# Flog Txt Version 1 # Analyzer Version: 4.4.1 # Analyzer Build Date: Jan 14 2022 06:06:11 # Log Creation Date: 23.04.2022 11:57:37.347 Process: id = "1" image_name = "dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe" page_root = "0x6a8dc000" os_pid = "0x4c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x4a0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 124 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 125 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 126 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 127 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 128 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 129 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 130 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 131 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 132 start_va = 0x400000 end_va = 0x8d4fff monitored = 1 entry_point = 0x8d35a0 region_type = mapped_file name = "dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe") Region: id = 133 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 134 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 135 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 136 start_va = 0x7fff0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 137 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 138 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 276 start_va = 0xa50000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 277 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 278 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 279 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 280 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 281 start_va = 0xa60000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 282 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 283 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 284 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 285 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 286 start_va = 0x8e0000 end_va = 0x99dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 287 start_va = 0x743a0000 end_va = 0x74431fff monitored = 0 entry_point = 0x743e0380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 288 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 289 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 290 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 291 start_va = 0xc20000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 292 start_va = 0x75310000 end_va = 0x7536efff monitored = 0 entry_point = 0x75314af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 293 start_va = 0x6ca20000 end_va = 0x6ca43fff monitored = 0 entry_point = 0x6ca24820 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 294 start_va = 0x76ae0000 end_va = 0x76b23fff monitored = 0 entry_point = 0x76af9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 295 start_va = 0x6c9f0000 end_va = 0x6ca12fff monitored = 0 entry_point = 0x6c9f8940 region_type = mapped_file name = "winmmbase.dll" filename = "\\Windows\\SysWOW64\\winmmbase.dll" (normalized: "c:\\windows\\syswow64\\winmmbase.dll") Region: id = 296 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 297 start_va = 0x75120000 end_va = 0x75156fff monitored = 0 entry_point = 0x75123b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 298 start_va = 0x76b30000 end_va = 0x76c7efff monitored = 0 entry_point = 0x76be6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 299 start_va = 0x77450000 end_va = 0x77596fff monitored = 0 entry_point = 0x77461cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 300 start_va = 0x75260000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75274f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 301 start_va = 0x74450000 end_va = 0x7446dfff monitored = 0 entry_point = 0x7445b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 302 start_va = 0x74440000 end_va = 0x74449fff monitored = 0 entry_point = 0x74442a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 303 start_va = 0x74590000 end_va = 0x745e7fff monitored = 0 entry_point = 0x745d25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 304 start_va = 0xd20000 end_va = 0xe5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 305 start_va = 0x9a0000 end_va = 0x9c9fff monitored = 0 entry_point = 0x9a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 306 start_va = 0xe60000 end_va = 0xfe7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 307 start_va = 0x74ea0000 end_va = 0x74ecafff monitored = 0 entry_point = 0x74ea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 308 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 309 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 310 start_va = 0xff0000 end_va = 0x1170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 311 start_va = 0x1180000 end_va = 0x257ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 312 start_va = 0x74650000 end_va = 0x746cafff monitored = 0 entry_point = 0x7466e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 313 start_va = 0x9b0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 314 start_va = 0x2580000 end_va = 0x1279ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 315 start_va = 0x127a0000 end_va = 0x32b9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000127a0000" filename = "" Region: id = 316 start_va = 0x12800000 end_va = 0x327fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012800000" filename = "" Region: id = 317 start_va = 0x9f0000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 318 start_va = 0xa00000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 319 start_va = 0xa10000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 320 start_va = 0xa60000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 321 start_va = 0xaa0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 322 start_va = 0xae0000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 323 start_va = 0xb20000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 324 start_va = 0xd20000 end_va = 0xe1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 325 start_va = 0xe50000 end_va = 0xe5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 326 start_va = 0x32800000 end_va = 0x328fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032800000" filename = "" Region: id = 327 start_va = 0x32900000 end_va = 0x329fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032900000" filename = "" Region: id = 328 start_va = 0x32a00000 end_va = 0x32afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032a00000" filename = "" Region: id = 329 start_va = 0x127a0000 end_va = 0x127eefff monitored = 0 entry_point = 0x127ad850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 330 start_va = 0xe20000 end_va = 0xe21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 331 start_va = 0xe30000 end_va = 0xe30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 332 start_va = 0x32b00000 end_va = 0x32efafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000032b00000" filename = "" Region: id = 333 start_va = 0x127a0000 end_va = 0x127dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000127a0000" filename = "" Region: id = 334 start_va = 0x71f30000 end_va = 0x71f7efff monitored = 0 entry_point = 0x71f3d850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 335 start_va = 0x71ea0000 end_va = 0x71f23fff monitored = 0 entry_point = 0x71ec6530 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 336 start_va = 0x74980000 end_va = 0x74986fff monitored = 0 entry_point = 0x74981e10 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 337 start_va = 0x71e60000 end_va = 0x71e67fff monitored = 0 entry_point = 0x71e61920 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 338 start_va = 0x71e70000 end_va = 0x71e9efff monitored = 0 entry_point = 0x71e7bb70 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 339 start_va = 0x71e10000 end_va = 0x71e56fff monitored = 0 entry_point = 0x71e258d0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 340 start_va = 0x740f0000 end_va = 0x7410afff monitored = 0 entry_point = 0x740f9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 341 start_va = 0x32f00000 end_va = 0x32f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032f00000" filename = "" Region: id = 342 start_va = 0x32f40000 end_va = 0x32f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032f40000" filename = "" Region: id = 343 start_va = 0x32f80000 end_va = 0x3307ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000032f80000" filename = "" Region: id = 344 start_va = 0x6ddf0000 end_va = 0x6de02fff monitored = 0 entry_point = 0x6ddf9950 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 345 start_va = 0x6d1e0000 end_va = 0x6d20efff monitored = 0 entry_point = 0x6d1f95e0 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 346 start_va = 0x33080000 end_va = 0x333b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 347 start_va = 0x333c0000 end_va = 0x333fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000333c0000" filename = "" Region: id = 348 start_va = 0x33400000 end_va = 0x334fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033400000" filename = "" Region: id = 349 start_va = 0x775a0000 end_va = 0x77717fff monitored = 0 entry_point = 0x775f8a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 350 start_va = 0x74810000 end_va = 0x7481dfff monitored = 0 entry_point = 0x74815410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 351 start_va = 0x33500000 end_va = 0x3353ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033500000" filename = "" Region: id = 352 start_va = 0x33540000 end_va = 0x3363ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033540000" filename = "" Region: id = 353 start_va = 0x33640000 end_va = 0x3373ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033640000" filename = "" Region: id = 354 start_va = 0x6cc80000 end_va = 0x6cc9efff monitored = 0 entry_point = 0x6cc88a90 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll") Region: id = 355 start_va = 0x33740000 end_va = 0x337effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033740000" filename = "" Region: id = 356 start_va = 0x337f0000 end_va = 0x3382ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000337f0000" filename = "" Region: id = 357 start_va = 0x33830000 end_va = 0x3392ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033830000" filename = "" Region: id = 358 start_va = 0x33930000 end_va = 0x3396ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033930000" filename = "" Region: id = 359 start_va = 0x33970000 end_va = 0x33a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033970000" filename = "" Region: id = 360 start_va = 0x33a70000 end_va = 0x33aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033a70000" filename = "" Region: id = 361 start_va = 0x33ab0000 end_va = 0x33aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033ab0000" filename = "" Region: id = 362 start_va = 0x33af0000 end_va = 0x33b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033af0000" filename = "" Region: id = 363 start_va = 0x33b30000 end_va = 0x33c2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033b30000" filename = "" Region: id = 364 start_va = 0xe40000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 487 start_va = 0x33c30000 end_va = 0x33c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033c30000" filename = "" Region: id = 488 start_va = 0x33c70000 end_va = 0x33d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033c70000" filename = "" Region: id = 489 start_va = 0x33d70000 end_va = 0x33daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033d70000" filename = "" Region: id = 490 start_va = 0x33db0000 end_va = 0x33eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033db0000" filename = "" Region: id = 491 start_va = 0x33eb0000 end_va = 0x33eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033eb0000" filename = "" Region: id = 492 start_va = 0x33ef0000 end_va = 0x33feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033ef0000" filename = "" Region: id = 493 start_va = 0x127e0000 end_va = 0x127effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000127e0000" filename = "" Region: id = 494 start_va = 0x33ff0000 end_va = 0x3402ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000033ff0000" filename = "" Region: id = 495 start_va = 0x34030000 end_va = 0x3412ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000034030000" filename = "" Region: id = 496 start_va = 0x34130000 end_va = 0x3416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000034130000" filename = "" Region: id = 497 start_va = 0x34170000 end_va = 0x3426ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000034170000" filename = "" Region: id = 498 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 499 start_va = 0xc20000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Thread: id = 1 os_tid = 0x830 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="WriteFile") returned 0x75626ca0 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="WriteConsoleW") returned 0x75627020 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="WaitForSingleObject") returned 0x75626820 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="VirtualQuery") returned 0x75617a90 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="VirtualFree") returned 0x75617600 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="VirtualAlloc") returned 0x75617810 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="SwitchToThread") returned 0x7561a690 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="SetWaitableTimer") returned 0x756267e0 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="SetUnhandledExceptionFilter") returned 0x7561a940 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="SetProcessPriorityBoost") returned 0x7561fef0 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="SetEvent") returned 0x756267d0 [0094.191] GetProcAddress (hModule=0x75600000, lpProcName="SetErrorMode") returned 0x75618d20 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleCtrlHandler") returned 0x75626ff0 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="LoadLibraryA") returned 0x75624bf0 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="LoadLibraryW") returned 0x7561a840 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="GetSystemInfo") returned 0x7561a0f0 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="GetStdHandle") returned 0x7561a6e0 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="GetQueuedCompletionStatus") returned 0x75618d40 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="GetProcessAffinityMask") returned 0x75619eb0 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="GetProcAddress") returned 0x756178b0 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="GetEnvironmentStringsW") returned 0x7561aac0 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="GetConsoleMode") returned 0x75626f70 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="FreeEnvironmentStringsW") returned 0x7561a7e0 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="ExitProcess") returned 0x75627b30 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="DuplicateHandle") returned 0x75626640 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="CreateThread") returned 0x75619b90 [0094.192] GetProcAddress (hModule=0x75600000, lpProcName="CreateIoCompletionPort") returned 0x75624fa0 [0094.193] GetProcAddress (hModule=0x75600000, lpProcName="CreateEventA") returned 0x75626680 [0094.193] GetProcAddress (hModule=0x75600000, lpProcName="CloseHandle") returned 0x75626630 [0094.193] GetProcAddress (hModule=0x75600000, lpProcName="AddVectoredExceptionHandler") returned 0x77743f90 [0094.193] LoadLibraryA (lpLibFileName="winmm.dll") returned 0x6ca20000 [0094.193] GetProcAddress (hModule=0x6ca20000, lpProcName="timeEndPeriod") returned 0x6ca2ca30 [0094.193] GetProcAddress (hModule=0x6ca20000, lpProcName="timeBeginPeriod") returned 0x6ca24330 [0094.193] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x75310000 [0094.193] GetProcAddress (hModule=0x75310000, lpProcName="WSAGetOverlappedResult") returned 0x753247e0 [0094.193] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x2) returned 1 [0094.508] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x4) returned 1 [0094.796] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75600000 [0094.797] GetProcAddress (hModule=0x75600000, lpProcName="AddDllDirectory") returned 0x755b45e0 [0094.797] GetProcAddress (hModule=0x75600000, lpProcName="AddVectoredContinueHandler") returned 0x777d28d0 [0094.797] GetProcAddress (hModule=0x75600000, lpProcName="GetQueuedCompletionStatusEx") returned 0x756410f0 [0094.797] GetProcAddress (hModule=0x75600000, lpProcName="LoadLibraryExW") returned 0x75617930 [0094.797] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74650000 [0096.224] GetProcAddress (hModule=0x74650000, lpProcName="SystemFunction036") returned 0x74442a60 [0096.225] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77720000 [0096.226] GetProcAddress (hModule=0x77720000, lpProcName="NtWaitForSingleObject") returned 0x77796cc0 [0096.226] GetProcAddress (hModule=0x77720000, lpProcName="wine_get_version") returned 0x0 [0096.226] SetErrorMode (uMode=0x2) returned 0x0 [0096.226] SetErrorMode (uMode=0x8003) returned 0x2 [0096.226] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x44d640) returned 0xb33a08 [0096.226] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x44d650) returned 0x0 [0096.228] SetConsoleCtrlHandler (HandlerRoutine=0x44d660, Add=1) returned 1 [0096.228] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0096.229] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x19fe8c, lpSystemAffinityMask=0x19fe88 | out: lpProcessAffinityMask=0x19fe8c, lpSystemAffinityMask=0x19fe88) returned 1 [0096.230] GetSystemInfo (in: lpSystemInfo=0x19fec8 | out: lpSystemInfo=0x19fec8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0096.230] SetProcessPriorityBoost (hProcess=0xffffffff, bDisablePriorityBoost=1) returned 1 [0096.505] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x9b0000 [0097.522] VirtualAlloc (lpAddress=0x0, dwSize=0x10220000, flAllocationType=0x2000, flProtect=0x4) returned 0x2580000 [0098.033] VirtualAlloc (lpAddress=0xc00000, dwSize=0x20400000, flAllocationType=0x2000, flProtect=0x4) returned 0x0 [0098.033] VirtualAlloc (lpAddress=0x0, dwSize=0x20400000, flAllocationType=0x2000, flProtect=0x4) returned 0x127a0000 [0098.048] VirtualFree (lpAddress=0x127a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.049] VirtualAlloc (lpAddress=0x12800000, dwSize=0x20000000, flAllocationType=0x2000, flProtect=0x4) returned 0x12800000 [0098.174] VirtualAlloc (lpAddress=0x12800000, dwSize=0x400000, flAllocationType=0x1000, flProtect=0x4) returned 0x12800000 [0098.565] VirtualAlloc (lpAddress=0x2580000, dwSize=0x41000, flAllocationType=0x1000, flProtect=0x4) returned 0x2580000 [0098.909] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x9f0000 [0099.316] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0xa00000 [0099.604] SystemFunction036 (in: RandomBuffer=0x8ccc00, RandomBufferLength=0x40 | out: RandomBuffer=0x8ccc00) returned 1 [0099.657] GetEnvironmentStringsW () returned 0xb35300* [0099.669] FreeEnvironmentStringsW (penv=0xb35300) returned 1 [0099.976] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19fea4, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19fea4*=0xec) returned 1 [0099.976] VirtualQuery (in: lpAddress=0x19feb4, lpBuffer=0x19feb4, dwLength=0x1c | out: lpBuffer=0x19feb4*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x128261c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf0 [0100.369] CloseHandle (hObject=0xf0) returned 1 [0100.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12826380, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf4 [0100.656] CloseHandle (hObject=0xf4) returned 1 [0100.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12826540, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf4 [0100.658] CloseHandle (hObject=0xf4) returned 1 [0100.658] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xf4 [0100.658] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0100.665] SetEvent (hEvent=0x10c) returned 1 [0100.697] SetEvent (hEvent=0x104) returned 1 [0100.697] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0101.464] LoadLibraryExW (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x800) returned 0x75600000 [0101.478] GetProcAddress (hModule=0x75600000, lpProcName="GetStdHandle") returned 0x7561a6e0 [0101.479] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0102.297] SetEvent (hEvent=0xfc) returned 1 [0102.298] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0102.713] GetProcAddress (hModule=0x75600000, lpProcName="SetHandleInformation") returned 0x75626660 [0102.723] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0103.548] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0103.548] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0103.548] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0103.548] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0104.048] SetEvent (hEvent=0xfc) returned 1 [0104.048] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0105.019] LoadLibraryExW (lpLibFileName="ws2_32.dll", hFile=0x0, dwFlags=0x800) returned 0x75310000 [0105.020] GetProcAddress (hModule=0x75310000, lpProcName="WSAStartup") returned 0x75316520 [0105.021] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x12822e2c | out: lpWSAData=0x12822e2c) returned 0 [0105.037] GetProcAddress (hModule=0x75600000, lpProcName="CancelIoEx") returned 0x7561f450 [0105.143] GetProcAddress (hModule=0x75600000, lpProcName="SetFileCompletionNotificationModes") returned 0x75619dd0 [0105.144] GetProcAddress (hModule=0x75310000, lpProcName="WSAEnumProtocolsW") returned 0x75327ed0 [0105.144] WSAEnumProtocolsW (in: lpiProtocols=0x1285af90, lpProtocolBuffer=0x1285af98, lpdwBufferLength=0x1285af8c | out: lpProtocolBuffer=0x1285af98, lpdwBufferLength=0x1285af8c) returned 4 [0105.937] GetProcAddress (hModule=0x75600000, lpProcName="GetConsoleMode") returned 0x75626f70 [0105.937] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0x1285ff88 | out: lpMode=0x1285ff88) returned 0 [0105.963] SetEvent (hEvent=0xfc) returned 1 [0106.048] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x127a0000 [0106.066] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0x1285ff88 | out: lpMode=0x1285ff88) returned 0 [0106.066] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0x1285ff88 | out: lpMode=0x1285ff88) returned 0 [0106.121] GetProcAddress (hModule=0x75600000, lpProcName="GetCommandLineW") returned 0x7561aba0 [0106.121] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe\" " [0106.209] SetEvent (hEvent=0x104) returned 1 [0106.209] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0106.423] SetEvent (hEvent=0x104) returned 1 [0106.423] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0106.813] SetEvent (hEvent=0x104) returned 1 [0106.813] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0107.086] SetEvent (hEvent=0x104) returned 1 [0107.086] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0107.204] SetEvent (hEvent=0x104) returned 1 [0107.204] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0107.372] SetEvent (hEvent=0x104) returned 1 [0107.372] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0107.619] SetEvent (hEvent=0x104) returned 1 [0107.619] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0107.875] SetEvent (hEvent=0x104) returned 1 [0107.875] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0108.050] SetEvent (hEvent=0x104) returned 1 [0108.050] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0108.281] SetEvent (hEvent=0x104) returned 1 [0108.281] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0108.473] SetEvent (hEvent=0x104) returned 1 [0108.473] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0108.684] GetProcAddress (hModule=0x75600000, lpProcName="GetEnvironmentVariableW") returned 0x75619970 [0108.693] SetEvent (hEvent=0x104) returned 1 [0108.693] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0108.736] GetEnvironmentVariableW (in: lpName="GODEBUG", lpBuffer=0x1288a000, nSize=0x64 | out: lpBuffer="") returned 0x0 [0108.805] SetEvent (hEvent=0x104) returned 1 [0108.805] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0109.017] SetEvent (hEvent=0x104) returned 1 [0109.018] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0109.127] SetEvent (hEvent=0x104) returned 1 [0109.127] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0109.229] SetEvent (hEvent=0x104) returned 1 [0109.229] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0109.274] GetEnvironmentVariableW (in: lpName="DEBUG_HTTP2_GOROUTINES", lpBuffer=0x1288a0d0, nSize=0x64 | out: lpBuffer="") returned 0x0 [0109.294] GetEnvironmentVariableW (in: lpName="GODEBUG", lpBuffer=0x1288a1a0, nSize=0x64 | out: lpBuffer="") returned 0x0 [0109.351] SetEvent (hEvent=0x104) returned 1 [0109.351] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0109.460] SetEvent (hEvent=0x104) returned 1 [0109.460] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0109.472] GetEnvironmentVariableW (in: lpName="ProgramFiles", lpBuffer=0x1288a270, nSize=0x64 | out: lpBuffer="") returned 0x16 [0109.490] GetEnvironmentVariableW (in: lpName="ProgramFiles", lpBuffer=0x1288a340, nSize=0x64 | out: lpBuffer="") returned 0x16 [0109.729] GetEnvironmentVariableW (in: lpName="GODEBUG", lpBuffer=0x1288a410, nSize=0x64 | out: lpBuffer="") returned 0x0 [0109.920] GetEnvironmentVariableW (in: lpName="HTTP_PROXY", lpBuffer=0x1288a4e0, nSize=0x64 | out: lpBuffer="") returned 0x0 [0109.920] GetEnvironmentVariableW (in: lpName="http_proxy", lpBuffer=0x1288a5b0, nSize=0x64 | out: lpBuffer="") returned 0x0 [0109.920] GetEnvironmentVariableW (in: lpName="HTTPS_PROXY", lpBuffer=0x1288a680, nSize=0x64 | out: lpBuffer="") returned 0x0 [0109.920] GetEnvironmentVariableW (in: lpName="https_proxy", lpBuffer=0x1288a750, nSize=0x64 | out: lpBuffer="") returned 0x0 [0109.920] GetEnvironmentVariableW (in: lpName="NO_PROXY", lpBuffer=0x1288a820, nSize=0x64 | out: lpBuffer="") returned 0x0 [0109.920] GetEnvironmentVariableW (in: lpName="no_proxy", lpBuffer=0x1288a8f0, nSize=0x64 | out: lpBuffer="") returned 0x0 [0109.921] GetEnvironmentVariableW (in: lpName="REQUEST_METHOD", lpBuffer=0x1288a9c0, nSize=0x64 | out: lpBuffer="") returned 0x0 [0110.006] SetEvent (hEvent=0x104) returned 1 [0110.137] SetEvent (hEvent=0xfc) returned 1 [0110.169] SetEvent (hEvent=0x104) returned 1 [0110.178] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x74db) returned 0x0 [0115.677] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x26f4) returned 0x102 [0125.834] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x159bc) returned 0x102 [0136.953] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x12e55) returned 0x102 [0147.579] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x104cc) returned 0x102 [0157.761] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xdd05) returned 0x0 [0165.384] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x2560) returned 0x102 [0175.428] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0175.445] SetEvent (hEvent=0x3f8) returned 1 [0176.026] SetEvent (hEvent=0xfc) returned 1 [0176.026] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0176.558] SetEvent (hEvent=0x1d0) returned 1 [0176.558] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0176.572] SetEvent (hEvent=0x3f8) returned 1 [0176.572] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0176.608] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0176.656] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0176.662] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0176.662] SetEvent (hEvent=0xfc) returned 1 [0176.662] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0176.674] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0176.674] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0176.674] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1692b03, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x36b)) returned 1 [0176.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0176.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0176.675] ReadFile (in: hFile=0x15c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a61d1c*=0x36b, lpOverlapped=0x0) returned 1 [0176.726] GetFileType (hFile=0x15c) returned 0x1 [0176.726] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.726] WriteFile (in: hFile=0x15c, lpBuffer=0x12866000*, nNumberOfBytesToWrite=0x36b, lpNumberOfBytesWritten=0x12a61d00, lpOverlapped=0x12a61d0c | out: lpBuffer=0x12866000*, lpNumberOfBytesWritten=0x12a61d00*=0x36b, lpOverlapped=0x12a61d0c) returned 1 [0176.726] GetFileType (hFile=0x15c) returned 0x1 [0176.726] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x36b, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.726] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0176.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0176.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0176.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0e0 | out: pbBuffer=0x12a9a0e0) returned 1 [0176.727] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0176.727] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0176.727] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d62000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d62000*, lpNumberOfBytesWritten=0x12a61d0c*=0x276, lpOverlapped=0x0) returned 1 [0176.728] CloseHandle (hObject=0x1a0) returned 1 [0176.729] CloseHandle (hObject=0x15c) returned 1 [0176.729] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0f8 | out: pbBuffer=0x12a9a0f8) returned 1 [0176.730] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\#_THIS_FILE_IS_ENCRYPTED_[342C9555D8F818AB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\#_this_file_is_encrypted_[342c9555d8f818ab]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0176.731] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0176.731] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0176.731] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0176.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0176.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a140 | out: pbBuffer=0x12a9a140) returned 1 [0176.731] ReadFile (in: hFile=0x15c, lpBuffer=0x1297e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x1297e000*, lpNumberOfBytesRead=0x12a61d1c*=0x10f, lpOverlapped=0x0) returned 1 [0176.760] GetFileType (hFile=0x15c) returned 0x1 [0176.760] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.760] WriteFile (in: hFile=0x15c, lpBuffer=0x12909680*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12a61d00, lpOverlapped=0x12a61d0c | out: lpBuffer=0x12909680*, lpNumberOfBytesWritten=0x12a61d00*=0x10f, lpOverlapped=0x12a61d0c) returned 1 [0176.760] GetFileType (hFile=0x15c) returned 0x1 [0176.761] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.761] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0176.761] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0176.761] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0176.761] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a218 | out: pbBuffer=0x12a9a218) returned 1 [0176.762] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0176.762] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0176.762] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d62f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d62f00*, lpNumberOfBytesWritten=0x12a61d0c*=0x276, lpOverlapped=0x0) returned 1 [0177.608] CloseHandle (hObject=0x1a0) returned 1 [0177.610] CloseHandle (hObject=0x15c) returned 1 [0177.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a230 | out: pbBuffer=0x12a9a230) returned 1 [0177.736] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\#_THIS_FILE_IS_ENCRYPTED_[E03FA1291AD439F6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\#_this_file_is_encrypted_[e03fa1291ad439f6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0177.758] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[72FEEA7E21664A95]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\#_this_file_is_encrypted_[72feea7e21664a95]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0177.869] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0178.139] SetEvent (hEvent=0x19c) returned 1 [0178.165] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0178.166] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0178.166] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670)) returned 1 [0178.166] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6a0 | out: pbBuffer=0x1280e6a0) returned 1 [0178.166] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a278 | out: pbBuffer=0x12a9a278) returned 1 [0178.167] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c00000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c00000*, lpNumberOfBytesRead=0x12a63d1c*=0x670, lpOverlapped=0x0) returned 1 [0178.321] GetFileType (hFile=0x1a0) returned 0x1 [0178.321] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0178.321] WriteFile (in: hFile=0x1a0, lpBuffer=0x1290c700*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x1290c700*, lpNumberOfBytesWritten=0x12a63d00*=0x670, lpOverlapped=0x12a63d0c) returned 1 [0178.324] GetFileType (hFile=0x1a0) returned 0x1 [0178.324] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x670, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0179.549] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0179.550] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0179.550] WriteFile (in: hFile=0x43c, lpBuffer=0x12a68000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a68000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0179.552] CloseHandle (hObject=0x43c) returned 1 [0179.553] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0179.553] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0179.723] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.723] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0179.723] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.723] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0179.723] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0179.723] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0179.724] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0179.724] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0179.724] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0179.724] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0179.725] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0179.725] WriteFile (in: hFile=0x43c, lpBuffer=0x12d64000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12d64000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0179.726] CloseHandle (hObject=0x43c) returned 1 [0179.726] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0179.727] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.727] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0179.727] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0179.727] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0179.727] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0179.727] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0179.727] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0179.727] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0179.727] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0179.731] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0179.731] WriteFile (in: hFile=0x43c, lpBuffer=0x12d65300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12d65300*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0179.733] CloseHandle (hObject=0x43c) returned 1 [0179.733] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae)) returned 1 [0179.734] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0179.734] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0179.734] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0179.734] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e780 | out: pbBuffer=0x1280e780) returned 1 [0179.734] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a360 | out: pbBuffer=0x12a9a360) returned 1 [0179.735] ReadFile (in: hFile=0x43c, lpBuffer=0x12d16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d16000*, lpNumberOfBytesRead=0x12a67d1c*=0x10f, lpOverlapped=0x0) returned 1 [0179.736] GetFileType (hFile=0x43c) returned 0x1 [0179.736] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0179.736] WriteFile (in: hFile=0x43c, lpBuffer=0x12a585a0*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12a585a0*, lpNumberOfBytesWritten=0x12a67d00*=0x10f, lpOverlapped=0x12a67d0c) returned 1 [0179.737] GetFileType (hFile=0x43c) returned 0x1 [0179.737] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0179.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0179.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0179.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0180.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a418 | out: pbBuffer=0x12a9a418) returned 1 [0180.164] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0180.165] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0180.166] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d63400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d63400*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0180.432] CloseHandle (hObject=0x3c4) returned 1 [0180.449] CloseHandle (hObject=0x43c) returned 1 [0180.449] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810348 | out: pbBuffer=0x12810348) returned 1 [0180.450] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\#_THIS_FILE_IS_ENCRYPTED_[63263BC4262DEDB0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\#_this_file_is_encrypted_[63263bc4262dedb0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0180.451] SetEvent (hEvent=0x3f4) returned 1 [0180.451] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0180.452] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0180.452] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c88c62, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c88c62, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1cac)) returned 1 [0180.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844e40 | out: pbBuffer=0x12844e40) returned 1 [0180.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810390 | out: pbBuffer=0x12810390) returned 1 [0180.453] ReadFile (in: hFile=0x43c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a67d1c*=0x1cac, lpOverlapped=0x0) returned 1 [0180.543] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0180.602] SetEvent (hEvent=0x19c) returned 1 [0180.602] GetFileType (hFile=0x43c) returned 0x1 [0180.602] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0180.602] WriteFile (in: hFile=0x43c, lpBuffer=0x1299e000*, nNumberOfBytesToWrite=0x1cac, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x1299e000*, lpNumberOfBytesWritten=0x12a67d00*=0x1cac, lpOverlapped=0x12a67d0c) returned 1 [0180.603] GetFileType (hFile=0x43c) returned 0x1 [0180.603] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x1cac, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0180.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0180.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0180.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0180.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810448 | out: pbBuffer=0x12810448) returned 1 [0180.604] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0180.604] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0180.604] WriteFile (in: hFile=0x15c, lpBuffer=0x12b12a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12a00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0180.604] CloseHandle (hObject=0x15c) returned 1 [0180.606] CloseHandle (hObject=0x43c) returned 1 [0180.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810460 | out: pbBuffer=0x12810460) returned 1 [0180.606] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\#_THIS_FILE_IS_ENCRYPTED_[00326E387944F92F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\#_this_file_is_encrypted_[00326e387944f92f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0180.608] SwitchToThread () returned 1 [0180.611] SetEvent (hEvent=0x19c) returned 1 [0180.611] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0180.995] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0180.996] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0180.996] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12ff08c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12ff08c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139)) returned 1 [0180.996] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0180.996] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0181.005] ReadFile (in: hFile=0x15c, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12927d1c*=0x139, lpOverlapped=0x0) returned 1 [0181.007] GetFileType (hFile=0x15c) returned 0x1 [0181.008] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.008] WriteFile (in: hFile=0x15c, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x139, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x12927d00*=0x139, lpOverlapped=0x12927d0c) returned 1 [0181.008] GetFileType (hFile=0x15c) returned 0x1 [0181.008] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x139, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.008] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0181.008] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0181.009] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0181.009] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0181.009] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.009] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0181.009] WriteFile (in: hFile=0x428, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.040] CloseHandle (hObject=0x428) returned 1 [0181.042] CloseHandle (hObject=0x15c) returned 1 [0181.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0181.042] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[585AE829A3AD39BE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\#_this_file_is_encrypted_[585ae829a3ad39be]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.086] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0181.086] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0181.086] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d08f31, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d08f31, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c)) returned 1 [0181.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0181.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0181.087] ReadFile (in: hFile=0x15c, lpBuffer=0x12c00000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c00000*, lpNumberOfBytesRead=0x12927d1c*=0x15c, lpOverlapped=0x0) returned 1 [0181.088] GetFileType (hFile=0x15c) returned 0x1 [0181.088] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.088] WriteFile (in: hFile=0x15c, lpBuffer=0x12afa000*, nNumberOfBytesToWrite=0x15c, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12afa000*, lpNumberOfBytesWritten=0x12927d00*=0x15c, lpOverlapped=0x12927d0c) returned 1 [0181.088] GetFileType (hFile=0x15c) returned 0x1 [0181.088] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x15c, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0181.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0181.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0181.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484c8 | out: pbBuffer=0x128484c8) returned 1 [0181.089] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.089] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0181.089] WriteFile (in: hFile=0x428, lpBuffer=0x12b12500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12500*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.118] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0181.133] CloseHandle (hObject=0x428) returned 1 [0181.135] CloseHandle (hObject=0x15c) returned 1 [0181.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484e0 | out: pbBuffer=0x128484e0) returned 1 [0181.136] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[EA83B6538714E342]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\#_this_file_is_encrypted_[ea83b6538714e342]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.204] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x1b2)) returned 1 [0181.205] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0181.218] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0181.268] SetEvent (hEvent=0xfc) returned 1 [0181.268] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810030 | out: pbBuffer=0x12810030) returned 1 [0181.268] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\#_THIS_FILE_IS_ENCRYPTED_[684F989088C3B2CD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\#_this_file_is_encrypted_[684f989088c3b2cd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.270] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0181.270] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0181.270] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5)) returned 1 [0181.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0181.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810078 | out: pbBuffer=0x12810078) returned 1 [0181.271] ReadFile (in: hFile=0x15c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12927d1c*=0x2a5, lpOverlapped=0x0) returned 1 [0181.299] GetFileType (hFile=0x15c) returned 0x1 [0181.299] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.300] WriteFile (in: hFile=0x15c, lpBuffer=0x12c2a2c0*, nNumberOfBytesToWrite=0x2a5, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12c2a2c0*, lpNumberOfBytesWritten=0x12927d00*=0x2a5, lpOverlapped=0x12927d0c) returned 1 [0181.300] GetFileType (hFile=0x15c) returned 0x1 [0181.300] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x2a5, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.300] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0181.300] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0181.301] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0181.301] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810150 | out: pbBuffer=0x12810150) returned 1 [0181.301] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0181.301] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0181.301] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.301] CloseHandle (hObject=0x438) returned 1 [0181.303] CloseHandle (hObject=0x15c) returned 1 [0181.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810168 | out: pbBuffer=0x12810168) returned 1 [0181.304] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[0BC6571FB80D535D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\#_this_file_is_encrypted_[0bc6571fb80d535d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.305] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0181.354] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0181.354] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0181.354] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416)) returned 1 [0181.355] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0181.355] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101b0 | out: pbBuffer=0x128101b0) returned 1 [0181.355] ReadFile (in: hFile=0x1a0, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12a67d1c*=0x416, lpOverlapped=0x0) returned 1 [0181.362] GetFileType (hFile=0x1a0) returned 0x1 [0181.362] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.362] WriteFile (in: hFile=0x1a0, lpBuffer=0x12890d80*, nNumberOfBytesToWrite=0x416, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12890d80*, lpNumberOfBytesWritten=0x12a67d00*=0x416, lpOverlapped=0x12a67d0c) returned 1 [0181.401] GetFileType (hFile=0x1a0) returned 0x1 [0181.401] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x416, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.401] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0181.401] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0181.401] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0181.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810278 | out: pbBuffer=0x12810278) returned 1 [0181.402] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0181.402] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0181.402] WriteFile (in: hFile=0x438, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.412] CloseHandle (hObject=0x438) returned 1 [0181.413] CloseHandle (hObject=0x1a0) returned 1 [0181.424] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810290 | out: pbBuffer=0x12810290) returned 1 [0181.424] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[D5F1356FB477F330]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\#_this_file_is_encrypted_[d5f1356fb477f330]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.710] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.710] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0181.710] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139)) returned 1 [0181.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0181.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483e8 | out: pbBuffer=0x128483e8) returned 1 [0181.711] ReadFile (in: hFile=0x3c4, lpBuffer=0x129a6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a6000*, lpNumberOfBytesRead=0x12a67d1c*=0x139, lpOverlapped=0x0) returned 1 [0181.714] GetFileType (hFile=0x3c4) returned 0x1 [0181.714] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.714] WriteFile (in: hFile=0x3c4, lpBuffer=0x12bec000*, nNumberOfBytesToWrite=0x139, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12bec000*, lpNumberOfBytesWritten=0x12a67d00*=0x139, lpOverlapped=0x12a67d0c) returned 1 [0181.714] GetFileType (hFile=0x3c4) returned 0x1 [0181.714] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x139, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.714] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0181.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0181.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0181.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484c0 | out: pbBuffer=0x128484c0) returned 1 [0181.715] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.715] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0181.716] WriteFile (in: hFile=0x428, lpBuffer=0x128b0500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0500*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.731] CloseHandle (hObject=0x428) returned 1 [0181.744] CloseHandle (hObject=0x3c4) returned 1 [0181.745] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484d8 | out: pbBuffer=0x128484d8) returned 1 [0181.745] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[1B534C292614F555]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\#_this_file_is_encrypted_[1b534c292614f555]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.754] GetFileType (hFile=0x42c) returned 0x1 [0181.754] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.754] WriteFile (in: hFile=0x42c, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x732, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x12a63d00*=0x732, lpOverlapped=0x12a63d0c) returned 1 [0181.754] GetFileType (hFile=0x42c) returned 0x1 [0181.754] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x732, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0181.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0181.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0181.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914540 | out: pbBuffer=0x12914540) returned 1 [0181.756] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.757] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.757] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.757] CloseHandle (hObject=0x3c4) returned 1 [0181.761] CloseHandle (hObject=0x42c) returned 1 [0181.801] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0181.802] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[C9CE1BC32AB661F0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\#_this_file_is_encrypted_[c9ce1bc32ab661f0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.986] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0182.051] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0182.091] SetEvent (hEvent=0x3f8) returned 1 [0182.091] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0182.091] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.091] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x586)) returned 1 [0182.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844080 | out: pbBuffer=0x12844080) returned 1 [0182.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810088 | out: pbBuffer=0x12810088) returned 1 [0182.091] ReadFile (in: hFile=0x428, lpBuffer=0x12cf0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf0000*, lpNumberOfBytesRead=0x12a63d1c*=0x586, lpOverlapped=0x0) returned 1 [0182.131] GetFileType (hFile=0x428) returned 0x1 [0182.131] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.131] WriteFile (in: hFile=0x428, lpBuffer=0x12a94000*, nNumberOfBytesToWrite=0x586, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12a94000*, lpNumberOfBytesWritten=0x12a63d00*=0x586, lpOverlapped=0x12a63d0c) returned 1 [0182.132] GetFileType (hFile=0x428) returned 0x1 [0182.132] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x586, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.132] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0182.132] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0182.133] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0182.133] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0182.133] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0182.133] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.133] WriteFile (in: hFile=0x438, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.134] CloseHandle (hObject=0x438) returned 1 [0182.136] CloseHandle (hObject=0x428) returned 1 [0182.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810178 | out: pbBuffer=0x12810178) returned 1 [0182.136] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[E71FAF1058B98C1D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\#_this_file_is_encrypted_[e71faf1058b98c1d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.138] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f88875, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f88875, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f88875, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe63)) returned 1 [0182.138] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x757)) returned 1 [0182.138] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0182.138] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.138] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f88875, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f88875, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f88875, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe63)) returned 1 [0182.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844460 | out: pbBuffer=0x12844460) returned 1 [0182.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101c0 | out: pbBuffer=0x128101c0) returned 1 [0182.139] ReadFile (in: hFile=0x428, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12a63d1c*=0xe63, lpOverlapped=0x0) returned 1 [0182.159] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0182.257] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0182.408] SetEvent (hEvent=0x3f8) returned 1 [0182.408] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-48.png"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1f5)) returned 1 [0182.409] SetEvent (hEvent=0x19c) returned 1 [0182.409] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0182.414] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0182.414] SetEvent (hEvent=0x19c) returned 1 [0182.415] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0182.418] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0188.470] SetEvent (hEvent=0x3f8) returned 1 [0188.470] SetEvent (hEvent=0x1d0) returned 1 [0188.470] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0188.535] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.011.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.536] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0188.536] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.011.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d33ad0 | out: lpFileInformation=0x12d33ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x1d9a4c7e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0188.536] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0188.536] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0188.536] ReadFile (in: hFile=0x43c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d33d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12d33d1c*=0x2000, lpOverlapped=0x0) returned 1 [0188.540] GetFileType (hFile=0x43c) returned 0x1 [0188.540] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.540] WriteFile (in: hFile=0x43c, lpBuffer=0x12866000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12d33d00, lpOverlapped=0x12d33d0c | out: lpBuffer=0x12866000*, lpNumberOfBytesWritten=0x12d33d00*=0x2000, lpOverlapped=0x12d33d0c) returned 1 [0188.540] GetFileType (hFile=0x43c) returned 0x1 [0188.540] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.540] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0188.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0188.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0188.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914560 | out: pbBuffer=0x12914560) returned 1 [0188.541] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.011.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0188.542] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0188.542] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d33d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12d33d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.542] CloseHandle (hObject=0x42c) returned 1 [0188.553] CloseHandle (hObject=0x43c) returned 1 [0188.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914578 | out: pbBuffer=0x12914578) returned 1 [0188.558] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.011.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[81DD7F2610946208]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[81dd7f2610946208]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.778] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0188.785] SetEvent (hEvent=0x1d0) returned 1 [0188.785] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.786] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0188.786] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), fInfoLevelId=0x0, lpFileInformation=0x12d33ad0 | out: lpFileInformation=0x12d33ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58c6200, ftCreationTime.dwHighDateTime=0x1d0d7d0, ftLastAccessTime.dwLowDateTime=0x6fc19112, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x58c6200, ftLastWriteTime.dwHighDateTime=0x1d0d7d0, nFileSizeHigh=0x0, nFileSizeLow=0x42c)) returned 1 [0188.788] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284e0 | out: pbBuffer=0x129284e0) returned 1 [0188.788] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146e8 | out: pbBuffer=0x129146e8) returned 1 [0188.788] ReadFile (in: hFile=0x43c, lpBuffer=0x12b8e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d33d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8e000*, lpNumberOfBytesRead=0x12d33d1c*=0x42c, lpOverlapped=0x0) returned 1 [0188.794] GetFileType (hFile=0x43c) returned 0x1 [0188.795] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.795] WriteFile (in: hFile=0x43c, lpBuffer=0x12a48d80*, nNumberOfBytesToWrite=0x42c, lpNumberOfBytesWritten=0x12d33d00, lpOverlapped=0x12d33d0c | out: lpBuffer=0x12a48d80*, lpNumberOfBytesWritten=0x12d33d00*=0x42c, lpOverlapped=0x12d33d0c) returned 1 [0188.795] GetFileType (hFile=0x43c) returned 0x1 [0188.795] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x42c, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0188.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0188.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0188.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129147e0 | out: pbBuffer=0x129147e0) returned 1 [0188.796] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0188.797] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0188.797] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d33d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58f00*, lpNumberOfBytesWritten=0x12d33d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.797] CloseHandle (hObject=0x42c) returned 1 [0188.802] CloseHandle (hObject=0x43c) returned 1 [0188.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914810 | out: pbBuffer=0x12914810) returned 1 [0188.810] MoveFileExW (lpExistingFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), lpNewFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\#_THIS_FILE_IS_ENCRYPTED_[8D6050A72BC9CDB7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\#_this_file_is_encrypted_[8d6050a72bc9cdb7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.959] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.039] SetEvent (hEvent=0x19c) returned 1 [0189.040] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.044] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0189.044] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x252261fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x252261fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e)) returned 1 [0189.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0189.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848630 | out: pbBuffer=0x12848630) returned 1 [0189.044] ReadFile (in: hFile=0x448, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12d35d1c*=0x14e, lpOverlapped=0x0) returned 1 [0189.046] GetFileType (hFile=0x448) returned 0x1 [0189.046] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.046] WriteFile (in: hFile=0x448, lpBuffer=0x12884840*, nNumberOfBytesToWrite=0x14e, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12884840*, lpNumberOfBytesWritten=0x12d35d00*=0x14e, lpOverlapped=0x12d35d0c) returned 1 [0189.046] GetFileType (hFile=0x448) returned 0x1 [0189.046] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x14e, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0189.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0189.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0189.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848748 | out: pbBuffer=0x12848748) returned 1 [0189.047] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0189.048] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0189.048] WriteFile (in: hFile=0x42c, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.071] CloseHandle (hObject=0x42c) returned 1 [0189.071] CloseHandle (hObject=0x448) returned 1 [0189.072] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848770 | out: pbBuffer=0x12848770) returned 1 [0189.072] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), lpNewFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\#_THIS_FILE_IS_ENCRYPTED_[BB551D2C4EF2FEE2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\#_this_file_is_encrypted_[bb551d2c4ef2fee2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.074] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.119] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.132] SetEvent (hEvent=0x420) returned 1 [0189.132] CreateFileW (lpFileName="C:\\Users\\Default\\Local Settings" (normalized: "c:\\users\\default\\local settings"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.132] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Local Settings\\*", lpFindFileData=0x12d33a44 | out: lpFindFileData=0x12d33a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.132] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents" (normalized: "c:\\users\\default\\my documents"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.132] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x12d37a44 | out: lpFindFileData=0x12d37a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.132] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.143] SetEvent (hEvent=0x420) returned 1 [0189.143] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.147] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.147] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0189.147] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x9000)) returned 1 [0189.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845e60 | out: pbBuffer=0x12845e60) returned 1 [0189.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ea0 | out: pbBuffer=0x12c34ea0) returned 1 [0189.147] ReadFile (in: hFile=0x43c, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12d35d1c*=0x9000, lpOverlapped=0x0) returned 1 [0189.160] GetFileType (hFile=0x43c) returned 0x1 [0189.160] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.160] WriteFile (in: hFile=0x43c, lpBuffer=0x12bce000*, nNumberOfBytesToWrite=0x9000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12bce000*, lpNumberOfBytesWritten=0x12d35d00*=0x9000, lpOverlapped=0x12d35d0c) returned 1 [0189.160] GetFileType (hFile=0x43c) returned 0x1 [0189.160] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x9000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.161] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0189.161] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0189.161] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0189.161] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0189.161] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.161] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0189.161] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a00000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a00000*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.162] CloseHandle (hObject=0x1a0) returned 1 [0189.162] CloseHandle (hObject=0x43c) returned 1 [0189.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0189.162] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:\\Users\\Default\\#_THIS_FILE_IS_ENCRYPTED_[8199F8CE5169CBC6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\default\\#_this_file_is_encrypted_[8199f8ce5169cbc6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.163] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.173] SetEvent (hEvent=0x3f4) returned 1 [0189.173] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.173] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0189.173] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0189.174] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0189.174] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0189.174] ReadFile (in: hFile=0x438, lpBuffer=0x12a08000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a08000*, lpNumberOfBytesRead=0x1282fd1c*=0x10000, lpOverlapped=0x0) returned 1 [0189.229] GetFileType (hFile=0x438) returned 0x1 [0189.229] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.229] WriteFile (in: hFile=0x438, lpBuffer=0x12850000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12850000*, lpNumberOfBytesWritten=0x1282fd00*=0x10000, lpOverlapped=0x1282fd0c) returned 1 [0189.229] GetFileType (hFile=0x438) returned 0x1 [0189.229] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0189.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0189.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0189.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0189.230] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.230] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0189.231] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0189.231] CloseHandle (hObject=0x1a0) returned 1 [0189.231] CloseHandle (hObject=0x438) returned 1 [0189.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0189.231] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf"), lpNewFileName="C:\\Users\\Default\\#_THIS_FILE_IS_ENCRYPTED_[AA890E097C94678A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\default\\#_this_file_is_encrypted_[aa890e097c94678a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.315] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.321] SetEvent (hEvent=0xfc) returned 1 [0189.321] CreateFileW (lpFileName="C:\\Users\\Default\\Recent" (normalized: "c:\\users\\default\\recent"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.321] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Recent\\*", lpFindFileData=0x12d37a44 | out: lpFindFileData=0x12d37a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.321] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.411] SetEvent (hEvent=0x19c) returned 1 [0189.411] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.522] SetEvent (hEvent=0x420) returned 1 [0189.522] SetEvent (hEvent=0xfc) returned 1 [0189.522] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.533] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.549] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.577] SetEvent (hEvent=0xfc) returned 1 [0189.577] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.578] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0189.578] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf)) returned 1 [0189.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0189.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0189.578] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a6fd1c*=0xaf, lpOverlapped=0x0) returned 1 [0189.580] GetFileType (hFile=0x1a0) returned 0x1 [0189.580] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.580] WriteFile (in: hFile=0x1a0, lpBuffer=0x1288c000*, nNumberOfBytesToWrite=0xaf, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x1288c000*, lpNumberOfBytesWritten=0x12a6fd00*=0xaf, lpOverlapped=0x12a6fd0c) returned 1 [0189.580] GetFileType (hFile=0x1a0) returned 0x1 [0189.581] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xaf, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0189.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0189.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0189.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0189.581] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.582] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0189.582] WriteFile (in: hFile=0x43c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0189.606] CloseHandle (hObject=0x43c) returned 1 [0189.606] CloseHandle (hObject=0x1a0) returned 1 [0189.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0189.607] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\Libraries\\#_THIS_FILE_IS_ENCRYPTED_[119186FCA22DDBFB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\libraries\\#_this_file_is_encrypted_[119186fca22ddbfb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae)) returned 1 [0189.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX" (normalized: "c:\\users\\rdhj0cnfevzx"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0189.608] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX" (normalized: "c:\\users\\rdhj0cnfevzx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.608] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0189.608] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.608] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0189.608] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0189.608] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0189.608] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0189.608] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7acb0e39, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7acb0e39, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf56cf76f, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf56cf76f, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf525123f, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf525123f, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6b125138, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x6b125138, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x180000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x89000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf52d70e7, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf52d70e7, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0189.609] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0189.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0189.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0189.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0189.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0189.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0189.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf5346139, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf5346139, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0189.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.610] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0189.610] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b7c0 | out: lpFileInformation=0x1282b7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.611] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b9d0 | out: lpMode=0x1282b9d0) returned 0 [0189.611] WriteFile (in: hFile=0x1a0, lpBuffer=0x12850000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b9d0, lpOverlapped=0x0 | out: lpBuffer=0x12850000*, lpNumberOfBytesWritten=0x1282b9d0*=0x118a, lpOverlapped=0x0) returned 1 [0189.614] CloseHandle (hObject=0x1a0) returned 1 [0189.614] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.614] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.615] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0189.615] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.615] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0189.615] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0189.615] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf58ba333, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf58ba333, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0189.615] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.615] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0189.615] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.615] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.615] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.616] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.616] WriteFile (in: hFile=0x1a0, lpBuffer=0x12851300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12851300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.618] CloseHandle (hObject=0x1a0) returned 1 [0189.618] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0189.618] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.618] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xb1dfb94f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xb1dfb94f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x69d588a7, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x5c6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xbf067727, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xbf067727, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0189.619] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.620] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0189.620] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.620] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.620] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.621] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0189.621] WriteFile (in: hFile=0x1a0, lpBuffer=0x12852600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12852600*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0189.622] CloseHandle (hObject=0x1a0) returned 1 [0189.623] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\activesync"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.623] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\activesync"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.623] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0189.623] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.623] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.623] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0189.624] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\activesync\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.624] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\activesync\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.624] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\activesync\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.625] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0189.625] WriteFile (in: hFile=0x1a0, lpBuffer=0x12853900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12853900*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0189.626] CloseHandle (hObject=0x1a0) returned 1 [0189.626] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\application data"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\application data"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.627] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282ba84 | out: lpFileInformation=0x1282ba84) returned 1 [0189.627] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282ba7c, dwBufferSize=0x8 | out: lpFileInformation=0x1282ba7c) returned 1 [0189.627] CloseHandle (hObject=0x1a0) returned 1 [0189.628] CreateFileW (lpFileName="C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.628] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0189.628] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae)) returned 1 [0189.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e840 | out: pbBuffer=0x1280e840) returned 1 [0189.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8ca0 | out: pbBuffer=0x128e8ca0) returned 1 [0189.628] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12a6fd1c*=0xae, lpOverlapped=0x0) returned 1 [0189.628] GetFileType (hFile=0x1a0) returned 0x1 [0189.628] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.629] WriteFile (in: hFile=0x1a0, lpBuffer=0x1288c6e0*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x1288c6e0*, lpNumberOfBytesWritten=0x12a6fd00*=0xae, lpOverlapped=0x12a6fd0c) returned 1 [0189.629] GetFileType (hFile=0x1a0) returned 0x1 [0189.629] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xae, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0189.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0189.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0189.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8d58 | out: pbBuffer=0x128e8d58) returned 1 [0189.630] CreateFileW (lpFileName="C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.630] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0189.630] WriteFile (in: hFile=0x43c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0189.666] CloseHandle (hObject=0x43c) returned 1 [0189.666] CloseHandle (hObject=0x1a0) returned 1 [0189.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8d70 | out: pbBuffer=0x128e8d70) returned 1 [0189.666] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\#_THIS_FILE_IS_ENCRYPTED_[FCA91D5EE88BEFC6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\#_this_file_is_encrypted_[fca91d5ee88befc6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.667] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.723] SetEvent (hEvent=0x19c) returned 1 [0189.724] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.790] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\uss.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0189.810] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0189.810] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\uss.chk"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239e71ab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239e71ab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xe9d47116, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0189.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98bc0 | out: pbBuffer=0x12a98bc0) returned 1 [0189.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811b90 | out: pbBuffer=0x12811b90) returned 1 [0189.812] ReadFile (in: hFile=0x428, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0189.825] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0189.864] SetEvent (hEvent=0xfc) returned 1 [0189.864] GetFileType (hFile=0x428) returned 0x1 [0189.865] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.865] WriteFile (in: hFile=0x428, lpBuffer=0x12d28000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d28000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0189.865] GetFileType (hFile=0x428) returned 0x1 [0189.865] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0189.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801481 | out: pbBuffer=0x12801481) returned 1 [0189.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0189.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a560 | out: pbBuffer=0x12a9a560) returned 1 [0189.866] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\uss.chk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.866] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0189.866] WriteFile (in: hFile=0x448, lpBuffer=0x12b17900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b17900*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.866] CloseHandle (hObject=0x448) returned 1 [0189.867] CloseHandle (hObject=0x428) returned 1 [0189.867] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a578 | out: pbBuffer=0x12a9a578) returned 1 [0189.867] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\uss.chk"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\#_THIS_FILE_IS_ENCRYPTED_[941B2947167F8538]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\#_this_file_is_encrypted_[941b2947167f8538]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.868] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0190.129] SetEvent (hEvent=0xfc) returned 1 [0190.129] SetEvent (hEvent=0x3f4) returned 1 [0190.129] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\usstmp.log"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xdd289e64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000)) returned 1 [0190.130] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\store.vol" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\store.vol"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23a0d188, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23a0d188, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xc449e3a7, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x600000)) returned 1 [0190.130] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\usstmp.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.131] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0190.131] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\usstmp.log"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xdd289e64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000)) returned 1 [0190.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0190.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810890 | out: pbBuffer=0x12810890) returned 1 [0190.131] ReadFile (in: hFile=0x438, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0190.191] GetFileType (hFile=0x438) returned 0x1 [0190.191] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0190.191] WriteFile (in: hFile=0x438, lpBuffer=0x129b6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x129b6000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0190.192] GetFileType (hFile=0x438) returned 0x1 [0190.192] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0190.192] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0190.192] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0190.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0190.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810948 | out: pbBuffer=0x12810948) returned 1 [0190.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\usstmp.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.193] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0190.193] WriteFile (in: hFile=0x43c, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0190.197] CloseHandle (hObject=0x43c) returned 1 [0190.197] CloseHandle (hObject=0x438) returned 1 [0190.197] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810960 | out: pbBuffer=0x12810960) returned 1 [0190.197] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\usstmp.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\#_THIS_FILE_IS_ENCRYPTED_[BBDF4B45DF708FCB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\#_this_file_is_encrypted_[bbdf4b45df708fcb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0190.198] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0190.219] SetEvent (hEvent=0xfc) returned 1 [0190.220] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\powershell.exe.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.220] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0190.220] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\powershell.exe.log"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8647598c, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x110c)) returned 1 [0190.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0190.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0190.220] ReadFile (in: hFile=0x438, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x1282fd1c*=0x110c, lpOverlapped=0x0) returned 1 [0190.332] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0190.382] GetFileType (hFile=0x438) returned 0x1 [0190.382] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0190.383] WriteFile (in: hFile=0x438, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x110c, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x1282fd00*=0x110c, lpOverlapped=0x1282fd0c) returned 1 [0190.383] GetFileType (hFile=0x438) returned 0x1 [0190.383] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x110c, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0190.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0190.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0190.384] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0190.384] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810aa8 | out: pbBuffer=0x12810aa8) returned 1 [0190.385] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\powershell.exe.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0190.385] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0190.385] WriteFile (in: hFile=0x448, lpBuffer=0x12c2ca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2ca00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0190.385] CloseHandle (hObject=0x448) returned 1 [0190.385] CloseHandle (hObject=0x438) returned 1 [0190.385] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ac0 | out: pbBuffer=0x12810ac0) returned 1 [0190.386] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\powershell.exe.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\#_THIS_FILE_IS_ENCRYPTED_[C0F47C524A118D01]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\#_this_file_is_encrypted_[c0f47c524a118d01]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0190.386] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\powershell.exe.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.387] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0190.387] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\powershell.exe.log"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a845ef9, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x1078)) returned 1 [0190.387] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98440 | out: pbBuffer=0x12a98440) returned 1 [0190.387] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b08 | out: pbBuffer=0x12810b08) returned 1 [0190.387] ReadFile (in: hFile=0x438, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12a73d1c*=0x1078, lpOverlapped=0x0) returned 1 [0190.404] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0190.505] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0190.605] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0190.746] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0190.807] SetEvent (hEvent=0xfc) returned 1 [0190.808] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\IC4VWCH6\\ieonlinews.microsoft[1]" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\ic4vwch6\\ieonlinews.microsoft[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.808] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0190.808] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\IC4VWCH6\\ieonlinews.microsoft[1]" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\ic4vwch6\\ieonlinews.microsoft[1]"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4097881, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4097881, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4097881, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0190.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0190.809] ReadFile (in: hFile=0x438, lpBuffer=0x12a24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a24000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0190.809] CloseHandle (hObject=0x438) returned 1 [0190.809] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\Internet Explorer Suggested Sites~.feed-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\internet explorer suggested sites~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.809] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0190.809] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\Internet Explorer Suggested Sites~.feed-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\internet explorer suggested sites~.feed-ms"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3fe8047, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fe8047, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x56613a5, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0190.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0190.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848018 | out: pbBuffer=0x12848018) returned 1 [0190.810] ReadFile (in: hFile=0x438, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a4bd1c*=0x8000, lpOverlapped=0x0) returned 1 [0190.810] GetFileType (hFile=0x438) returned 0x1 [0190.810] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0190.811] WriteFile (in: hFile=0x438, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x12a4bd00*=0x8000, lpOverlapped=0x12a4bd0c) returned 1 [0190.811] GetFileType (hFile=0x438) returned 0x1 [0190.811] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x8000, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0190.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0190.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0190.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0190.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0190.812] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\Internet Explorer Suggested Sites~.feed-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\internet explorer suggested sites~.feed-ms"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.812] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0190.812] WriteFile (in: hFile=0x43c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0190.813] CloseHandle (hObject=0x43c) returned 1 [0190.813] CloseHandle (hObject=0x438) returned 1 [0190.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0190.813] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\Internet Explorer Suggested Sites~.feed-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\internet explorer suggested sites~.feed-ms"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\#_THIS_FILE_IS_ENCRYPTED_[E9FCD375DBE5D4A1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\#_this_file_is_encrypted_[e9fcd375dbe5d4a1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 0 [0190.813] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.814] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0190.814] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3fd8244, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fd8244, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3fd8244, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.814] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282e0 | out: pbBuffer=0x129282e0) returned 1 [0190.814] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848400 | out: pbBuffer=0x12848400) returned 1 [0190.814] ReadFile (in: hFile=0x438, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a73d1c*=0x0, lpOverlapped=0x0) returned 1 [0190.814] CloseHandle (hObject=0x438) returned 1 [0190.814] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\KnownGameList.bin" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\gamedvr\\knowngamelist.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.815] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\KnownGameList.bin\\*", lpFindFileData=0x12a6da44 | out: lpFindFileData=0x12a6da44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0190.815] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0191.851] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\en-us.1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0191.852] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0191.852] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\en-us.1"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966db287, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966db287, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966bf0b2, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4700)) returned 1 [0191.852] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928300 | out: pbBuffer=0x12928300) returned 1 [0191.852] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848428 | out: pbBuffer=0x12848428) returned 1 [0191.853] ReadFile (in: hFile=0x43c, lpBuffer=0x12bc8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bc8000*, lpNumberOfBytesRead=0x12829d1c*=0x4700, lpOverlapped=0x0) returned 1 [0191.855] GetFileType (hFile=0x43c) returned 0x1 [0191.855] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0191.855] WriteFile (in: hFile=0x43c, lpBuffer=0x12d70000*, nNumberOfBytesToWrite=0x4700, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d70000*, lpNumberOfBytesWritten=0x12829d00*=0x4700, lpOverlapped=0x12829d0c) returned 1 [0191.856] GetFileType (hFile=0x43c) returned 0x1 [0191.856] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x4700, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0191.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0191.857] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0191.857] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0191.857] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0191.857] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\en-us.1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0191.858] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0191.858] WriteFile (in: hFile=0x428, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0191.858] CloseHandle (hObject=0x428) returned 1 [0191.858] CloseHandle (hObject=0x43c) returned 1 [0191.858] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848518 | out: pbBuffer=0x12848518) returned 1 [0191.859] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\en-us.1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\#_THIS_FILE_IS_ENCRYPTED_[CC7780CD5940D203]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\#_this_file_is_encrypted_[cc7780cd5940d203]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0193.196] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0193.545] SwitchToThread () returned 1 [0193.763] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1cc, buf=0x12854000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x1cc, lpOverlapped=0x128e6088) returned 0 [0194.012] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa40, ulCount=0x10, ulNumEntriesRemoved=0x19fa24, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa40, ulNumEntriesRemoved=0x19fa24) returned 0 [0194.013] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa40, ulCount=0x10, ulNumEntriesRemoved=0x19fa24, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x19fa40, ulNumEntriesRemoved=0x19fa24) returned 1 [0208.150] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x19fa20, fWait=0, lpdwFlags=0x19fa30 | out: lpcbTransfer=0x19fa20, lpdwFlags=0x19fa30) returned 1 [0208.373] SetEvent (hEvent=0x3f8) returned 1 [0208.417] SetEvent (hEvent=0x110) returned 1 [0208.417] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0208.691] SetEvent (hEvent=0x3cc) returned 1 [0208.691] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb1bd98b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeb1bd98b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeb3ad73a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0208.740] SetEvent (hEvent=0x40c) returned 1 [0208.740] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecc43b7e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecc43b7e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5c4b24e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0)) returned 1 [0208.779] SetEvent (hEvent=0x420) returned 1 [0208.779] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf77c8633, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77c8633, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d9801d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x362c0)) returned 1 [0208.913] SetEvent (hEvent=0x420) returned 1 [0208.913] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncclient.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8878a7e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8878a7e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc424655, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0)) returned 1 [0208.964] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0208.982] SetEvent (hEvent=0x10c) returned 1 [0208.982] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0209.010] SetEvent (hEvent=0x3f8) returned 1 [0209.011] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncconfig.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcbbde9d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcbbde9d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd2fec9b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x238c0)) returned 1 [0209.148] SetEvent (hEvent=0x40c) returned 1 [0209.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncsessions.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd704ae4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd704ae4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23231a2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0)) returned 1 [0209.937] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0209.950] SetEvent (hEvent=0x1d0) returned 1 [0209.950] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncshell.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2454520, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2454520, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x253922a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0)) returned 1 [0210.005] SetEvent (hEvent=0x420) returned 1 [0210.005] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\loggingplatform.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32eeba5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x32eeba5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4889ef2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0)) returned 1 [0210.033] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0210.163] SetEvent (hEvent=0x1d0) returned 1 [0210.187] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\onedrive.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f40d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe50f40d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xefa8864, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0)) returned 1 [0210.237] SetEvent (hEvent=0x40c) returned 1 [0210.237] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\remoteaccess.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1018a7a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1018a7a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1149d5d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0)) returned 1 [0210.269] SetEvent (hEvent=0x110) returned 1 [0210.270] SetEvent (hEvent=0xfc) returned 1 [0210.270] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotlogo.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x126710a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x126710a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x130c8fc0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x124b)) returned 1 [0210.308] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0210.316] SetEvent (hEvent=0x1d0) returned 1 [0210.317] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1347c6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1347c6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x140b472d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a)) returned 1 [0210.335] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0210.420] SetEvent (hEvent=0x10c) returned 1 [0210.420] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0210.427] SetEvent (hEvent=0x1d0) returned 1 [0210.428] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmwrapper.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16909517, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16909517, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16c7693c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0)) returned 1 [0210.505] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0210.937] SetEvent (hEvent=0x3f8) returned 1 [0211.403] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmwrapper.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0211.420] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0211.484] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmwrapper.dll"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16909517, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16909517, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16c7693c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0)) returned 1 [0211.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6a0 | out: pbBuffer=0x1280e6a0) returned 1 [0211.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0211.595] ReadFile (in: hFile=0x1a0, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x129a9d1c*=0x9ac0, lpOverlapped=0x0) returned 1 [0211.658] GetFileType (hFile=0x1a0) returned 0x1 [0211.658] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0211.658] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d64000*, nNumberOfBytesToWrite=0x9ac0, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12d64000*, lpNumberOfBytesWritten=0x129a9d00*=0x9ac0, lpOverlapped=0x129a9d0c) returned 1 [0211.659] GetFileType (hFile=0x1a0) returned 0x1 [0211.659] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x9ac0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0212.393] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0212.714] ReadFile (in: hFile=0x448, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x129abd1c*=0x152c0, lpOverlapped=0x0) returned 1 [0212.835] GetFileType (hFile=0x448) returned 0x1 [0212.835] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0212.835] WriteFile (in: hFile=0x448, lpBuffer=0x12ba8000*, nNumberOfBytesToWrite=0x152c0, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12ba8000*, lpNumberOfBytesWritten=0x129abd00*=0x152c0, lpOverlapped=0x129abd0c) returned 1 [0212.836] GetFileType (hFile=0x448) returned 0x1 [0212.836] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x152c0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0212.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0212.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0212.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0212.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a280 | out: pbBuffer=0x12a9a280) returned 1 [0212.942] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0212.943] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0212.943] WriteFile (in: hFile=0x1a0, lpBuffer=0x12bd8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12bd8000*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0212.943] CloseHandle (hObject=0x1a0) returned 1 [0212.943] CloseHandle (hObject=0x448) returned 1 [0212.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a298 | out: pbBuffer=0x12a9a298) returned 1 [0212.944] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\#_THIS_FILE_IS_ENCRYPTED_[BBA50B914C5ACE38]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\#_this_file_is_encrypted_[bba50b914c5ace38]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0212.984] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.028] SetEvent (hEvent=0x40c) returned 1 [0213.028] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.121] SetEvent (hEvent=0x10c) returned 1 [0213.121] SetEvent (hEvent=0xfc) returned 1 [0213.121] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.162] SetEvent (hEvent=0x10c) returned 1 [0213.162] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.215] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.458] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.462] SetEvent (hEvent=0x40c) returned 1 [0213.462] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0213.463] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0213.463] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf223ea69, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf223ea69, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf24ed57a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0213.464] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e3e0 | out: pbBuffer=0x1280e3e0) returned 1 [0213.464] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810310 | out: pbBuffer=0x12810310) returned 1 [0213.464] ReadFile (in: hFile=0x448, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x129a9d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0213.586] GetFileType (hFile=0x448) returned 0x1 [0213.586] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.586] WriteFile (in: hFile=0x448, lpBuffer=0x12c5a000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12c5a000*, lpNumberOfBytesWritten=0x129a9d00*=0x156c0, lpOverlapped=0x129a9d0c) returned 1 [0213.587] GetFileType (hFile=0x448) returned 0x1 [0213.587] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.587] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0213.587] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0213.587] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0213.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128103c8 | out: pbBuffer=0x128103c8) returned 1 [0213.588] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.588] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0213.588] WriteFile (in: hFile=0x15c, lpBuffer=0x1297a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x1297a000*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0213.588] CloseHandle (hObject=0x15c) returned 1 [0213.589] CloseHandle (hObject=0x448) returned 1 [0213.589] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103e0 | out: pbBuffer=0x128103e0) returned 1 [0213.589] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\#_THIS_FILE_IS_ENCRYPTED_[78CD1FD3E96B0EEF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\#_this_file_is_encrypted_[78cd1fd3e96b0eef]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.614] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.692] SetEvent (hEvent=0x40c) returned 1 [0213.692] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.698] SetEvent (hEvent=0x420) returned 1 [0213.698] SetEvent (hEvent=0x10c) returned 1 [0213.698] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.731] SetEvent (hEvent=0x40c) returned 1 [0213.731] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0213.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.789] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0213.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb3017e0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb3017e0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb622788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0213.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0213.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0213.790] ReadFile (in: hFile=0x15c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0213.863] GetFileType (hFile=0x15c) returned 0x1 [0213.863] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0213.863] WriteFile (in: hFile=0x15c, lpBuffer=0x12b88000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b88000*, lpNumberOfBytesWritten=0x1282fd00*=0x15ec0, lpOverlapped=0x1282fd0c) returned 1 [0213.864] GetFileType (hFile=0x15c) returned 0x1 [0213.864] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0213.864] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0213.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0213.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0213.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810238 | out: pbBuffer=0x12810238) returned 1 [0213.865] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.866] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0213.866] WriteFile (in: hFile=0x3c4, lpBuffer=0x1297aa00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x1297aa00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0213.866] CloseHandle (hObject=0x3c4) returned 1 [0213.866] CloseHandle (hObject=0x15c) returned 1 [0213.867] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810260 | out: pbBuffer=0x12810260) returned 1 [0213.867] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\#_THIS_FILE_IS_ENCRYPTED_[D8E42127DEF87C61]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\#_this_file_is_encrypted_[d8e42127def87c61]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.868] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe46dff5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe683ed2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe683ed2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.869] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.869] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe46dff5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe46dff5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe683ed2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0213.869] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe46dff5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe46dff5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe683ed2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.869] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe683ed2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe683ed2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xff2499db, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.869] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.869] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0213.869] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.870] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.870] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.872] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.872] WriteFile (in: hFile=0x15c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.873] CloseHandle (hObject=0x15c) returned 1 [0213.874] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe683ed2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe683ed2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xff2499db, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0213.875] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffc1f3cf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xb4ba12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb4ba12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.939] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.939] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffc1f3cf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xffc1f3cf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xb4ba12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0213.940] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffc1f3cf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xffc1f3cf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xb4ba12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.940] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ba12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb4ba12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1a7e8c8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.940] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.940] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0213.940] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.940] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0213.984] SetEvent (hEvent=0x110) returned 1 [0213.984] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.984] WriteFile (in: hFile=0x438, lpBuffer=0x12d05300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d05300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.986] CloseHandle (hObject=0x438) returned 1 [0213.986] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ba12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb4ba12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1a7e8c8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0213.993] SetEvent (hEvent=0x420) returned 1 [0213.993] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcp120.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67fb07e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67fb07e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xae9cb73, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0)) returned 1 [0213.999] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0214.022] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcr120.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbb9ac6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbbb9ac6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xddeae4a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0)) returned 1 [0214.025] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e38526, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d4510a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2d4510a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.026] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.026] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e38526, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1e38526, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2d4510a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0214.026] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e38526, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1e38526, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2d4510a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.026] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d4510a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d4510a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x3bb95f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.026] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.026] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0214.026] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.027] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.027] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.027] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.027] WriteFile (in: hFile=0x438, lpBuffer=0x12d13300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d13300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.030] CloseHandle (hObject=0x438) returned 1 [0214.030] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d4510a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d4510a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x3bb95f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0214.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f00a8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.038] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.039] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f00a8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x3f00a8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0214.039] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f00a8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x3f00a8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.039] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6d7e5c9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.039] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.039] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0214.039] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.040] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.040] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.041] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.041] WriteFile (in: hFile=0x438, lpBuffer=0x12d06600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d06600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.043] CloseHandle (hObject=0x438) returned 1 [0214.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6d7e5c9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0214.110] SetEvent (hEvent=0x420) returned 1 [0214.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a4f09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x8fea519, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x8fea519, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.117] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0214.123] SetEvent (hEvent=0xfc) returned 1 [0214.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.124] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0214.142] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a4f09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7a4f09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x8fea519, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0214.142] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a4f09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7a4f09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x8fea519, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.142] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fea519, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x8fea519, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9aa4e53, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.142] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.142] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0214.142] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.143] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0214.144] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.144] WriteFile (in: hFile=0x448, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.145] CloseHandle (hObject=0x448) returned 1 [0214.145] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fea519, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x8fea519, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9aa4e53, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0214.151] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0214.170] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0214.187] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0214.401] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0214.760] SetEvent (hEvent=0xfc) returned 1 [0214.760] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0214.797] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0214.801] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.802] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0214.802] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11e72c7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x11e72c7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x12ba82ea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0214.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0214.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34028 | out: pbBuffer=0x12c34028) returned 1 [0214.802] ReadFile (in: hFile=0x438, lpBuffer=0x12c94000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c94000*, lpNumberOfBytesRead=0x12829d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0214.903] GetFileType (hFile=0x438) returned 0x1 [0214.903] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.903] WriteFile (in: hFile=0x438, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12829d00*=0x156c0, lpOverlapped=0x12829d0c) returned 1 [0215.432] GetFileType (hFile=0x438) returned 0x1 [0215.432] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0215.432] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0215.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0215.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0215.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a120 | out: pbBuffer=0x12a9a120) returned 1 [0215.433] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0215.433] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0215.434] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0215.483] CloseHandle (hObject=0x3c4) returned 1 [0215.483] CloseHandle (hObject=0x438) returned 1 [0215.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a210 | out: pbBuffer=0x12a9a210) returned 1 [0215.504] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\#_THIS_FILE_IS_ENCRYPTED_[139B915996B9C459]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\#_this_file_is_encrypted_[139b915996b9c459]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0215.552] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0215.561] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0218.685] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8490 | out: pbBuffer=0x128e8490) returned 1 [0218.698] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0218.699] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0218.699] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b16500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b16500*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0218.699] CloseHandle (hObject=0x1a0) returned 1 [0218.699] CloseHandle (hObject=0x42c) returned 1 [0218.699] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e84a8 | out: pbBuffer=0x128e84a8) returned 1 [0218.795] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0218.936] SetEvent (hEvent=0xfc) returned 1 [0218.936] SetEvent (hEvent=0x40c) returned 1 [0218.936] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0219.036] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0219.237] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0219.742] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0223.672] SetEvent (hEvent=0x40c) returned 1 [0223.672] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x15f23) returned 0x0 [0224.192] SetEvent (hEvent=0x110) returned 1 [0224.192] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x2706) returned 0x102 [0234.416] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0235.177] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1cd, buf=0x128f43c0*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x1cd, lpOverlapped=0x128e6088) returned 0 [0235.217] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0235.331] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa40, ulCount=0x10, ulNumEntriesRemoved=0x19fa24, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa40, ulNumEntriesRemoved=0x19fa24) returned 0 [0235.332] SetEvent (hEvent=0x3f4) returned 1 [0235.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\remoteaccess.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14d0a816, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x14d0a816, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x16afe0f6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0)) returned 1 [0235.386] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0235.727] SwitchToThread () returned 1 [0235.780] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0236.092] SetEvent (hEvent=0x454) returned 1 [0236.093] SetEvent (hEvent=0x3f8) returned 1 [0236.093] SetEvent (hEvent=0x420) returned 1 [0236.093] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0236.100] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0236.100] SetEvent (hEvent=0x420) returned 1 [0236.100] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0236.104] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0243.088] SetEvent (hEvent=0x19c) returned 1 [0243.088] SetEvent (hEvent=0xfc) returned 1 [0243.088] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0244.155] SetEvent (hEvent=0x420) returned 1 [0244.155] SetEvent (hEvent=0x3f8) returned 1 [0244.155] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0244.177] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0244.178] SetEvent (hEvent=0x1b8) returned 1 [0244.178] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0244.191] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2ae8e3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x31566c2e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x31566c2e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.211] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2ae8e3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2f2ae8e3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x31566c2e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0244.212] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2ae8e3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2f2ae8e3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x31566c2e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.212] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31566c2e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x31566c2e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x328ec16f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.212] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.212] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0244.212] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.212] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.212] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.217] SetEvent (hEvent=0x110) returned 1 [0244.217] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.217] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.219] CloseHandle (hObject=0x44c) returned 1 [0244.219] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31566c2e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x31566c2e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x328ec16f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0244.228] SetEvent (hEvent=0x1b8) returned 1 [0244.228] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ccbe0d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32fecd60, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x32fecd60, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.296] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.296] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ccbe0d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32ccbe0d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x32fecd60, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0244.297] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ccbe0d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32ccbe0d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x32fecd60, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.297] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32fecd60, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32fecd60, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x335bca47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.297] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.297] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0244.297] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.301] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.302] WriteFile (in: hFile=0x44c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.304] CloseHandle (hObject=0x44c) returned 1 [0244.305] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32fecd60, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32fecd60, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x335bca47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0)) returned 1 [0244.305] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x336554be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33a5b30a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33a5b30a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.316] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.316] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x336554be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x336554be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33a5b30a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0244.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x336554be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x336554be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33a5b30a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33a5b30a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33a5b30a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344c97b6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.316] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0244.317] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.317] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.317] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.318] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.318] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.320] CloseHandle (hObject=0x42c) returned 1 [0244.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33a5b30a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33a5b30a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344c97b6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0244.339] SetEvent (hEvent=0xfc) returned 1 [0244.340] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34df519f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3570c0be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3570c0be, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.432] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.433] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34df519f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x34df519f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3570c0be, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0244.433] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34df519f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x34df519f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3570c0be, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.433] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3570c0be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3570c0be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x35c43302, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x178c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.433] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.434] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0244.434] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.434] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.434] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.439] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.439] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.441] CloseHandle (hObject=0x3e4) returned 1 [0244.441] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3570c0be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3570c0be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x35c43302, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x178c0)) returned 1 [0244.450] SetEvent (hEvent=0x110) returned 1 [0244.450] SetEvent (hEvent=0xfc) returned 1 [0244.450] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35cb5a72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.456] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.456] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35cb5a72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35cb5a72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0244.457] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35cb5a72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35cb5a72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.457] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36f7c3c3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.457] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.457] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0244.457] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.457] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.457] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.459] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.459] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.464] CloseHandle (hObject=0x3e4) returned 1 [0244.464] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36f7c3c3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0244.489] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3773e511, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x39698686, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x39698686, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.496] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.496] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3773e511, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3773e511, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x39698686, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0244.496] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3773e511, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3773e511, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x39698686, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.496] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39698686, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x39698686, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a092ece, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.496] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.497] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0244.497] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.497] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.497] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.498] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.499] WriteFile (in: hFile=0x44c, lpBuffer=0x12da8000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12da8000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.509] CloseHandle (hObject=0x44c) returned 1 [0244.510] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39698686, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x39698686, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a092ece, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0)) returned 1 [0244.517] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a187045, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a4b4493, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a4b4493, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.518] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.519] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a187045, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a187045, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a4b4493, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0244.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a187045, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a187045, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a4b4493, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.520] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a4b4493, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a4b4493, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3aad5fdc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.520] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.520] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0244.520] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.522] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.522] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.524] CloseHandle (hObject=0x44c) returned 1 [0244.524] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a4b4493, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a4b4493, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3aad5fdc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0)) returned 1 [0244.531] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad66e62, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b2a92ce, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b2a92ce, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.531] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.531] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad66e62, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ad66e62, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b2a92ce, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0244.532] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad66e62, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ad66e62, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b2a92ce, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.532] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2a92ce, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b2a92ce, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b774971, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x146c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.532] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.532] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0244.532] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.532] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.532] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.533] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.533] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.535] CloseHandle (hObject=0x3e4) returned 1 [0244.535] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2a92ce, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b2a92ce, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b774971, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x146c0)) returned 1 [0244.535] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ba1b177, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c07d3b2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c07d3b2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.535] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.536] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ba1b177, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ba1b177, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c07d3b2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0244.536] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ba1b177, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ba1b177, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c07d3b2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.536] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c07d3b2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c07d3b2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c816989, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x116c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.536] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.536] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0244.536] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.536] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.536] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.538] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.538] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.539] CloseHandle (hObject=0x3e4) returned 1 [0244.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c07d3b2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c07d3b2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c816989, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x116c0)) returned 1 [0244.540] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.541] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.541] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2a92ce, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b2a92ce, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b774971, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x146c0)) returned 1 [0244.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0244.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34bf0 | out: pbBuffer=0x12c34bf0) returned 1 [0244.541] ReadFile (in: hFile=0x3e4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12829d1c*=0x146c0, lpOverlapped=0x0) returned 1 [0244.567] GetFileType (hFile=0x3e4) returned 0x1 [0244.567] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.567] WriteFile (in: hFile=0x3e4, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x146c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12829d00*=0x146c0, lpOverlapped=0x12829d0c) returned 1 [0244.568] GetFileType (hFile=0x3e4) returned 0x1 [0244.568] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x146c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0244.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0244.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0244.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34ca8 | out: pbBuffer=0x12c34ca8) returned 1 [0244.569] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0244.570] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.570] WriteFile (in: hFile=0x450, lpBuffer=0x12c32500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.570] CloseHandle (hObject=0x450) returned 1 [0244.570] CloseHandle (hObject=0x3e4) returned 1 [0244.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34cc0 | out: pbBuffer=0x12c34cc0) returned 1 [0244.571] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\#_THIS_FILE_IS_ENCRYPTED_[4C55B7F469217918]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\#_this_file_is_encrypted_[4c55b7f469217918]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.582] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ca9f233, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3cd73d9d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3cd73d9d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.582] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.582] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ca9f233, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ca9f233, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3cd73d9d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0244.583] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ca9f233, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ca9f233, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3cd73d9d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.583] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd73d9d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3cd73d9d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3dcf3371, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.583] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.583] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0244.583] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.585] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.585] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.587] CloseHandle (hObject=0x3e4) returned 1 [0244.587] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd73d9d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3cd73d9d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3dcf3371, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0244.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e99da31, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ee3c3c6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ee3c3c6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.589] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.589] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e99da31, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3e99da31, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ee3c3c6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0244.589] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e99da31, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3e99da31, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ee3c3c6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.589] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ee3c3c6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ee3c3c6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f32718f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.589] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.589] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0244.589] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.589] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.590] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.590] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.590] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.626] CloseHandle (hObject=0x3e4) returned 1 [0244.627] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ee3c3c6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ee3c3c6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f32718f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0)) returned 1 [0244.627] SetEvent (hEvent=0x19c) returned 1 [0244.627] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f3bfc7c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f8f6c52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f8f6c52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.666] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.666] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f3bfc7c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f3bfc7c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f8f6c52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0244.666] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f3bfc7c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f3bfc7c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f8f6c52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.666] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f8f6c52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f8f6c52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3fe2e122, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.666] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.666] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0244.666] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.666] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.667] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.673] SetEvent (hEvent=0x110) returned 1 [0244.673] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.673] WriteFile (in: hFile=0x458, lpBuffer=0x12da9300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12da9300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.674] CloseHandle (hObject=0x458) returned 1 [0244.675] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f8f6c52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f8f6c52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3fe2e122, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0244.681] SetEvent (hEvent=0xfc) returned 1 [0244.681] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3feecd85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4038b58c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4038b58c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.686] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0244.767] SetEvent (hEvent=0xfc) returned 1 [0244.767] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.767] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3feecd85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3feecd85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4038b58c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0244.768] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3feecd85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3feecd85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4038b58c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.768] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4038b58c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4038b58c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40b97255, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.768] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.768] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0244.768] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.769] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.769] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.770] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.770] WriteFile (in: hFile=0x42c, lpBuffer=0x12c1a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c1a000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.771] CloseHandle (hObject=0x42c) returned 1 [0244.772] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4038b58c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4038b58c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40b97255, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0244.777] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40be3896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4137d061, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4137d061, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.780] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40be3896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40be3896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4137d061, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0244.780] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40be3896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40be3896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4137d061, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.780] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4137d061, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4137d061, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x41f429f3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.780] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.780] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0244.780] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.781] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.782] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.782] WriteFile (in: hFile=0x42c, lpBuffer=0x12c1b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c1b300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.783] CloseHandle (hObject=0x42c) returned 1 [0244.783] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4137d061, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4137d061, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x41f429f3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0244.784] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4223d845, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4255e9da, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4255e9da, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.797] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.797] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4223d845, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4223d845, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4255e9da, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0244.797] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4223d845, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4223d845, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4255e9da, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.797] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4255e9da, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4255e9da, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4293ea9a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.797] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.797] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0244.797] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.798] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.798] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.799] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.799] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c1c600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c1c600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.801] CloseHandle (hObject=0x3e4) returned 1 [0244.801] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4255e9da, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4255e9da, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4293ea9a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0244.801] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x429d715a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x431bcd83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x431bcd83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.833] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.833] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x429d715a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x429d715a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x431bcd83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0244.833] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x429d715a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x429d715a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x431bcd83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.833] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x431bcd83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x431bcd83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44031086, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.833] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.833] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0244.833] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.833] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.834] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.880] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.880] WriteFile (in: hFile=0x458, lpBuffer=0x12c1d900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c1d900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.882] CloseHandle (hObject=0x458) returned 1 [0244.883] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x431bcd83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x431bcd83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44031086, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0244.887] SetEvent (hEvent=0x1b8) returned 1 [0244.887] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4451bff5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x44fb0692, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44fb0692, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.888] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.889] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4451bff5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4451bff5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44fb0692, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0244.889] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4451bff5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4451bff5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44fb0692, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.889] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44fb0692, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x44fb0692, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45d3fb83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.889] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.889] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0244.890] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.890] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.890] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.891] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.891] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c1ec00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c1ec00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.893] CloseHandle (hObject=0x3e4) returned 1 [0244.893] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44fb0692, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x44fb0692, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45d3fb83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0244.893] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4622a987, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47006399, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47006399, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.899] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.900] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4622a987, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4622a987, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47006399, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0244.901] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4622a987, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4622a987, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47006399, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.901] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47006399, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47006399, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47373ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x166c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.901] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.901] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0244.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.901] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.901] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.902] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.902] WriteFile (in: hFile=0x458, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.903] CloseHandle (hObject=0x458) returned 1 [0244.904] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47006399, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47006399, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47373ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x166c0)) returned 1 [0244.904] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47589b40, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x479435d4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x479435d4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.943] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.943] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47589b40, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47589b40, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x479435d4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0244.943] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47589b40, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47589b40, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x479435d4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.943] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x479435d4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x479435d4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x48496726, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.943] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.943] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0244.943] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.944] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.944] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.953] SetEvent (hEvent=0x110) returned 1 [0244.953] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.953] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.954] CloseHandle (hObject=0x3e4) returned 1 [0244.954] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x479435d4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x479435d4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x48496726, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0244.959] SetEvent (hEvent=0x19c) returned 1 [0244.959] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wlmfds.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x353788c4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x353788c4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x368c78f3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x684c0)) returned 1 [0245.040] SetEvent (hEvent=0x19c) returned 1 [0245.040] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4852f371, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4887669e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4887669e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.041] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.041] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4852f371, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4852f371, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4887669e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0245.041] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4852f371, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4852f371, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4887669e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.041] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4887669e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4887669e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x49aa44f0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0245.041] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.041] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0245.041] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.043] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0245.043] WriteFile (in: hFile=0x458, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0245.044] CloseHandle (hObject=0x458) returned 1 [0245.044] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4887669e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4887669e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x49aa44f0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0)) returned 1 [0245.056] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0245.072] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b681c64, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4c221446, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4c221446, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.263] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b681c64, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4b681c64, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4c221446, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0245.263] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b681c64, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4b681c64, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4c221446, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.263] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c221446, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4c221446, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fb3372a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0245.263] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.263] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0245.280] SetEvent (hEvent=0xfc) returned 1 [0245.280] SetEvent (hEvent=0x1b8) returned 1 [0245.280] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wlmfds.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[B2E24C82160A833F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[b2e24c82160a833f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.282] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.282] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.283] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.284] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0245.284] WriteFile (in: hFile=0x42c, lpBuffer=0x12da8000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12da8000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0245.286] CloseHandle (hObject=0x42c) returned 1 [0245.286] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c221446, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4c221446, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fb3372a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0245.286] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50dd3ddb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x54c43715, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x54c43715, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.291] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.291] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50dd3ddb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x50dd3ddb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x54c43715, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0245.292] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50dd3ddb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x50dd3ddb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x54c43715, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.292] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54c43715, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x54c43715, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x555ccdf4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0245.292] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.292] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0245.292] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.293] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0245.293] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0245.295] CloseHandle (hObject=0x42c) returned 1 [0245.295] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54c43715, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x54c43715, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x555ccdf4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0)) returned 1 [0245.298] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55bc2d1b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x58ca2fba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x58ca2fba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.322] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.323] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55bc2d1b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x55bc2d1b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x58ca2fba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0245.323] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55bc2d1b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x55bc2d1b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x58ca2fba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.323] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ca2fba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x58ca2fba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5bad473f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd0c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0245.323] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.323] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0245.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.323] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.324] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.325] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0245.325] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0245.327] CloseHandle (hObject=0x3e4) returned 1 [0245.327] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ca2fba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x58ca2fba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5bad473f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd0c0)) returned 1 [0245.328] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c07e05b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c6c0410, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.329] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.329] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c07e05b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c07e05b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0245.329] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c07e05b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c07e05b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.329] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c6c0410, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c6c0410, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d06fe04, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd2c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0245.329] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.329] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0245.329] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.330] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.330] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.331] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0245.331] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0245.333] CloseHandle (hObject=0x3e4) returned 1 [0245.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c6c0410, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c6c0410, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d06fe04, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd2c0)) returned 1 [0245.333] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.334] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.334] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ca2fba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x58ca2fba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5bad473f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd0c0)) returned 1 [0245.334] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0245.334] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c20 | out: pbBuffer=0x12810c20) returned 1 [0245.335] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12853d1c*=0xd0c0, lpOverlapped=0x0) returned 1 [0245.368] GetFileType (hFile=0x3e4) returned 0x1 [0245.368] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.368] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0xd0c0, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12853d00*=0xd0c0, lpOverlapped=0x12853d0c) returned 1 [0245.398] GetFileType (hFile=0x3e4) returned 0x1 [0245.398] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0xd0c0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.398] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0245.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0245.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0245.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810d68 | out: pbBuffer=0x12810d68) returned 1 [0245.399] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.400] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.400] WriteFile (in: hFile=0x458, lpBuffer=0x12afa000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12afa000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.400] CloseHandle (hObject=0x458) returned 1 [0245.400] CloseHandle (hObject=0x3e4) returned 1 [0245.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810d80 | out: pbBuffer=0x12810d80) returned 1 [0245.400] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\#_THIS_FILE_IS_ENCRYPTED_[AE0FCEA4AABD410A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\#_this_file_is_encrypted_[ae0fcea4aabd410a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.402] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0245.481] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\TraceCurrent.5892.0626.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\tracecurrent.5892.0626.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.482] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12db5d0c | out: lpMode=0x12db5d0c) returned 0 [0245.482] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\TraceCurrent.5892.0626.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\tracecurrent.5892.0626.etl"), fInfoLevelId=0x0, lpFileInformation=0x12db5ad0 | out: lpFileInformation=0x12db5ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c44d76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0245.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0245.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810dc8 | out: pbBuffer=0x12810dc8) returned 1 [0245.482] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0245.502] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa94, ulCount=0x10, ulNumEntriesRemoved=0x19fa78, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa94, ulNumEntriesRemoved=0x19fa78) returned 0 [0245.502] SetEvent (hEvent=0x110) returned 1 [0245.502] SetEvent (hEvent=0x19c) returned 1 [0245.502] ReadFile (in: hFile=0x3e4, lpBuffer=0x129ee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12db5d1c, lpOverlapped=0x0 | out: lpBuffer=0x129ee000*, lpNumberOfBytesRead=0x12db5d1c*=0x2000, lpOverlapped=0x0) returned 1 [0245.508] GetFileType (hFile=0x3e4) returned 0x1 [0245.508] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.509] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b80000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12db5d00, lpOverlapped=0x12db5d0c | out: lpBuffer=0x12b80000*, lpNumberOfBytesWritten=0x12db5d00*=0x2000, lpOverlapped=0x12db5d0c) returned 1 [0245.509] GetFileType (hFile=0x3e4) returned 0x1 [0245.509] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.509] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0245.510] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0245.510] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0245.510] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848938 | out: pbBuffer=0x12848938) returned 1 [0245.510] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\TraceCurrent.5892.0626.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\tracecurrent.5892.0626.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.511] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12db5d0c | out: lpMode=0x12db5d0c) returned 0 [0245.511] WriteFile (in: hFile=0x458, lpBuffer=0x12a48500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12db5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a48500*, lpNumberOfBytesWritten=0x12db5d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.511] CloseHandle (hObject=0x458) returned 1 [0245.511] CloseHandle (hObject=0x3e4) returned 1 [0245.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848960 | out: pbBuffer=0x12848960) returned 1 [0245.512] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\TraceCurrent.5892.0626.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\tracecurrent.5892.0626.etl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\#_THIS_FILE_IS_ENCRYPTED_[03E9F36B88C6BF6E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\#_this_file_is_encrypted_[03e9f36b88c6bf6e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.525] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0245.527] SetEvent (hEvent=0x19c) returned 1 [0245.528] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0245.531] SetEvent (hEvent=0x19c) returned 1 [0245.531] SetEvent (hEvent=0x420) returned 1 [0245.531] GetFileType (hFile=0x42c) returned 0x1 [0245.532] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.532] WriteFile (in: hFile=0x42c, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0245.532] GetFileType (hFile=0x42c) returned 0x1 [0245.533] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0245.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0245.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0245.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0245.534] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\onedrive.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.534] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.534] WriteFile (in: hFile=0x3e4, lpBuffer=0x12afa000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12afa000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.537] CloseHandle (hObject=0x3e4) returned 1 [0245.537] CloseHandle (hObject=0x42c) returned 1 [0245.537] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810118 | out: pbBuffer=0x12810118) returned 1 [0245.537] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\onedrive.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\#_THIS_FILE_IS_ENCRYPTED_[D1B1B24662CC6C66]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\#_this_file_is_encrypted_[d1b1b24662cc6c66]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_ac-d08.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65f2e5a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x65f2e5a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f8974f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x20ae)) returned 1 [0245.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_125336_9c0-9f8.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8805a3a7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8805a3a7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98355904, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x234b2)) returned 1 [0245.555] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_131859_f38-f3c.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x137c38b0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x137c38b0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2b646bb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2745e)) returned 1 [0245.555] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132413_e60-e64.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xced0b146, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xced0b146, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c297983, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x36366)) returned 1 [0245.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_131859_f38-f3c.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0245.557] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.557] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_131859_f38-f3c.log"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x137c38b0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x137c38b0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2b646bb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2745e)) returned 1 [0245.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98200 | out: pbBuffer=0x12a98200) returned 1 [0245.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811000 | out: pbBuffer=0x12811000) returned 1 [0245.557] ReadFile (in: hFile=0x44c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0245.584] GetFileType (hFile=0x44c) returned 0x1 [0245.584] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.584] WriteFile (in: hFile=0x44c, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0245.585] GetFileType (hFile=0x44c) returned 0x1 [0245.585] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0245.586] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0245.586] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0245.586] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128110b8 | out: pbBuffer=0x128110b8) returned 1 [0245.586] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_131859_f38-f3c.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.586] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.586] WriteFile (in: hFile=0x3e4, lpBuffer=0x12afaa00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12afaa00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.587] CloseHandle (hObject=0x3e4) returned 1 [0245.587] CloseHandle (hObject=0x44c) returned 1 [0245.587] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128110d0 | out: pbBuffer=0x128110d0) returned 1 [0245.587] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_131859_f38-f3c.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[1CB81BEEFF265DCF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[1cb81beeff265dcf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.869] SetEvent (hEvent=0x110) returned 1 [0245.869] SetEvent (hEvent=0x420) returned 1 [0245.869] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_134548_958-b14.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0245.870] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.870] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_134548_958-b14.log"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd27489e1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd27489e1, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x8afcf13b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5c1cc)) returned 1 [0245.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e260 | out: pbBuffer=0x1280e260) returned 1 [0245.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848068 | out: pbBuffer=0x12848068) returned 1 [0245.870] ReadFile (in: hFile=0x44c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0245.880] GetFileType (hFile=0x44c) returned 0x1 [0245.880] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.880] WriteFile (in: hFile=0x44c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0245.881] GetFileType (hFile=0x44c) returned 0x1 [0245.881] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.882] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0245.882] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0245.882] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0245.939] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0245.940] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_134548_958-b14.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0245.940] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.940] WriteFile (in: hFile=0x450, lpBuffer=0x12a48000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a48000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.951] CloseHandle (hObject=0x450) returned 1 [0245.955] CloseHandle (hObject=0x44c) returned 1 [0245.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848408 | out: pbBuffer=0x12848408) returned 1 [0245.966] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_134548_958-b14.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[87EE318C0B70E560]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[87ee318c0b70e560]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0247.219] SetEvent (hEvent=0x420) returned 1 [0247.219] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132742_c8c-c90.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0247.221] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0247.222] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132742_c8c-c90.log"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b7b80c2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4b7b80c2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f5db470, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0247.222] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e980 | out: pbBuffer=0x1280e980) returned 1 [0247.222] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848bb0 | out: pbBuffer=0x12848bb0) returned 1 [0247.222] ReadFile (in: hFile=0x458, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12853d1c*=0xf5f6, lpOverlapped=0x0) returned 1 [0247.316] GetFileType (hFile=0x458) returned 0x1 [0247.316] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0247.316] WriteFile (in: hFile=0x458, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0xf5f6, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12853d00*=0xf5f6, lpOverlapped=0x12853d0c) returned 1 [0247.317] GetFileType (hFile=0x458) returned 0x1 [0247.317] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0xf5f6, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0247.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf81 | out: pbBuffer=0x12afcf81) returned 1 [0247.318] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd081 | out: pbBuffer=0x12afd081) returned 1 [0247.318] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd181 | out: pbBuffer=0x12afd181) returned 1 [0247.318] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848ce8 | out: pbBuffer=0x12848ce8) returned 1 [0247.318] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132742_c8c-c90.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0247.319] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0247.319] WriteFile (in: hFile=0x450, lpBuffer=0x12a49400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a49400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0247.319] CloseHandle (hObject=0x450) returned 1 [0247.407] CloseHandle (hObject=0x458) returned 1 [0247.494] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d00 | out: pbBuffer=0x12848d00) returned 1 [0247.494] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132742_c8c-c90.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[C33852FA29E35D69]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[c33852fa29e35d69]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0249.772] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0250.126] SetEvent (hEvent=0x3f8) returned 1 [0250.126] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0252.109] SetEvent (hEvent=0x19c) returned 1 [0252.112] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0252.113] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0252.113] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43f61d3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0252.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0252.117] ReadFile (in: hFile=0x44c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0252.117] CloseHandle (hObject=0x44c) returned 1 [0252.117] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0252.480] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0252.554] SetEvent (hEvent=0x3f8) returned 1 [0252.554] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0252.558] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0252.559] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0252.559] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845280 | out: pbBuffer=0x12845280) returned 1 [0252.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9080 | out: pbBuffer=0x128e9080) returned 1 [0252.560] ReadFile (in: hFile=0x44c, lpBuffer=0x12984000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12984000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0252.560] CloseHandle (hObject=0x44c) returned 1 [0252.561] SetEvent (hEvent=0x3f4) returned 1 [0252.561] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0252.578] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0252.581] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0252.581] SetEvent (hEvent=0x3f8) returned 1 [0252.581] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0252.602] GetFileType (hFile=0x458) returned 0x1 [0252.602] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.603] WriteFile (in: hFile=0x458, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12851d00*=0x4000, lpOverlapped=0x12851d0c) returned 1 [0252.603] GetFileType (hFile=0x458) returned 0x1 [0252.603] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0252.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0252.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0252.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0252.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.604] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0252.604] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0252.605] CloseHandle (hObject=0x3e4) returned 1 [0252.605] CloseHandle (hObject=0x458) returned 1 [0252.605] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0252.605] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[CE8C5DBF6AE6C36E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[ce8c5dbf6ae6c36e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.606] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.607] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0252.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0252.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848400 | out: pbBuffer=0x12848400) returned 1 [0252.608] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0252.608] CloseHandle (hObject=0x458) returned 1 [0252.608] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.608] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0252.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9056b602, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9056b602, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0252.609] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0252.609] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0252.609] ReadFile (in: hFile=0x458, lpBuffer=0x12958000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12958000*, lpNumberOfBytesRead=0x1282bd1c*=0x2000, lpOverlapped=0x0) returned 1 [0252.669] GetFileType (hFile=0x458) returned 0x1 [0252.669] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0252.669] WriteFile (in: hFile=0x458, lpBuffer=0x12918000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12918000*, lpNumberOfBytesWritten=0x1282bd00*=0x2000, lpOverlapped=0x1282bd0c) returned 1 [0252.669] GetFileType (hFile=0x458) returned 0x1 [0252.669] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0252.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0252.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0252.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0252.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0252.670] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.670] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0252.670] WriteFile (in: hFile=0x3e4, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0252.671] CloseHandle (hObject=0x3e4) returned 1 [0252.671] CloseHandle (hObject=0x458) returned 1 [0252.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0252.671] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[BF0E7FF56FB2184F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[bf0e7ff56fb2184f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.757] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0252.796] SetEvent (hEvent=0x1d0) returned 1 [0252.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.797] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0252.797] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6131ff94, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6131ff94, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0252.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928220 | out: pbBuffer=0x12928220) returned 1 [0252.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a170 | out: pbBuffer=0x12a9a170) returned 1 [0252.799] ReadFile (in: hFile=0x3e4, lpBuffer=0x129c4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129c4000*, lpNumberOfBytesRead=0x1282fd1c*=0x10000, lpOverlapped=0x0) returned 1 [0252.900] GetFileType (hFile=0x3e4) returned 0x1 [0252.900] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0252.900] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x1282fd00*=0x10000, lpOverlapped=0x1282fd0c) returned 1 [0252.901] GetFileType (hFile=0x3e4) returned 0x1 [0252.901] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0252.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0252.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0252.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0252.902] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a248 | out: pbBuffer=0x12a9a248) returned 1 [0252.902] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0252.902] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0252.902] WriteFile (in: hFile=0x44c, lpBuffer=0x12d8ea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12d8ea00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0252.903] CloseHandle (hObject=0x44c) returned 1 [0252.903] CloseHandle (hObject=0x3e4) returned 1 [0252.903] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a260 | out: pbBuffer=0x12a9a260) returned 1 [0252.903] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[B8E870A6C711DC39]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[b8e870a6c711dc39]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.905] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.906] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0252.906] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928460 | out: pbBuffer=0x12928460) returned 1 [0252.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2a8 | out: pbBuffer=0x12a9a2a8) returned 1 [0252.907] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0252.915] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa94, ulCount=0x10, ulNumEntriesRemoved=0x19fa78, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa94, ulNumEntriesRemoved=0x19fa78) returned 0 [0252.915] SetEvent (hEvent=0x110) returned 1 [0252.915] SetEvent (hEvent=0x420) returned 1 [0252.915] SetEvent (hEvent=0x19c) returned 1 [0252.916] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c94000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c94000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0252.916] CloseHandle (hObject=0x3e4) returned 1 [0252.918] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0252.980] SetEvent (hEvent=0x1d0) returned 1 [0252.980] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0252.992] SetEvent (hEvent=0x3f4) returned 1 [0252.992] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0253.027] SetEvent (hEvent=0x3f4) returned 1 [0253.027] SetEvent (hEvent=0x1d0) returned 1 [0253.027] GetFileType (hFile=0x458) returned 0x1 [0253.027] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0253.027] WriteFile (in: hFile=0x458, lpBuffer=0x12866000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12866000*, lpNumberOfBytesWritten=0x1282bd00*=0x2000, lpOverlapped=0x1282bd0c) returned 1 [0253.027] GetFileType (hFile=0x458) returned 0x1 [0253.027] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0253.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0253.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0253.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0253.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0253.028] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.029] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0253.029] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0253.029] CloseHandle (hObject=0x3e4) returned 1 [0253.029] CloseHandle (hObject=0x458) returned 1 [0253.029] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340c8 | out: pbBuffer=0x12c340c8) returned 1 [0253.030] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[CCDEFBC86D1ACDE4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[ccdefbc86d1acde4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.031] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.032] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0253.032] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x90bada42, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90bada42, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90bada42, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0253.032] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88200 | out: pbBuffer=0x12b88200) returned 1 [0253.032] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34110 | out: pbBuffer=0x12c34110) returned 1 [0253.033] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12855d1c*=0x2000, lpOverlapped=0x0) returned 1 [0253.045] GetFileType (hFile=0x458) returned 0x1 [0253.045] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.046] WriteFile (in: hFile=0x458, lpBuffer=0x12918000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12918000*, lpNumberOfBytesWritten=0x12855d00*=0x2000, lpOverlapped=0x12855d0c) returned 1 [0253.046] GetFileType (hFile=0x458) returned 0x1 [0253.046] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0253.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0253.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0253.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341c8 | out: pbBuffer=0x12c341c8) returned 1 [0253.047] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.047] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0253.047] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.048] CloseHandle (hObject=0x3e4) returned 1 [0253.048] CloseHandle (hObject=0x458) returned 1 [0253.048] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341e0 | out: pbBuffer=0x12c341e0) returned 1 [0253.048] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[65B0E361AEAB2857]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[65b0e361aeab2857]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.050] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0253.150] SetEvent (hEvent=0x1d0) returned 1 [0253.150] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.151] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0253.151] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0253.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88400 | out: pbBuffer=0x12b88400) returned 1 [0253.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34228 | out: pbBuffer=0x12c34228) returned 1 [0253.151] ReadFile (in: hFile=0x458, lpBuffer=0x12d8c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d8c000*, lpNumberOfBytesRead=0x1282bd1c*=0x3000, lpOverlapped=0x0) returned 1 [0253.169] GetFileType (hFile=0x458) returned 0x1 [0253.169] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0253.169] WriteFile (in: hFile=0x458, lpBuffer=0x12c16000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12c16000*, lpNumberOfBytesWritten=0x1282bd00*=0x3000, lpOverlapped=0x1282bd0c) returned 1 [0253.169] GetFileType (hFile=0x458) returned 0x1 [0253.169] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0253.169] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0253.170] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0253.170] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0253.170] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c342e0 | out: pbBuffer=0x12c342e0) returned 1 [0253.170] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.170] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0253.171] WriteFile (in: hFile=0x44c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0253.171] CloseHandle (hObject=0x44c) returned 1 [0253.171] CloseHandle (hObject=0x458) returned 1 [0253.171] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342f8 | out: pbBuffer=0x12c342f8) returned 1 [0253.171] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[C0A8405F5EBE6139]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[c0a8405f5ebe6139]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.173] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f6c454, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.173] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.174] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f6c454, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0253.174] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f6c454, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.174] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.174] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0253.175] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.176] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.176] WriteFile (in: hFile=0x458, lpBuffer=0x12db0000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12db0000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.178] CloseHandle (hObject=0x458) returned 1 [0253.178] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.178] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.178] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.179] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.179] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.179] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.179] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.179] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.179] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.180] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.180] WriteFile (in: hFile=0x458, lpBuffer=0x12db1300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12db1300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.182] CloseHandle (hObject=0x458) returned 1 [0253.184] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.199] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.199] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.204] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.204] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x30b44c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0253.204] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0253.204] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0253.204] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0253.204] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0253.205] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0253.205] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0253.205] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0253.205] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0253.205] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.205] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.206] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.207] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.207] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.209] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0253.209] WriteFile (in: hFile=0x458, lpBuffer=0x12db2600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12db2600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0253.211] CloseHandle (hObject=0x458) returned 1 [0253.211] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x30b44c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.213] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.213] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x30b44c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.219] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x30b44c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.219] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0253.219] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0253.219] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0253.219] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0253.219] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.219] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.223] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.223] WriteFile (in: hFile=0x458, lpBuffer=0x12db3900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12db3900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.230] CloseHandle (hObject=0x458) returned 1 [0253.231] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.235] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.235] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.236] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.236] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.236] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.236] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.236] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.237] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.238] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.238] WriteFile (in: hFile=0x42c, lpBuffer=0x12db4c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12db4c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.240] CloseHandle (hObject=0x42c) returned 1 [0253.241] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.244] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.245] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0253.245] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.245] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.245] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0253.246] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.246] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.246] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.247] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.247] WriteFile (in: hFile=0x42c, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.249] CloseHandle (hObject=0x42c) returned 1 [0253.249] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.250] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.250] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.250] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.250] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.250] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.251] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.251] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.252] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.252] WriteFile (in: hFile=0x42c, lpBuffer=0x12c65300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c65300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.254] CloseHandle (hObject=0x42c) returned 1 [0253.255] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.255] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.255] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0253.256] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.256] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.256] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0253.256] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.258] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.258] WriteFile (in: hFile=0x42c, lpBuffer=0x12c66600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c66600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.260] CloseHandle (hObject=0x42c) returned 1 [0253.260] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.260] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.261] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.261] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.261] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.261] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.261] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.261] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.261] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.263] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.263] WriteFile (in: hFile=0x42c, lpBuffer=0x12c67900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c67900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.265] CloseHandle (hObject=0x42c) returned 1 [0253.265] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.271] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.271] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.271] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.271] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.271] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.272] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.272] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.273] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.273] WriteFile (in: hFile=0x42c, lpBuffer=0x12c68c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c68c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.275] CloseHandle (hObject=0x42c) returned 1 [0253.275] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.275] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.276] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0253.276] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.276] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.276] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0253.276] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.276] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.277] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.277] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.277] WriteFile (in: hFile=0x42c, lpBuffer=0x12c70000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c70000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.279] CloseHandle (hObject=0x42c) returned 1 [0253.282] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.282] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.283] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0253.283] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.283] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0253.283] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.283] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0253.283] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.285] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.285] WriteFile (in: hFile=0x42c, lpBuffer=0x12c71300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c71300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.289] CloseHandle (hObject=0x42c) returned 1 [0253.289] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.289] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.289] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.294] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.295] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3102f837, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3102f837, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0253.295] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x30e65d2d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0253.295] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x30e65d2d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0253.295] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.295] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.296] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.299] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.299] WriteFile (in: hFile=0x42c, lpBuffer=0x12c72600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c72600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.300] CloseHandle (hObject=0x42c) returned 1 [0253.301] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3102f837, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3102f837, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0253.301] SetEvent (hEvent=0x420) returned 1 [0253.301] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x30e65d2d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0253.306] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0253.320] SetEvent (hEvent=0x3f4) returned 1 [0253.320] SetEvent (hEvent=0x420) returned 1 [0253.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x30e65d2d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.321] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.321] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.321] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.321] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.321] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.321] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.321] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.321] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.322] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.322] WriteFile (in: hFile=0x42c, lpBuffer=0x12c73900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c73900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.324] CloseHandle (hObject=0x42c) returned 1 [0253.324] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.325] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.325] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0253.325] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.325] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0253.325] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0253.325] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.325] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0253.327] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.327] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.327] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.329] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.329] WriteFile (in: hFile=0x42c, lpBuffer=0x12c74c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c74c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.331] CloseHandle (hObject=0x42c) returned 1 [0253.331] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.331] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0253.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.332] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.332] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.333] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.333] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.333] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.333] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.333] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.334] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.334] WriteFile (in: hFile=0x42c, lpBuffer=0x12d54000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12d54000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.336] CloseHandle (hObject=0x42c) returned 1 [0253.336] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.337] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.337] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0253.338] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.338] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.338] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0253.338] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.338] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.338] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.339] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.339] WriteFile (in: hFile=0x42c, lpBuffer=0x12d55300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12d55300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.341] CloseHandle (hObject=0x42c) returned 1 [0253.361] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.382] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.383] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0253.387] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.387] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e94b4e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0253.387] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0253.387] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0253.388] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0253.388] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0253.388] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0253.388] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0253.388] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0253.388] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0253.388] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.388] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0253.389] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.391] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.393] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.394] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0253.394] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0253.396] CloseHandle (hObject=0x3e4) returned 1 [0253.396] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e94b4e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.400] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.400] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e94b4e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.403] SetEvent (hEvent=0x110) returned 1 [0253.403] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e94b4e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.403] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0253.403] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0253.403] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0253.403] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0253.403] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.404] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.404] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.405] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.410] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.410] WriteFile (in: hFile=0x458, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.412] CloseHandle (hObject=0x458) returned 1 [0253.412] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.414] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.414] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.414] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.414] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.414] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.414] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.415] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.415] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.417] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.417] WriteFile (in: hFile=0x458, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.419] CloseHandle (hObject=0x458) returned 1 [0253.419] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.419] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.420] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.420] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.420] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.420] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.420] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.420] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.446] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.446] WriteFile (in: hFile=0x458, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.448] CloseHandle (hObject=0x458) returned 1 [0253.448] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.449] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.449] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.449] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.449] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.449] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.449] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.449] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.450] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.450] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.450] WriteFile (in: hFile=0x458, lpBuffer=0x12c70000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c70000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.452] CloseHandle (hObject=0x458) returned 1 [0253.452] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.453] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.453] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.453] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.453] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.453] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.454] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.454] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.454] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.455] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.455] WriteFile (in: hFile=0x458, lpBuffer=0x12c71300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c71300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.457] CloseHandle (hObject=0x458) returned 1 [0253.457] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.465] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.466] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.466] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.466] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.466] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.466] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.468] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.468] WriteFile (in: hFile=0x458, lpBuffer=0x12c72600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c72600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.470] CloseHandle (hObject=0x458) returned 1 [0253.470] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.470] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.471] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0253.471] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.471] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.471] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0253.471] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.471] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.472] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.473] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.473] WriteFile (in: hFile=0x458, lpBuffer=0x12d56600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12d56600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.475] CloseHandle (hObject=0x458) returned 1 [0253.475] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.475] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.476] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.476] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.476] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.476] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.476] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.477] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.477] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.478] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.478] WriteFile (in: hFile=0x458, lpBuffer=0x12d57900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12d57900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.479] CloseHandle (hObject=0x458) returned 1 [0253.480] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.486] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.487] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.488] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.488] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0253.488] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.488] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.488] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.488] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.489] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.490] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.490] WriteFile (in: hFile=0x458, lpBuffer=0x12d58c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12d58c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.492] CloseHandle (hObject=0x458) returned 1 [0253.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.492] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.492] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0253.504] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.504] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2eef4cf1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2eef4cf1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0253.505] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2ecb8a69, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0253.505] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2ecb8a69, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0253.505] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.505] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0253.506] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.507] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.508] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.509] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.509] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.511] CloseHandle (hObject=0x458) returned 1 [0253.511] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2eef4cf1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2eef4cf1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0253.512] SetEvent (hEvent=0x1d0) returned 1 [0253.512] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2ecb8a69, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0253.583] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2ecb8a69, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.583] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.584] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.584] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.584] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.584] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.584] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.605] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.606] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.606] WriteFile (in: hFile=0x458, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.608] CloseHandle (hObject=0x458) returned 1 [0253.609] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.609] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.610] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0253.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0253.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0253.610] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.610] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0253.610] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.615] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.615] WriteFile (in: hFile=0x458, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.617] CloseHandle (hObject=0x458) returned 1 [0253.617] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.618] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0253.618] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.618] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.619] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.619] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.619] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.619] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.619] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.619] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.620] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.621] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.621] WriteFile (in: hFile=0x458, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.622] CloseHandle (hObject=0x458) returned 1 [0253.623] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.623] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.623] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0253.623] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.623] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.623] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0253.623] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.624] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.624] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.625] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.625] WriteFile (in: hFile=0x458, lpBuffer=0x128af300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128af300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.627] CloseHandle (hObject=0x458) returned 1 [0253.627] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.627] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27470465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27470465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f19b08, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f19b08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f21066, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f21066, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f21066, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f25f67, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f25f67, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f25f67, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0253.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.644] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.645] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.649] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.649] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.650] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0253.650] WriteFile (in: hFile=0x458, lpBuffer=0x128b0600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x128b0600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0253.652] CloseHandle (hObject=0x458) returned 1 [0253.652] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27470465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27470465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.662] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.662] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27470465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27470465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.669] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27470465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27470465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.669] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0253.669] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0253.669] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0253.669] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0253.669] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.669] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.671] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.672] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.672] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.747] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.747] WriteFile (in: hFile=0x458, lpBuffer=0x128b1900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128b1900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.748] CloseHandle (hObject=0x458) returned 1 [0253.749] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.757] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.758] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0253.758] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.758] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.758] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0253.758] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.758] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.758] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.761] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.761] WriteFile (in: hFile=0x458, lpBuffer=0x128b2c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x128b2c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.762] CloseHandle (hObject=0x458) returned 1 [0253.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.763] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.763] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0253.763] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.763] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.764] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0253.764] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.764] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.764] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa94, ulCount=0x10, ulNumEntriesRemoved=0x19fa78, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa94, ulNumEntriesRemoved=0x19fa78) returned 0 [0253.764] SetEvent (hEvent=0x3f8) returned 1 [0253.765] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.766] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.766] WriteFile (in: hFile=0x458, lpBuffer=0x12db0000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12db0000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.768] CloseHandle (hObject=0x458) returned 1 [0253.768] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.769] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.769] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.769] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.769] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.769] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.770] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.770] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.771] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.771] WriteFile (in: hFile=0x458, lpBuffer=0x12db1300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12db1300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.773] CloseHandle (hObject=0x458) returned 1 [0253.773] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.773] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.773] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.774] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.774] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.774] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.774] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.774] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.774] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.776] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.776] WriteFile (in: hFile=0x458, lpBuffer=0x12db2600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12db2600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.777] CloseHandle (hObject=0x458) returned 1 [0253.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.778] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.778] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0253.779] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.779] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.779] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0253.779] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.779] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.779] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.780] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.780] WriteFile (in: hFile=0x458, lpBuffer=0x12db3900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12db3900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.782] CloseHandle (hObject=0x458) returned 1 [0253.782] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.790] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.791] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0253.791] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.791] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.791] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0253.791] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.791] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.792] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.793] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.793] WriteFile (in: hFile=0x458, lpBuffer=0x129da000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x129da000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.794] CloseHandle (hObject=0x458) returned 1 [0253.795] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f19b08, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f19b08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.795] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.795] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f19b08, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f19b08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.796] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f19b08, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f19b08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.796] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.796] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.796] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.798] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.798] WriteFile (in: hFile=0x458, lpBuffer=0x129db300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x129db300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.800] CloseHandle (hObject=0x458) returned 1 [0253.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.804] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.804] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.805] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.805] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a2120ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0253.805] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.805] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.805] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.805] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.805] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.807] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.807] WriteFile (in: hFile=0x458, lpBuffer=0x129dc600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x129dc600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.808] CloseHandle (hObject=0x458) returned 1 [0253.809] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a2120ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a2120ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.809] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.809] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a2120ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0253.818] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a2120ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.818] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a803aaf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a803aaf, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0253.818] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2a1752a1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a1752a1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a1752a1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0253.818] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2a1752a1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a1752a1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a1752a1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0253.818] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.818] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0253.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.823] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.823] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.824] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.824] WriteFile (in: hFile=0x458, lpBuffer=0x129dd900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x129dd900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.826] CloseHandle (hObject=0x458) returned 1 [0253.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a803aaf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a803aaf, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0253.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2a1752a1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a1752a1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a1752a1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0253.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2a1752a1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a1752a1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a1752a1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f21066, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f21066, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f21066, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.828] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f21066, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f21066, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f21066, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.828] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f21066, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f21066, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f21066, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.828] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.828] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.828] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.828] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.829] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.830] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.830] WriteFile (in: hFile=0x458, lpBuffer=0x129dec00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x129dec00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.831] CloseHandle (hObject=0x458) returned 1 [0253.831] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.832] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.832] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.832] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.833] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0253.833] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0253.833] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.833] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.833] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.833] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.833] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.834] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.834] WriteFile (in: hFile=0x458, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.836] CloseHandle (hObject=0x458) returned 1 [0253.836] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.836] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0253.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.837] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0253.837] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845d40 | out: pbBuffer=0x12845d40) returned 1 [0253.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9210 | out: pbBuffer=0x128e9210) returned 1 [0253.838] ReadFile (in: hFile=0x458, lpBuffer=0x12aa6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa6000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0253.838] CloseHandle (hObject=0x458) returned 1 [0253.838] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.839] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0253.839] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0253.839] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845d60 | out: pbBuffer=0x12845d60) returned 1 [0253.839] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9220 | out: pbBuffer=0x128e9220) returned 1 [0253.839] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x2000, lpOverlapped=0x0) returned 1 [0253.850] GetFileType (hFile=0x458) returned 0x1 [0253.850] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0253.850] WriteFile (in: hFile=0x458, lpBuffer=0x12b0a000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b0a000*, lpNumberOfBytesWritten=0x1282fd00*=0x2000, lpOverlapped=0x1282fd0c) returned 1 [0253.851] GetFileType (hFile=0x458) returned 0x1 [0253.851] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0253.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0253.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0253.852] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0253.852] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e92d8 | out: pbBuffer=0x128e92d8) returned 1 [0253.852] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.852] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0253.852] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0253.853] CloseHandle (hObject=0x44c) returned 1 [0253.853] CloseHandle (hObject=0x458) returned 1 [0253.853] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e92f0 | out: pbBuffer=0x128e92f0) returned 1 [0253.853] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[47833524517906D8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[47833524517906d8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.015] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0254.151] SetEvent (hEvent=0x420) returned 1 [0254.151] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.152] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0254.153] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.153] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88020 | out: pbBuffer=0x12b88020) returned 1 [0254.153] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340a0 | out: pbBuffer=0x12c340a0) returned 1 [0254.153] ReadFile (in: hFile=0x44c, lpBuffer=0x12d14000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d14000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0254.153] CloseHandle (hObject=0x44c) returned 1 [0254.153] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.154] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0254.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88040 | out: pbBuffer=0x12b88040) returned 1 [0254.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0254.155] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0254.159] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa94, ulCount=0x10, ulNumEntriesRemoved=0x19fa78, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa94, ulNumEntriesRemoved=0x19fa78) returned 0 [0254.160] SetEvent (hEvent=0x110) returned 1 [0254.160] SetEvent (hEvent=0x420) returned 1 [0254.160] ReadFile (in: hFile=0x44c, lpBuffer=0x12d34000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d34000*, lpNumberOfBytesRead=0x12855d1c*=0x2000, lpOverlapped=0x0) returned 1 [0254.166] GetFileType (hFile=0x44c) returned 0x1 [0254.166] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0254.166] WriteFile (in: hFile=0x44c, lpBuffer=0x12d54000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12d54000*, lpNumberOfBytesWritten=0x12855d00*=0x2000, lpOverlapped=0x12855d0c) returned 1 [0254.167] GetFileType (hFile=0x44c) returned 0x1 [0254.167] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0254.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0254.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0254.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0254.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34168 | out: pbBuffer=0x12c34168) returned 1 [0254.183] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0254.183] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0254.183] WriteFile (in: hFile=0x450, lpBuffer=0x12b18000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b18000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0254.184] CloseHandle (hObject=0x450) returned 1 [0254.184] CloseHandle (hObject=0x44c) returned 1 [0254.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34180 | out: pbBuffer=0x12c34180) returned 1 [0254.184] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[17A0E9634E9CEB66]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[17a0e9634e9ceb66]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.249] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0254.256] SetEvent (hEvent=0x19c) returned 1 [0254.256] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0254.263] SetEvent (hEvent=0x19c) returned 1 [0254.263] SetEvent (hEvent=0x1d0) returned 1 [0254.263] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.263] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0254.263] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0254.263] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e79c89b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e79c89b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e79c89b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0254.263] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e7503f8, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e7503f8, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0254.263] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0d99c3, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0254.264] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0254.264] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7c2b0c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0254.264] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e80efb1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e80efb1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e80efb1, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0254.264] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0254.264] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.264] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0254.265] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.267] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.267] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.268] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0254.268] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0254.270] CloseHandle (hObject=0x42c) returned 1 [0254.270] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.279] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.279] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.284] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.285] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0254.285] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0254.285] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0254.285] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0254.285] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.285] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.286] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.288] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.288] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.290] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.290] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.292] CloseHandle (hObject=0x3e4) returned 1 [0254.292] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.296] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.296] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0254.297] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.297] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.297] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0254.297] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.299] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.299] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.302] CloseHandle (hObject=0x3e4) returned 1 [0254.302] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.302] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.303] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0254.303] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.303] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.303] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0254.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.303] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.304] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.305] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.305] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.307] CloseHandle (hObject=0x3e4) returned 1 [0254.308] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.308] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0254.308] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.308] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.309] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0254.309] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.309] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.309] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.311] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.311] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.313] CloseHandle (hObject=0x3e4) returned 1 [0254.313] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.313] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.313] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0254.313] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.314] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.314] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0254.314] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.314] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.314] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.315] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.315] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.317] CloseHandle (hObject=0x3e4) returned 1 [0254.317] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.317] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.317] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0254.317] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.318] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.318] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0254.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.318] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.318] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.319] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.319] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.320] CloseHandle (hObject=0x3e4) returned 1 [0254.321] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e79c89b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e79c89b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e79c89b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.329] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.332] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e79c89b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e79c89b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e79c89b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.332] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e79c89b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e79c89b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e79c89b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.332] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.332] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.333] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.333] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.334] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.334] WriteFile (in: hFile=0x3e4, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.337] CloseHandle (hObject=0x3e4) returned 1 [0254.337] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e7503f8, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e7503f8, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.337] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.337] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e7503f8, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e7503f8, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0254.337] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e7503f8, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e7503f8, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.338] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.338] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0254.338] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.338] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.338] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.339] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.339] WriteFile (in: hFile=0x3e4, lpBuffer=0x12859300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12859300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.341] CloseHandle (hObject=0x3e4) returned 1 [0254.341] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0d99c3, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.342] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.342] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0d99c3, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0254.343] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0d99c3, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.344] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0254.344] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.344] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0254.344] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.349] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.349] WriteFile (in: hFile=0x3e4, lpBuffer=0x1285a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.351] CloseHandle (hObject=0x3e4) returned 1 [0254.351] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.354] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.354] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0254.358] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.358] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f1e4a00, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f1e4a00, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0254.358] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4f0ffcee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0254.358] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4f0ffcee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0254.358] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.358] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0254.360] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.361] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.361] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.362] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.362] WriteFile (in: hFile=0x3e4, lpBuffer=0x1285b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1285b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.363] CloseHandle (hObject=0x3e4) returned 1 [0254.363] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f1e4a00, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f1e4a00, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.364] SetEvent (hEvent=0x19c) returned 1 [0254.364] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4f0ffcee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.364] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4f0ffcee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.364] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.364] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.364] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0254.365] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.365] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.365] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0254.365] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.365] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.365] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.367] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.368] WriteFile (in: hFile=0x3e4, lpBuffer=0x1285cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.369] CloseHandle (hObject=0x3e4) returned 1 [0254.369] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7c2b0c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x91215d9d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91215d9d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.369] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.370] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7c2b0c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91215d9d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0254.385] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7c2b0c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91215d9d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.386] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0254.386] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x916b486a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x916b486a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0254.386] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91131126, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91131126, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91131126, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0254.386] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9115737d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9115737d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9115737d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0254.386] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.386] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0254.387] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.388] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.388] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.390] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.390] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a68000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a68000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.507] CloseHandle (hObject=0x3e4) returned 1 [0254.507] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.507] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x916b486a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x916b486a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.508] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91131126, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91131126, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91131126, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.508] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9115737d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9115737d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9115737d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.508] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.509] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0254.509] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91131126, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91131126, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91131126, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.509] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129283c0 | out: pbBuffer=0x129283c0) returned 1 [0254.509] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a270 | out: pbBuffer=0x12a9a270) returned 1 [0254.509] ReadFile (in: hFile=0x3e4, lpBuffer=0x12d5c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d5c000*, lpNumberOfBytesRead=0x12855d1c*=0x2000, lpOverlapped=0x0) returned 1 [0254.555] GetFileType (hFile=0x3e4) returned 0x1 [0254.556] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0254.556] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x12855d00*=0x2000, lpOverlapped=0x12855d0c) returned 1 [0254.556] GetFileType (hFile=0x3e4) returned 0x1 [0254.556] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0254.556] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd181 | out: pbBuffer=0x12afd181) returned 1 [0254.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd281 | out: pbBuffer=0x12afd281) returned 1 [0254.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd381 | out: pbBuffer=0x12afd381) returned 1 [0254.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a328 | out: pbBuffer=0x12a9a328) returned 1 [0254.557] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.557] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0254.557] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0254.558] CloseHandle (hObject=0x458) returned 1 [0254.558] CloseHandle (hObject=0x3e4) returned 1 [0254.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a340 | out: pbBuffer=0x12a9a340) returned 1 [0254.558] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[5A97DCECCA66176A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[5a97dcecca66176a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.559] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0254.665] SetEvent (hEvent=0x1d0) returned 1 [0254.665] SetEvent (hEvent=0x19c) returned 1 [0254.665] SwitchToThread () returned 1 [0254.721] SwitchToThread () returned 1 [0254.726] SetEvent (hEvent=0x1d0) returned 1 [0254.726] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0254.729] SetEvent (hEvent=0x1d0) returned 1 [0254.729] SetEvent (hEvent=0x19c) returned 1 [0254.730] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\callsbackgroundtasklog.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.730] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.etl\\*", lpFindFileData=0x128afa44 | out: lpFindFileData=0x128afa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0254.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0254.730] ReadFile (in: hFile=0x44c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282bd1c*=0x9000, lpOverlapped=0x0) returned 1 [0254.768] GetFileType (hFile=0x44c) returned 0x1 [0254.768] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0254.769] WriteFile (in: hFile=0x44c, lpBuffer=0x12ae8000*, nNumberOfBytesToWrite=0x9000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12ae8000*, lpNumberOfBytesWritten=0x1282bd00*=0x9000, lpOverlapped=0x1282bd0c) returned 1 [0254.769] GetFileType (hFile=0x44c) returned 0x1 [0254.769] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x9000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0254.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0254.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0254.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0254.770] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0254.770] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.770] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0254.770] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0254.770] CloseHandle (hObject=0x458) returned 1 [0254.770] CloseHandle (hObject=0x44c) returned 1 [0254.771] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0254.771] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[CD5F03984E2628AE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[cd5f03984e2628ae]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.772] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.773] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0254.773] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1331ced9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa3bc7451, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xa3bc7451, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0254.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0254.773] ReadFile (in: hFile=0x44c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12851d1c*=0x2000, lpOverlapped=0x0) returned 1 [0254.774] GetFileType (hFile=0x44c) returned 0x1 [0254.775] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0254.775] WriteFile (in: hFile=0x44c, lpBuffer=0x1285a000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x1285a000*, lpNumberOfBytesWritten=0x12851d00*=0x2000, lpOverlapped=0x12851d0c) returned 1 [0254.775] GetFileType (hFile=0x44c) returned 0x1 [0254.775] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0254.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0254.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0254.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0254.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a238 | out: pbBuffer=0x12a9a238) returned 1 [0254.776] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.776] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0254.776] WriteFile (in: hFile=0x458, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0254.776] CloseHandle (hObject=0x458) returned 1 [0254.776] CloseHandle (hObject=0x44c) returned 1 [0254.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a250 | out: pbBuffer=0x12a9a250) returned 1 [0254.777] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[F7653F4EB7905506]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[f7653f4eb7905506]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.778] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0255.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0255.044] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0255.044] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d0eebc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98420 | out: pbBuffer=0x12a98420) returned 1 [0255.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a298 | out: pbBuffer=0x12a9a298) returned 1 [0255.057] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa94, ulCount=0x10, ulNumEntriesRemoved=0x19fa78, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa94, ulNumEntriesRemoved=0x19fa78) returned 0 [0255.057] SetEvent (hEvent=0x40c) returned 1 [0255.057] SetEvent (hEvent=0x420) returned 1 [0255.058] ReadFile (in: hFile=0x44c, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0255.058] CloseHandle (hObject=0x44c) returned 1 [0255.059] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0255.790] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0255.819] SetEvent (hEvent=0x19c) returned 1 [0255.819] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0255.853] GetFileType (hFile=0x3e4) returned 0x1 [0255.853] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0255.853] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a4e000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a4e000*, lpNumberOfBytesWritten=0x12855d00*=0x4000, lpOverlapped=0x12855d0c) returned 1 [0255.854] GetFileType (hFile=0x3e4) returned 0x1 [0255.854] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0255.891] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0255.905] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0255.906] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0255.929] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341d0 | out: pbBuffer=0x12c341d0) returned 1 [0255.943] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0255.944] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0255.944] WriteFile (in: hFile=0x42c, lpBuffer=0x12cf2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12cf2500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0255.944] CloseHandle (hObject=0x42c) returned 1 [0255.944] CloseHandle (hObject=0x3e4) returned 1 [0255.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341e8 | out: pbBuffer=0x12c341e8) returned 1 [0255.945] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[3735E75A8729CFB6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[3735e75a8729cfb6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0255.946] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0256.116] SetEvent (hEvent=0x420) returned 1 [0256.116] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.117] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0256.117] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28fa698, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0256.117] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928200 | out: pbBuffer=0x12928200) returned 1 [0256.117] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34230 | out: pbBuffer=0x12c34230) returned 1 [0256.117] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x1282bd1c*=0x3000, lpOverlapped=0x0) returned 1 [0256.134] GetFileType (hFile=0x42c) returned 0x1 [0256.134] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0256.135] WriteFile (in: hFile=0x42c, lpBuffer=0x12ac5000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12ac5000*, lpNumberOfBytesWritten=0x1282bd00*=0x3000, lpOverlapped=0x1282bd0c) returned 1 [0256.135] GetFileType (hFile=0x42c) returned 0x1 [0256.135] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0256.135] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0256.135] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0256.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab01 | out: pbBuffer=0x1286ab01) returned 1 [0256.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c342e8 | out: pbBuffer=0x12c342e8) returned 1 [0256.136] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.136] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0256.136] WriteFile (in: hFile=0x458, lpBuffer=0x12cf2a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12cf2a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0256.137] CloseHandle (hObject=0x458) returned 1 [0256.137] CloseHandle (hObject=0x42c) returned 1 [0256.137] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34300 | out: pbBuffer=0x12c34300) returned 1 [0256.137] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[8752AD2A26614511]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[8752ad2a26614511]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0256.139] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.139] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0256.139] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.140] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.140] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0256.140] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.141] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.142] WriteFile (in: hFile=0x42c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.143] CloseHandle (hObject=0x42c) returned 1 [0256.144] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.144] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.144] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0256.144] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.144] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.144] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0256.145] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.146] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.146] WriteFile (in: hFile=0x42c, lpBuffer=0x12b11300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b11300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.147] CloseHandle (hObject=0x42c) returned 1 [0256.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.296] SetEvent (hEvent=0x110) returned 1 [0256.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.297] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.315] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.315] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0256.315] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0256.315] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6259a316, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6259a316, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6259a316, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0256.315] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0256.315] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0256.315] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0256.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62658fa1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0256.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0256.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62574156, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62574156, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62574156, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0256.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.316] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.319] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.319] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.321] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0256.321] WriteFile (in: hFile=0x458, lpBuffer=0x12aea000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12aea000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0256.322] CloseHandle (hObject=0x458) returned 1 [0256.322] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.331] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.331] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0256.336] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.336] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0256.336] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0256.337] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0256.337] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0256.337] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.337] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0256.338] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.340] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.340] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.342] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.342] WriteFile (in: hFile=0x42c, lpBuffer=0x12aeb300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12aeb300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.343] CloseHandle (hObject=0x42c) returned 1 [0256.344] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.345] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.345] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0256.345] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.345] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.346] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0256.346] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.346] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.346] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.347] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0256.347] WriteFile (in: hFile=0x42c, lpBuffer=0x12aec600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12aec600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0256.349] CloseHandle (hObject=0x42c) returned 1 [0256.349] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.353] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0256.353] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.353] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.353] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0256.353] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.354] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.354] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0256.354] WriteFile (in: hFile=0x42c, lpBuffer=0x12aed900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12aed900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0256.356] CloseHandle (hObject=0x42c) returned 1 [0256.356] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.357] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.357] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.357] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.357] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.357] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.357] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.357] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.358] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.359] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0256.359] WriteFile (in: hFile=0x42c, lpBuffer=0x12aeec00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12aeec00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0256.361] CloseHandle (hObject=0x42c) returned 1 [0256.361] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.361] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.361] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.361] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.361] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.361] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.362] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.362] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.362] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.364] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0256.364] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0256.366] CloseHandle (hObject=0x42c) returned 1 [0256.366] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.366] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.367] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.367] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.367] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.367] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.367] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.368] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.369] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.398] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.398] WriteFile (in: hFile=0x42c, lpBuffer=0x12a59300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a59300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.400] CloseHandle (hObject=0x42c) returned 1 [0256.400] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6259a316, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6259a316, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6259a316, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.403] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.403] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6259a316, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6259a316, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6259a316, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.403] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6259a316, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6259a316, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6259a316, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.403] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.403] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.403] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.404] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.404] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.405] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.405] WriteFile (in: hFile=0x42c, lpBuffer=0x12a5a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a5a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.412] CloseHandle (hObject=0x42c) returned 1 [0256.412] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.412] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.412] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0256.413] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.413] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.413] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0256.413] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.414] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.414] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.418] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.418] WriteFile (in: hFile=0x42c, lpBuffer=0x12a5b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a5b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.420] CloseHandle (hObject=0x42c) returned 1 [0256.420] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.420] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.420] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0256.420] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.420] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0256.420] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.421] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0256.449] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.450] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.450] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.451] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.451] WriteFile (in: hFile=0x42c, lpBuffer=0x12a5cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a5cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.453] CloseHandle (hObject=0x42c) returned 1 [0256.453] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.453] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.453] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0256.456] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.456] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6289529c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6289529c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0256.456] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0256.456] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0256.456] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.457] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0256.458] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.459] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.459] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.462] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0256.462] WriteFile (in: hFile=0x42c, lpBuffer=0x12a62000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a62000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0256.464] CloseHandle (hObject=0x42c) returned 1 [0256.464] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6289529c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6289529c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0256.465] SetEvent (hEvent=0x19c) returned 1 [0256.465] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0256.466] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.466] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.466] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0256.467] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.467] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.467] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0256.467] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.468] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.468] WriteFile (in: hFile=0x42c, lpBuffer=0x12a63300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a63300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.470] CloseHandle (hObject=0x42c) returned 1 [0256.470] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62658fa1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x91e019c3, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91e019c3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.471] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.471] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62658fa1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91e019c3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.480] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62658fa1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91e019c3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.480] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6273dda0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6273dda0, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6273dda0, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0256.480] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9246a026, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9246a026, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0256.480] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91cf695a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91cf695a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91cf695a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0256.480] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91cf695a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91cf695a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91cf695a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0256.480] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.481] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.482] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.483] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.483] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.485] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.485] WriteFile (in: hFile=0x42c, lpBuffer=0x12a64600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a64600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.486] CloseHandle (hObject=0x42c) returned 1 [0256.486] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6273dda0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6273dda0, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6273dda0, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.488] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9246a026, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9246a026, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0256.488] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.489] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0256.489] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6273dda0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6273dda0, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6273dda0, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.489] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f860 | out: pbBuffer=0x1280f860) returned 1 [0256.489] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849b90 | out: pbBuffer=0x12849b90) returned 1 [0256.490] ReadFile (in: hFile=0x42c, lpBuffer=0x12d58000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d58000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0256.490] CloseHandle (hObject=0x42c) returned 1 [0256.490] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0256.491] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0256.491] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9246a026, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9246a026, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0256.491] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f880 | out: pbBuffer=0x1280f880) returned 1 [0256.492] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ba0 | out: pbBuffer=0x12849ba0) returned 1 [0256.494] ReadFile (in: hFile=0x42c, lpBuffer=0x12d98000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d98000*, lpNumberOfBytesRead=0x12855d1c*=0x2000, lpOverlapped=0x0) returned 1 [0256.506] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0256.526] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0256.539] SetEvent (hEvent=0x40c) returned 1 [0256.539] SetEvent (hEvent=0x3f4) returned 1 [0256.539] GetFileType (hFile=0x458) returned 0x1 [0256.539] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x128afce4 | out: lpNewFilePointer=0x0) returned 1 [0256.539] WriteFile (in: hFile=0x458, lpBuffer=0x12a6e000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x128afd00, lpOverlapped=0x128afd0c | out: lpBuffer=0x12a6e000*, lpNumberOfBytesWritten=0x128afd00*=0x4000, lpOverlapped=0x128afd0c) returned 1 [0256.540] GetFileType (hFile=0x458) returned 0x1 [0256.540] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x128afce4 | out: lpNewFilePointer=0x0) returned 1 [0256.540] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0256.540] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0256.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0256.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0256.541] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.541] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0256.541] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a7e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x128afd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a7e000*, lpNumberOfBytesWritten=0x128afd0c*=0x276, lpOverlapped=0x0) returned 1 [0256.542] CloseHandle (hObject=0x3e4) returned 1 [0256.542] CloseHandle (hObject=0x458) returned 1 [0256.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340c8 | out: pbBuffer=0x12c340c8) returned 1 [0256.543] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[3A85D1D02B8A0E19]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[3a85d1d02b8a0e19]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0256.544] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.545] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0256.545] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128afad0 | out: lpFileInformation=0x128afad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91cf695a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91cf695a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91cf695a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129281e0 | out: pbBuffer=0x129281e0) returned 1 [0256.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34110 | out: pbBuffer=0x12c34110) returned 1 [0256.546] ReadFile (in: hFile=0x458, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128afd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x128afd1c*=0x0, lpOverlapped=0x0) returned 1 [0256.546] CloseHandle (hObject=0x458) returned 1 [0256.546] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.546] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.546] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.547] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.547] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.547] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.547] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.547] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.547] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.548] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.548] WriteFile (in: hFile=0x458, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.550] CloseHandle (hObject=0x458) returned 1 [0256.550] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62574156, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62574156, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62574156, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.550] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.550] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62574156, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62574156, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62574156, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.550] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62574156, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62574156, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62574156, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.550] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.551] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.551] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.551] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.551] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.552] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.552] WriteFile (in: hFile=0x458, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.553] CloseHandle (hObject=0x458) returned 1 [0256.554] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41ae4c9, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0256.554] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.554] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41ae4c9, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41ae4c9, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4ed334a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf51ce46c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf51ce46c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4327b09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4327b09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4327b09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4201430, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41af75f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af1c04d, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41bbad4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf41bbad4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf41bbad4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4213a66, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426a58a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x26a02595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf426419d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426419d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf426419d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41c9135, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0256.555] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.555] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.556] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.557] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0256.557] WriteFile (in: hFile=0x458, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0256.559] CloseHandle (hObject=0x458) returned 1 [0256.559] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4ed334a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf51ce46c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf51ce46c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0256.559] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.559] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4ed334a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf51ce46c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf51ce46c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0256.560] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4ed334a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf51ce46c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf51ce46c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.560] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x561d9295, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x561d9295, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0256.560] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf5050aa1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0256.560] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0256.560] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0256.560] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.560] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0256.560] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.560] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.560] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.561] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.561] WriteFile (in: hFile=0x458, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.564] CloseHandle (hObject=0x458) returned 1 [0256.564] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x561d9295, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x561d9295, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0256.564] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.565] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x561d9295, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x561d9295, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x561d9295, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x561d9295, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1cf55339, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1cf55339, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1cf55339, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0256.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x561d9295, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x561d9295, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x561d9295, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FAXM6P1O", cAlternateFileName="")) returned 1 [0256.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.567] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.568] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.569] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.569] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.570] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0256.570] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0256.572] CloseHandle (hObject=0x458) returned 1 [0256.572] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x561d9295, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x561da63b, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x561da63b, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.572] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.572] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x561d9295, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x561d9295, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x561da63b, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.574] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x561d9295, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x561d9295, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x561da63b, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.574] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x561da63b, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x561da63b, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x56328ebf, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x17414, dwReserved0=0x0, dwReserved1=0x0, cFileName="15_10.0.0[1].json", cAlternateFileName="15_100~1.JSO")) returned 1 [0256.574] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.574] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.574] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.574] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.574] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.575] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0256.575] WriteFile (in: hFile=0x458, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0256.576] CloseHandle (hObject=0x458) returned 1 [0256.695] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\15_10.0.0[1].json"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x561da63b, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x561da63b, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x56328ebf, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x17414)) returned 1 [0257.091] SetEvent (hEvent=0x3f4) returned 1 [0257.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\15_10.0.0[1].json"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0257.222] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0257.223] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\15_10.0.0[1].json"), fInfoLevelId=0x0, lpFileInformation=0x128afad0 | out: lpFileInformation=0x128afad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x561da63b, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x561da63b, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x56328ebf, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x17414)) returned 1 [0257.223] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928280 | out: pbBuffer=0x12928280) returned 1 [0257.223] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c346b0 | out: pbBuffer=0x12c346b0) returned 1 [0257.223] ReadFile (in: hFile=0x458, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128afd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x128afd1c*=0x17414, lpOverlapped=0x0) returned 1 [0257.311] GetFileType (hFile=0x458) returned 0x1 [0257.311] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x128afce4 | out: lpNewFilePointer=0x0) returned 1 [0257.311] WriteFile (in: hFile=0x458, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x17414, lpNumberOfBytesWritten=0x128afd00, lpOverlapped=0x128afd0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x128afd00*=0x17414, lpOverlapped=0x128afd0c) returned 1 [0257.312] GetFileType (hFile=0x458) returned 0x1 [0257.312] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x17414, lpNewFilePointer=0x0, dwMoveMethod=0x128afce4 | out: lpNewFilePointer=0x0) returned 1 [0258.098] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0258.214] WriteFile (in: hFile=0x42c, lpBuffer=0x12a59300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a59300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0258.216] CloseHandle (hObject=0x42c) returned 1 [0258.216] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage-ecs.data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\offline-storage-ecs.data"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x6af0efc0, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x200818)) returned 1 [0258.230] SetEvent (hEvent=0x40c) returned 1 [0258.230] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0259.399] SetEvent (hEvent=0x420) returned 1 [0259.399] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0262.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.062] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0262.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e315496, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e315496, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e315496, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.062] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b896a0 | out: pbBuffer=0x12b896a0) returned 1 [0262.062] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811290 | out: pbBuffer=0x12811290) returned 1 [0262.063] ReadFile (in: hFile=0x458, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12853d1c*=0x0, lpOverlapped=0x0) returned 1 [0262.063] CloseHandle (hObject=0x458) returned 1 [0262.063] SetEvent (hEvent=0x420) returned 1 [0262.063] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0267.791] SetEvent (hEvent=0x19c) returned 1 [0267.791] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0267.793] SetEvent (hEvent=0x19c) returned 1 [0267.793] SetEvent (hEvent=0xfc) returned 1 [0267.793] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0267.802] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0267.818] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0267.838] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0267.894] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0267.920] SetEvent (hEvent=0xfc) returned 1 [0267.920] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rqFpkxvRIQQ_.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rqfpkxvriqq_.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13015f10, ftCreationTime.dwHighDateTime=0x1d825cd, ftLastAccessTime.dwLowDateTime=0x9d4afa70, ftLastAccessTime.dwHighDateTime=0x1d82760, ftLastWriteTime.dwLowDateTime=0x9d4afa70, ftLastWriteTime.dwHighDateTime=0x1d82760, nFileSizeHigh=0x0, nFileSizeLow=0x1fc4)) returned 1 [0268.361] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0268.417] SwitchToThread () returned 1 [0268.492] SetEvent (hEvent=0xfc) returned 1 [0268.492] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0268.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rqFpkxvRIQQ_.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rqfpkxvriqq_.wav"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13015f10, ftCreationTime.dwHighDateTime=0x1d825cd, ftLastAccessTime.dwLowDateTime=0x9d4afa70, ftLastAccessTime.dwHighDateTime=0x1d82760, ftLastWriteTime.dwLowDateTime=0x9d4afa70, ftLastWriteTime.dwHighDateTime=0x1d82760, nFileSizeHigh=0x0, nFileSizeLow=0x1fc4)) returned 1 [0268.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928200 | out: pbBuffer=0x12928200) returned 1 [0268.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849300 | out: pbBuffer=0x12849300) returned 1 [0268.502] ReadFile (in: hFile=0x450, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12853d1c*=0x1fc4, lpOverlapped=0x0) returned 1 [0268.520] GetFileType (hFile=0x450) returned 0x1 [0268.520] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0268.520] WriteFile (in: hFile=0x450, lpBuffer=0x12922000*, nNumberOfBytesToWrite=0x1fc4, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12922000*, lpNumberOfBytesWritten=0x12853d00*=0x1fc4, lpOverlapped=0x12853d0c) returned 1 [0268.520] GetFileType (hFile=0x450) returned 0x1 [0268.520] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x1fc4, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.318] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0269.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0269.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0269.715] SetEvent (hEvent=0x1b8) returned 1 [0269.715] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0269.757] SetEvent (hEvent=0x40c) returned 1 [0269.758] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849418 | out: pbBuffer=0x12849418) returned 1 [0269.758] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ujzi_c.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ujzi_c.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0269.758] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0269.758] WriteFile (in: hFile=0x44c, lpBuffer=0x12c32500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0269.759] CloseHandle (hObject=0x44c) returned 1 [0269.759] CloseHandle (hObject=0x458) returned 1 [0269.759] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849450 | out: pbBuffer=0x12849450) returned 1 [0269.759] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ujzi_c.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ujzi_c.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[F41C9008A46B7CBE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[f41c9008a46b7cbe]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128494a8 | out: pbBuffer=0x128494a8) returned 1 [0269.762] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\txpRRLn2D.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\txprrln2d.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0269.762] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0269.762] WriteFile (in: hFile=0x458, lpBuffer=0x12c32a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0269.762] CloseHandle (hObject=0x458) returned 1 [0269.763] CloseHandle (hObject=0x42c) returned 1 [0269.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128494f0 | out: pbBuffer=0x128494f0) returned 1 [0269.765] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\txpRRLn2D.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\txprrln2d.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[770A072F5AB3BB07]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[770a072f5ab3bb07]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.766] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849548 | out: pbBuffer=0x12849548) returned 1 [0269.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rqFpkxvRIQQ_.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rqfpkxvriqq_.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0269.767] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0269.767] WriteFile (in: hFile=0x42c, lpBuffer=0x12c32f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0269.773] CloseHandle (hObject=0x42c) returned 1 [0269.773] CloseHandle (hObject=0x450) returned 1 [0269.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849570 | out: pbBuffer=0x12849570) returned 1 [0269.773] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rqFpkxvRIQQ_.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rqfpkxvriqq_.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[6CF9005282E88B5F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[6cf9005282e88b5f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.775] SwitchToThread () returned 1 [0269.776] SetEvent (hEvent=0x1b8) returned 1 [0269.777] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0269.862] SetEvent (hEvent=0x104) returned 1 [0269.862] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wOMfc5SjGAE a.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\womfc5sjgae a.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0269.863] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0269.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wOMfc5SjGAE a.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\womfc5sjgae a.pps"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79d99f20, ftCreationTime.dwHighDateTime=0x1d819e5, ftLastAccessTime.dwLowDateTime=0x143f4a40, ftLastAccessTime.dwHighDateTime=0x1d824f1, ftLastWriteTime.dwLowDateTime=0x143f4a40, ftLastWriteTime.dwHighDateTime=0x1d824f1, nFileSizeHigh=0x0, nFileSizeLow=0x1fbd)) returned 1 [0269.863] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0269.863] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0269.864] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12829d1c*=0x1fbd, lpOverlapped=0x0) returned 1 [0269.865] GetFileType (hFile=0x44c) returned 0x1 [0269.865] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.865] WriteFile (in: hFile=0x44c, lpBuffer=0x12a9e000*, nNumberOfBytesToWrite=0x1fbd, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a9e000*, lpNumberOfBytesWritten=0x12829d00*=0x1fbd, lpOverlapped=0x12829d0c) returned 1 [0269.866] GetFileType (hFile=0x44c) returned 0x1 [0269.866] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1fbd, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0269.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0269.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0269.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0269.867] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wOMfc5SjGAE a.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\womfc5sjgae a.pps"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0269.867] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0269.867] WriteFile (in: hFile=0x45c, lpBuffer=0x12da4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12da4000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0269.867] CloseHandle (hObject=0x45c) returned 1 [0269.868] CloseHandle (hObject=0x44c) returned 1 [0269.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0269.868] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wOMfc5SjGAE a.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\womfc5sjgae a.pps"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[ED0BED838411E55B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[ed0bed838411e55b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.869] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0269.870] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0269.870] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00001.jrs"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40ab0ffe, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0269.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0269.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8480 | out: pbBuffer=0x128e8480) returned 1 [0269.871] ReadFile (in: hFile=0x44c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0269.878] GetFileType (hFile=0x44c) returned 0x1 [0269.878] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.879] WriteFile (in: hFile=0x44c, lpBuffer=0x12bca000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12bca000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0269.880] GetFileType (hFile=0x44c) returned 0x1 [0269.880] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0269.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0269.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0269.881] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8538 | out: pbBuffer=0x128e8538) returned 1 [0269.881] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00001.jrs"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0269.881] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0269.881] WriteFile (in: hFile=0x45c, lpBuffer=0x12da4a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12da4a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.004] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0270.143] CloseHandle (hObject=0x45c) returned 1 [0270.143] CloseHandle (hObject=0x44c) returned 1 [0270.143] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0270.620] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.621] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0270.621] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x81bb7e44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bccb9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5e3)) returned 1 [0270.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0270.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0270.623] ReadFile (in: hFile=0x460, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12853d1c*=0x5e3, lpOverlapped=0x0) returned 1 [0270.640] GetFileType (hFile=0x460) returned 0x1 [0270.640] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.640] WriteFile (in: hFile=0x460, lpBuffer=0x1285c000*, nNumberOfBytesToWrite=0x5e3, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x1285c000*, lpNumberOfBytesWritten=0x12853d00*=0x5e3, lpOverlapped=0x12853d0c) returned 1 [0270.694] GetFileType (hFile=0x460) returned 0x1 [0270.694] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x5e3, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0270.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0270.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0270.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9488 | out: pbBuffer=0x128e9488) returned 1 [0270.696] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.696] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0270.696] WriteFile (in: hFile=0x45c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.720] CloseHandle (hObject=0x45c) returned 1 [0270.720] CloseHandle (hObject=0x460) returned 1 [0270.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e95a8 | out: pbBuffer=0x128e95a8) returned 1 [0270.731] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\#_THIS_FILE_IS_ENCRYPTED_[337195BDA1DF769C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\#_this_file_is_encrypted_[337195bda1df769c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0271.224] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LDiB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ldib.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0271.225] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0271.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LDiB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ldib.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa068a40, ftCreationTime.dwHighDateTime=0x1d8274c, ftLastAccessTime.dwLowDateTime=0x1724d570, ftLastAccessTime.dwHighDateTime=0x1d829bc, ftLastWriteTime.dwLowDateTime=0x1724d570, ftLastWriteTime.dwHighDateTime=0x1d829bc, nFileSizeHigh=0x0, nFileSizeLow=0x78a0)) returned 1 [0271.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845c60 | out: pbBuffer=0x12845c60) returned 1 [0271.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34cb0 | out: pbBuffer=0x12c34cb0) returned 1 [0271.226] ReadFile (in: hFile=0x42c, lpBuffer=0x12d4a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d4a000*, lpNumberOfBytesRead=0x12853d1c*=0x78a0, lpOverlapped=0x0) returned 1 [0271.227] GetFileType (hFile=0x42c) returned 0x1 [0271.228] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0271.228] WriteFile (in: hFile=0x42c, lpBuffer=0x12d8a000*, nNumberOfBytesToWrite=0x78a0, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12d8a000*, lpNumberOfBytesWritten=0x12853d00*=0x78a0, lpOverlapped=0x12853d0c) returned 1 [0271.228] GetFileType (hFile=0x42c) returned 0x1 [0271.228] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x78a0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0271.228] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b181 | out: pbBuffer=0x1286b181) returned 1 [0271.228] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b281 | out: pbBuffer=0x1286b281) returned 1 [0271.229] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b381 | out: pbBuffer=0x1286b381) returned 1 [0271.229] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34d68 | out: pbBuffer=0x12c34d68) returned 1 [0271.229] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LDiB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ldib.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0271.229] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0271.229] WriteFile (in: hFile=0x458, lpBuffer=0x12ada000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ada000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0271.229] CloseHandle (hObject=0x458) returned 1 [0271.245] CloseHandle (hObject=0x42c) returned 1 [0271.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848060 | out: pbBuffer=0x12848060) returned 1 [0271.260] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LDiB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ldib.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[B8FB2414FE62EA9A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[b8fb2414fe62ea9a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0271.762] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0271.800] SetEvent (hEvent=0x40c) returned 1 [0271.800] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0271.801] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0271.801] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e9e60e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9e60e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a58ff51, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x51722)) returned 1 [0271.801] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88020 | out: pbBuffer=0x12b88020) returned 1 [0271.801] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848378 | out: pbBuffer=0x12848378) returned 1 [0271.801] ReadFile (in: hFile=0x42c, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12851d1c*=0x20000, lpOverlapped=0x0) returned 1 [0271.933] SetEvent (hEvent=0x110) returned 1 [0271.934] GetFileType (hFile=0x42c) returned 0x1 [0271.934] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0271.934] WriteFile (in: hFile=0x42c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12851d00*=0x20000, lpOverlapped=0x12851d0c) returned 1 [0271.935] GetFileType (hFile=0x42c) returned 0x1 [0271.935] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0271.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0271.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0271.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0271.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340f0 | out: pbBuffer=0x12c340f0) returned 1 [0271.949] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0271.949] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0271.950] WriteFile (in: hFile=0x45c, lpBuffer=0x12ada500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ada500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.196] SetEvent (hEvent=0x110) returned 1 [0272.196] CloseHandle (hObject=0x45c) returned 1 [0272.196] CloseHandle (hObject=0x42c) returned 1 [0272.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848458 | out: pbBuffer=0x12848458) returned 1 [0272.196] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[D4A416B5DB08F199]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[d4a416b5db08f199]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.198] SetEvent (hEvent=0x1d0) returned 1 [0272.198] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.199] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0272.199] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb319b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb319b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d639)) returned 1 [0272.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0272.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484b0 | out: pbBuffer=0x128484b0) returned 1 [0272.199] ReadFile (in: hFile=0x42c, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12851d1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.212] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0272.233] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0272.235] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0272.236] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.236] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb804f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb804f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a7ecfbc, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x45882)) returned 1 [0272.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0272.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0272.237] ReadFile (in: hFile=0x45c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.311] GetFileType (hFile=0x45c) returned 0x1 [0272.311] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.311] WriteFile (in: hFile=0x45c, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0272.312] GetFileType (hFile=0x45c) returned 0x1 [0272.312] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0272.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0272.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0272.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0272.312] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.313] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.313] WriteFile (in: hFile=0x460, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0272.318] CloseHandle (hObject=0x460) returned 1 [0272.318] CloseHandle (hObject=0x45c) returned 1 [0272.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0272.319] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[07F1AB8ED286BECB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[07f1ab8ed286becb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.518] SetEvent (hEvent=0x110) returned 1 [0272.518] SetEvent (hEvent=0x104) returned 1 [0272.518] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0272.520] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.520] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ecb8b4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ecb8b4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3)) returned 1 [0272.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0272.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0272.520] ReadFile (in: hFile=0x45c, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.532] GetFileType (hFile=0x45c) returned 0x1 [0272.532] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.532] WriteFile (in: hFile=0x45c, lpBuffer=0x129b6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x129b6000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0272.533] GetFileType (hFile=0x45c) returned 0x1 [0272.533] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0272.534] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0272.534] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0272.534] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e83e8 | out: pbBuffer=0x128e83e8) returned 1 [0272.534] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0272.534] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.534] WriteFile (in: hFile=0x44c, lpBuffer=0x12c2c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2c500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0272.535] CloseHandle (hObject=0x44c) returned 1 [0272.540] CloseHandle (hObject=0x45c) returned 1 [0272.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8400 | out: pbBuffer=0x128e8400) returned 1 [0272.544] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[A369804C14B75679]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[a369804c14b75679]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.664] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0272.674] SetEvent (hEvent=0x40c) returned 1 [0272.674] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0272.909] SetEvent (hEvent=0x40c) returned 1 [0272.909] SwitchToThread () returned 1 [0272.912] SetEvent (hEvent=0x40c) returned 1 [0272.912] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0272.918] SetEvent (hEvent=0x40c) returned 1 [0272.918] SetEvent (hEvent=0x104) returned 1 [0272.918] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848020 | out: pbBuffer=0x12848020) returned 1 [0272.919] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\#_THIS_FILE_IS_ENCRYPTED_[59A23227536B866C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\#_this_file_is_encrypted_[59a23227536b866c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.921] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80f7a98f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa45e20df, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa45e20df, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.921] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.922] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80f7a98f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa45e20df, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa45e20df, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0272.922] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80f7a98f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa45e20df, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa45e20df, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.922] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80f81d62, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80f81d62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80f83167, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x9362, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSO1033.acl", cAlternateFileName="")) returned 1 [0272.922] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa45e20df, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4689310, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0272.922] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.922] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0272.922] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.922] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.923] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.924] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0272.924] WriteFile (in: hFile=0x460, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0272.925] CloseHandle (hObject=0x460) returned 1 [0272.926] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80f81d62, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80f81d62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80f83167, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x9362)) returned 1 [0272.926] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa45e20df, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa481d59b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.926] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.926] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa45e20df, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0272.927] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa45e20df, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.927] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xa481d59b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa481d59b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0272.927] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4689310, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 1 [0272.927] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.927] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0272.927] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.928] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.928] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.929] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0272.929] WriteFile (in: hFile=0x460, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0272.930] CloseHandle (hObject=0x460) returned 1 [0272.931] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4689310, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4ab)) returned 1 [0272.931] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xa481d59b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa481d59b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1c)) returned 1 [0272.931] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.932] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0272.932] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4689310, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4ab)) returned 1 [0272.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88040 | out: pbBuffer=0x12b88040) returned 1 [0272.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849640 | out: pbBuffer=0x12849640) returned 1 [0272.932] ReadFile (in: hFile=0x460, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a5fd1c*=0x4ab, lpOverlapped=0x0) returned 1 [0272.981] GetFileType (hFile=0x460) returned 0x1 [0272.981] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0272.981] WriteFile (in: hFile=0x460, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x4ab, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a5fd00*=0x4ab, lpOverlapped=0x12a5fd0c) returned 1 [0272.982] GetFileType (hFile=0x460) returned 0x1 [0272.982] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x4ab, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0272.982] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0272.982] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0272.983] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0272.983] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849708 | out: pbBuffer=0x12849708) returned 1 [0272.983] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0272.983] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0272.983] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0272.983] CloseHandle (hObject=0x44c) returned 1 [0272.984] CloseHandle (hObject=0x460) returned 1 [0272.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849720 | out: pbBuffer=0x12849720) returned 1 [0272.984] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\#_THIS_FILE_IS_ENCRYPTED_[95290EE3CC1AF353]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\#_this_file_is_encrypted_[95290ee3cc1af353]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.001] SetEvent (hEvent=0x104) returned 1 [0273.001] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0273.002] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.002] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xa481d59b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa481d59b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1c)) returned 1 [0273.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88240 | out: pbBuffer=0x12b88240) returned 1 [0273.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849778 | out: pbBuffer=0x12849778) returned 1 [0273.002] ReadFile (in: hFile=0x460, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a5fd1c*=0x1c, lpOverlapped=0x0) returned 1 [0273.005] GetFileType (hFile=0x460) returned 0x1 [0273.005] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.005] WriteFile (in: hFile=0x460, lpBuffer=0x12b88260*, nNumberOfBytesToWrite=0x1c, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12b88260*, lpNumberOfBytesWritten=0x12a5fd00*=0x1c, lpOverlapped=0x12a5fd0c) returned 1 [0273.006] GetFileType (hFile=0x460) returned 0x1 [0273.006] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x1c, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.006] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0273.006] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0273.006] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0273.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849890 | out: pbBuffer=0x12849890) returned 1 [0273.007] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.007] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.007] WriteFile (in: hFile=0x44c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.007] CloseHandle (hObject=0x44c) returned 1 [0273.007] CloseHandle (hObject=0x460) returned 1 [0273.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128498a8 | out: pbBuffer=0x128498a8) returned 1 [0273.008] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\#_THIS_FILE_IS_ENCRYPTED_[2D11634C36E00094]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\#_this_file_is_encrypted_[2d11634c36e00094]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.059] SetEvent (hEvent=0x110) returned 1 [0273.059] SetEvent (hEvent=0x104) returned 1 [0273.059] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0273.060] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.060] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6abbe5b6, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6abbe5b6, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6acd6e90, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0xa00)) returned 1 [0273.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0273.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8720 | out: pbBuffer=0x128e8720) returned 1 [0273.061] ReadFile (in: hFile=0x460, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a5fd1c*=0xa00, lpOverlapped=0x0) returned 1 [0273.074] GetFileType (hFile=0x460) returned 0x1 [0273.074] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.074] WriteFile (in: hFile=0x460, lpBuffer=0x12a74a80*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12a74a80*, lpNumberOfBytesWritten=0x12a5fd00*=0xa00, lpOverlapped=0x12a5fd0c) returned 1 [0273.074] GetFileType (hFile=0x460) returned 0x1 [0273.075] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa00, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.075] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834181 | out: pbBuffer=0x12834181) returned 1 [0273.075] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0273.075] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0273.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8a58 | out: pbBuffer=0x128e8a58) returned 1 [0273.089] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.089] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.089] WriteFile (in: hFile=0x44c, lpBuffer=0x12b02000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.089] CloseHandle (hObject=0x44c) returned 1 [0273.098] CloseHandle (hObject=0x460) returned 1 [0273.116] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8a80 | out: pbBuffer=0x128e8a80) returned 1 [0273.116] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\#_THIS_FILE_IS_ENCRYPTED_[BCC3864FA262EE28]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\#_this_file_is_encrypted_[bcc3864fa262ee28]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.197] SetEvent (hEvent=0x104) returned 1 [0273.197] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0273.215] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0273.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.exc" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.exc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0273.345] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.345] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.exc" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.exc"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x566a47fe, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x566a47fe, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x566a47fe, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2)) returned 1 [0273.345] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0273.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34038 | out: pbBuffer=0x12c34038) returned 1 [0273.346] ReadFile (in: hFile=0x45c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12853d1c*=0x2, lpOverlapped=0x0) returned 1 [0273.347] GetFileType (hFile=0x45c) returned 0x1 [0273.347] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.347] WriteFile (in: hFile=0x45c, lpBuffer=0x12c34040*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12c34040*, lpNumberOfBytesWritten=0x12853d00*=0x2, lpOverlapped=0x12853d0c) returned 1 [0273.347] GetFileType (hFile=0x45c) returned 0x1 [0273.348] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x2, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0273.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0273.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0273.349] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34110 | out: pbBuffer=0x12c34110) returned 1 [0273.349] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.exc" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.exc"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0273.349] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.349] WriteFile (in: hFile=0x450, lpBuffer=0x12a94000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.349] CloseHandle (hObject=0x450) returned 1 [0273.367] CloseHandle (hObject=0x45c) returned 1 [0273.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34168 | out: pbBuffer=0x12c34168) returned 1 [0273.403] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.exc" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.exc"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\#_THIS_FILE_IS_ENCRYPTED_[FC44393460FA657E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\#_this_file_is_encrypted_[fc44393460fa657e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.555] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98af6207, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98af6207, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x34091900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x2ef7a4)) returned 1 [0273.556] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x987adf7a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x987adf7a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xea6cfe00, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0xbddaf)) returned 1 [0273.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0273.557] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.557] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98af6207, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98af6207, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x34091900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x2ef7a4)) returned 1 [0273.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928b60 | out: pbBuffer=0x12928b60) returned 1 [0273.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ad0 | out: pbBuffer=0x12848ad0) returned 1 [0273.558] ReadFile (in: hFile=0x458, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0273.581] GetFileType (hFile=0x458) returned 0x1 [0273.581] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.581] WriteFile (in: hFile=0x458, lpBuffer=0x12a16000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a16000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0273.582] GetFileType (hFile=0x458) returned 0x1 [0273.582] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.582] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0273.582] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0273.582] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0273.583] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848be8 | out: pbBuffer=0x12848be8) returned 1 [0273.583] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0273.583] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.583] WriteFile (in: hFile=0x42c, lpBuffer=0x12c22a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.600] CloseHandle (hObject=0x42c) returned 1 [0273.607] CloseHandle (hObject=0x458) returned 1 [0273.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d68 | out: pbBuffer=0x12848d68) returned 1 [0273.613] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[3033EC0563F8DDE8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[3033ec0563f8dde8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.111] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0274.168] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0274.228] SetEvent (hEvent=0xfc) returned 1 [0274.228] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0274.233] SetEvent (hEvent=0x1b8) returned 1 [0274.234] SetEvent (hEvent=0x19c) returned 1 [0274.234] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0274.248] SetEvent (hEvent=0x19c) returned 1 [0274.249] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0274.252] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0274.253] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0274.254] SetEvent (hEvent=0x1b8) returned 1 [0274.254] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0274.261] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0274.660] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0274.662] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0274.663] SetEvent (hEvent=0x19c) returned 1 [0274.663] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0274.666] SetEvent (hEvent=0x19c) returned 1 [0274.666] SetEvent (hEvent=0x3f8) returned 1 [0274.666] SwitchToThread () returned 1 [0274.667] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0274.670] SetEvent (hEvent=0x3f8) returned 1 [0274.670] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0274.671] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0274.671] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98742454, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98742454, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x973bdf00, ftLastWriteTime.dwHighDateTime=0x1d4196d, nFileSizeHigh=0x0, nFileSizeLow=0x10a79d)) returned 1 [0274.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0274.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0274.671] ReadFile (in: hFile=0x458, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.684] GetFileType (hFile=0x458) returned 0x1 [0274.684] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0274.684] WriteFile (in: hFile=0x458, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0274.685] GetFileType (hFile=0x458) returned 0x1 [0274.685] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0274.685] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0274.685] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0274.685] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0274.685] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0274.685] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.686] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0274.686] WriteFile (in: hFile=0x45c, lpBuffer=0x12a94000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0274.693] CloseHandle (hObject=0x45c) returned 1 [0274.697] CloseHandle (hObject=0x458) returned 1 [0274.703] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0274.703] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[B1E99E2B5BD14DAB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[b1e99e2b5bd14dab]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.903] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0274.904] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0274.904] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98403091, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98403091, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98404408, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x23e7)) returned 1 [0274.905] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0274.905] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342e0 | out: pbBuffer=0x12c342e0) returned 1 [0274.905] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12853d1c*=0x23e7, lpOverlapped=0x0) returned 1 [0274.912] GetFileType (hFile=0x458) returned 0x1 [0274.912] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.912] WriteFile (in: hFile=0x458, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x23e7, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12853d00*=0x23e7, lpOverlapped=0x12853d0c) returned 1 [0274.913] GetFileType (hFile=0x458) returned 0x1 [0274.913] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x23e7, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0274.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0274.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0274.914] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c343a8 | out: pbBuffer=0x12c343a8) returned 1 [0274.914] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.914] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0274.914] WriteFile (in: hFile=0x45c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.914] CloseHandle (hObject=0x45c) returned 1 [0274.920] CloseHandle (hObject=0x458) returned 1 [0274.921] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c343f0 | out: pbBuffer=0x12c343f0) returned 1 [0274.921] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[7B1B40B7B412C59D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[7b1b40b7b412c59d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.003] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0275.005] SetEvent (hEvent=0x19c) returned 1 [0275.005] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0275.006] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.007] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9824557b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9824557b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9824557b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x15dc)) returned 1 [0275.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0275.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0275.007] ReadFile (in: hFile=0x458, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x15dc, lpOverlapped=0x0) returned 1 [0275.011] GetFileType (hFile=0x458) returned 0x1 [0275.011] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.011] WriteFile (in: hFile=0x458, lpBuffer=0x12a66000*, nNumberOfBytesToWrite=0x15dc, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a66000*, lpNumberOfBytesWritten=0x12829d00*=0x15dc, lpOverlapped=0x12829d0c) returned 1 [0275.011] GetFileType (hFile=0x458) returned 0x1 [0275.011] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x15dc, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0275.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0275.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0275.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0275.012] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.013] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.013] WriteFile (in: hFile=0x44c, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.013] CloseHandle (hObject=0x44c) returned 1 [0275.019] CloseHandle (hObject=0x458) returned 1 [0275.023] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0275.023] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[159801F73D5D072B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[159801f73d5d072b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.166] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0275.170] SetEvent (hEvent=0x19c) returned 1 [0275.170] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0275.171] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0275.171] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983bfdac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983bfdac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983bfdac, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1930)) returned 1 [0275.171] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e460 | out: pbBuffer=0x1280e460) returned 1 [0275.171] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0275.172] ReadFile (in: hFile=0x458, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x1282bd1c*=0x1930, lpOverlapped=0x0) returned 1 [0275.177] GetFileType (hFile=0x458) returned 0x1 [0275.177] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0275.177] WriteFile (in: hFile=0x458, lpBuffer=0x128f9980*, nNumberOfBytesToWrite=0x1930, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x128f9980*, lpNumberOfBytesWritten=0x1282bd00*=0x1930, lpOverlapped=0x1282bd0c) returned 1 [0275.177] GetFileType (hFile=0x458) returned 0x1 [0275.177] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x1930, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0275.177] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0275.178] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0275.178] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0275.178] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a308 | out: pbBuffer=0x12a9a308) returned 1 [0275.178] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.178] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0275.179] WriteFile (in: hFile=0x44c, lpBuffer=0x12b12500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0275.179] CloseHandle (hObject=0x44c) returned 1 [0275.190] CloseHandle (hObject=0x458) returned 1 [0275.192] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a320 | out: pbBuffer=0x12a9a320) returned 1 [0275.192] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[DD08240B69329AA1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[dd08240b69329aa1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.283] SetEvent (hEvent=0x110) returned 1 [0275.283] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0275.292] SetEvent (hEvent=0x19c) returned 1 [0275.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0275.294] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0275.294] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98ad5311, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98ad5311, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98ad5311, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc03)) returned 1 [0275.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928fa0 | out: pbBuffer=0x12928fa0) returned 1 [0275.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c353d0 | out: pbBuffer=0x12c353d0) returned 1 [0275.294] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0275.297] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa94, ulCount=0x10, ulNumEntriesRemoved=0x19fa78, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa94, ulNumEntriesRemoved=0x19fa78) returned 0 [0275.297] SetEvent (hEvent=0x110) returned 1 [0275.297] SetEvent (hEvent=0x19c) returned 1 [0275.297] ReadFile (in: hFile=0x458, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12a5fd1c*=0xc03, lpOverlapped=0x0) returned 1 [0275.304] GetFileType (hFile=0x458) returned 0x1 [0275.304] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0275.305] WriteFile (in: hFile=0x458, lpBuffer=0x12c16000*, nNumberOfBytesToWrite=0xc03, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12c16000*, lpNumberOfBytesWritten=0x12a5fd00*=0xc03, lpOverlapped=0x12a5fd0c) returned 1 [0275.305] GetFileType (hFile=0x458) returned 0x1 [0275.305] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0xc03, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0275.305] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0275.305] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0275.306] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0275.306] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a410 | out: pbBuffer=0x12a9a410) returned 1 [0275.306] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.306] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0275.306] WriteFile (in: hFile=0x44c, lpBuffer=0x12b12a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12a00*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0275.307] CloseHandle (hObject=0x44c) returned 1 [0275.312] CloseHandle (hObject=0x458) returned 1 [0275.315] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8000 | out: pbBuffer=0x128e8000) returned 1 [0275.315] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[FC3E7FAD495681B3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[fc3e7fad495681b3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.468] SetEvent (hEvent=0x1d0) returned 1 [0275.468] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851221[[fn=harvardanglia2008officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851221[[fn=harvardanglia2008officeonline]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0275.469] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0275.469] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851221[[fn=harvardanglia2008officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851221[[fn=harvardanglia2008officeonline]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983d213f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d213f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d4a29, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x456ff)) returned 1 [0275.470] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b89ca0 | out: pbBuffer=0x12b89ca0) returned 1 [0275.470] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9830 | out: pbBuffer=0x128e9830) returned 1 [0275.470] ReadFile (in: hFile=0x458, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.480] GetFileType (hFile=0x458) returned 0x1 [0275.480] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0275.480] WriteFile (in: hFile=0x458, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0275.481] GetFileType (hFile=0x458) returned 0x1 [0275.481] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0275.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835a81 | out: pbBuffer=0x12835a81) returned 1 [0275.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835b81 | out: pbBuffer=0x12835b81) returned 1 [0275.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835c81 | out: pbBuffer=0x12835c81) returned 1 [0275.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e98e8 | out: pbBuffer=0x128e98e8) returned 1 [0275.482] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851221[[fn=harvardanglia2008officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851221[[fn=harvardanglia2008officeonline]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0275.482] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0275.482] WriteFile (in: hFile=0x460, lpBuffer=0x12a46000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a46000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0275.487] CloseHandle (hObject=0x460) returned 1 [0275.488] CloseHandle (hObject=0x458) returned 1 [0275.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9900 | out: pbBuffer=0x128e9900) returned 1 [0275.493] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851221[[fn=harvardanglia2008officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851221[[fn=harvardanglia2008officeonline]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[896A91DEAAE113B3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[896a91deaae113b3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.534] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0275.536] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851224[[fn=iso690nmerical]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851224[[fn=iso690nmerical]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0275.537] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.537] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851224[[fn=iso690nmerical]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851224[[fn=iso690nmerical]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x977efc44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x977efc44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x977f0f37, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x35031)) returned 1 [0275.537] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0275.537] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0275.538] ReadFile (in: hFile=0x42c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.543] GetFileType (hFile=0x42c) returned 0x1 [0275.543] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.543] WriteFile (in: hFile=0x42c, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0275.543] GetFileType (hFile=0x42c) returned 0x1 [0275.543] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0275.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0275.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0275.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0275.544] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851224[[fn=iso690nmerical]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851224[[fn=iso690nmerical]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.544] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.544] WriteFile (in: hFile=0x44c, lpBuffer=0x12af4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.545] CloseHandle (hObject=0x44c) returned 1 [0275.545] CloseHandle (hObject=0x42c) returned 1 [0275.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0275.545] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851224[[fn=iso690nmerical]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851224[[fn=iso690nmerical]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[A315EC2B3CED1136]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[a315ec2b3ced1136]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.598] SetEvent (hEvent=0x104) returned 1 [0275.598] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm01840907[[fn=equations]].dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0275.599] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.599] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm01840907[[fn=equations]].dotx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980dfb29, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980dfb29, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980e0ec2, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xca72)) returned 1 [0275.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129289e0 | out: pbBuffer=0x129289e0) returned 1 [0275.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34378 | out: pbBuffer=0x12c34378) returned 1 [0275.599] ReadFile (in: hFile=0x42c, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12853d1c*=0xca72, lpOverlapped=0x0) returned 1 [0275.624] GetFileType (hFile=0x42c) returned 0x1 [0275.624] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.624] WriteFile (in: hFile=0x42c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0xca72, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12853d00*=0xca72, lpOverlapped=0x12853d0c) returned 1 [0275.624] GetFileType (hFile=0x42c) returned 0x1 [0275.624] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xca72, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0275.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0275.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0275.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34460 | out: pbBuffer=0x12c34460) returned 1 [0275.625] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm01840907[[fn=equations]].dotx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.625] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.625] WriteFile (in: hFile=0x45c, lpBuffer=0x128aea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x128aea00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.626] CloseHandle (hObject=0x45c) returned 1 [0275.626] CloseHandle (hObject=0x42c) returned 1 [0275.626] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34478 | out: pbBuffer=0x12c34478) returned 1 [0275.626] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm01840907[[fn=equations]].dotx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\#_THIS_FILE_IS_ENCRYPTED_[1BA98916F6B8FEBC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\#_this_file_is_encrypted_[1ba98916f6b8febc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.633] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0275.902] SetEvent (hEvent=0x1b8) returned 1 [0275.902] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0275.958] SetEvent (hEvent=0x19c) returned 1 [0275.959] SetEvent (hEvent=0x1b8) returned 1 [0275.959] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.006] SetEvent (hEvent=0x19c) returned 1 [0278.006] SetEvent (hEvent=0x1b8) returned 1 [0278.006] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.014] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.039] SetEvent (hEvent=0x19c) returned 1 [0278.039] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\OWWkE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\owwke.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb26a9d10, ftCreationTime.dwHighDateTime=0x1d82310, ftLastAccessTime.dwLowDateTime=0x208b8480, ftLastAccessTime.dwHighDateTime=0x1d82a0f, ftLastWriteTime.dwLowDateTime=0x208b8480, ftLastWriteTime.dwHighDateTime=0x1d82a0f, nFileSizeHigh=0x0, nFileSizeLow=0xe7ef)) returned 1 [0278.039] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.063] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.081] SetEvent (hEvent=0x19c) returned 1 [0278.081] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\eqpPz5d.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eqppz5d.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x666a92d0, ftCreationTime.dwHighDateTime=0x1d8218f, ftLastAccessTime.dwLowDateTime=0x181e4610, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0x181e4610, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0x5f98)) returned 1 [0278.081] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.217] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.244] SetEvent (hEvent=0x19c) returned 1 [0278.244] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\m1C.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\m1c.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1a2df0, ftCreationTime.dwHighDateTime=0x1d819c0, ftLastAccessTime.dwLowDateTime=0xa946e310, ftLastAccessTime.dwHighDateTime=0x1d8204f, ftLastWriteTime.dwLowDateTime=0xa946e310, ftLastWriteTime.dwHighDateTime=0x1d8204f, nFileSizeHigh=0x0, nFileSizeLow=0xad1)) returned 1 [0278.265] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.357] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.494] SetEvent (hEvent=0x19c) returned 1 [0278.494] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\uF2rHEH2XRc.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\uf2rheh2xrc.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x949c6c60, ftCreationTime.dwHighDateTime=0x1d8258f, ftLastAccessTime.dwLowDateTime=0x48c5e190, ftLastAccessTime.dwHighDateTime=0x1d8288c, ftLastWriteTime.dwLowDateTime=0x48c5e190, ftLastWriteTime.dwHighDateTime=0x1d8288c, nFileSizeHigh=0x0, nFileSizeLow=0x17f1d)) returned 1 [0278.494] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.554] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.582] SetEvent (hEvent=0x1d0) returned 1 [0278.582] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.595] SetEvent (hEvent=0x19c) returned 1 [0278.595] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\6etfHXV 5PagM21.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\6etfhxv 5pagm21.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8501f0, ftCreationTime.dwHighDateTime=0x1d8226d, ftLastAccessTime.dwLowDateTime=0xd2e053a0, ftLastAccessTime.dwHighDateTime=0x1d822ed, ftLastWriteTime.dwLowDateTime=0xd2e053a0, ftLastWriteTime.dwHighDateTime=0x1d822ed, nFileSizeHigh=0x0, nFileSizeLow=0x7e62)) returned 1 [0278.596] SetEvent (hEvent=0x3f8) returned 1 [0278.596] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0278.601] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0278.601] SetEvent (hEvent=0x3f8) returned 1 [0278.601] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0278.619] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.687] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.710] SetEvent (hEvent=0x3f8) returned 1 [0278.710] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\NolPnYVxwc-.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nolpnyvxwc-.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79bd2f50, ftCreationTime.dwHighDateTime=0x1d81f3c, ftLastAccessTime.dwLowDateTime=0x20a5e630, ftLastAccessTime.dwHighDateTime=0x1d82470, ftLastWriteTime.dwLowDateTime=0x20a5e630, ftLastWriteTime.dwHighDateTime=0x1d82470, nFileSizeHigh=0x0, nFileSizeLow=0xd80c)) returned 1 [0278.710] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.770] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.788] SetEvent (hEvent=0x3f8) returned 1 [0278.788] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TBp4.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tbp4.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cd910c0, ftCreationTime.dwHighDateTime=0x1d81bc5, ftLastAccessTime.dwLowDateTime=0x1f631800, ftLastAccessTime.dwHighDateTime=0x1d822e6, ftLastWriteTime.dwLowDateTime=0x1f631800, ftLastWriteTime.dwHighDateTime=0x1d822e6, nFileSizeHigh=0x0, nFileSizeLow=0x94ac)) returned 1 [0278.788] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.817] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.831] SetEvent (hEvent=0x1b8) returned 1 [0278.831] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0278.839] SetEvent (hEvent=0x3f8) returned 1 [0278.839] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WHnWOXyFUJT1M8QR5fnu.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\whnwoxyfujt1m8qr5fnu.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a0c530, ftCreationTime.dwHighDateTime=0x1d82232, ftLastAccessTime.dwLowDateTime=0xe06d7d80, ftLastAccessTime.dwHighDateTime=0x1d827b7, ftLastWriteTime.dwLowDateTime=0xe06d7d80, ftLastWriteTime.dwHighDateTime=0x1d827b7, nFileSizeHigh=0x0, nFileSizeLow=0x14067)) returned 1 [0278.840] SetEvent (hEvent=0x19c) returned 1 [0278.840] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0278.844] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0278.845] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0278.845] SetEvent (hEvent=0x3f8) returned 1 [0278.845] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0278.848] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0281.823] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0289.325] SetEvent (hEvent=0x420) returned 1 [0289.325] SetEvent (hEvent=0x3f4) returned 1 [0289.326] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0289.699] GetFileType (hFile=0x1a4) returned 0x1 [0289.699] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.699] WriteFile (in: hFile=0x1a4, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x18540, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12853d00*=0x18540, lpOverlapped=0x12853d0c) returned 1 [0289.700] GetFileType (hFile=0x1a4) returned 0x1 [0289.700] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x18540, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0289.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0289.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0289.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483c0 | out: pbBuffer=0x128483c0) returned 1 [0289.701] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SEi KnrwjhMD.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sei knrwjhmd.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0289.701] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0289.701] WriteFile (in: hFile=0x464, lpBuffer=0x12b72a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b72a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0289.701] CloseHandle (hObject=0x464) returned 1 [0289.750] CloseHandle (hObject=0x1a4) returned 1 [0289.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914318 | out: pbBuffer=0x12914318) returned 1 [0289.866] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SEi KnrwjhMD.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sei knrwjhmd.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[A56E27715A813294]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[a56e27715a813294]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0291.068] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\Q1UFERaVErIPdJf.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\q1uferaveripdjf.doc"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf51736d0, ftCreationTime.dwHighDateTime=0x1d822f9, ftLastAccessTime.dwLowDateTime=0x814332a0, ftLastAccessTime.dwHighDateTime=0x1d82591, ftLastWriteTime.dwLowDateTime=0x814332a0, ftLastWriteTime.dwHighDateTime=0x1d82591, nFileSizeHigh=0x0, nFileSizeLow=0x12740)) returned 1 [0291.068] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\RnsshiYYS.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\rnsshiyys.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c138e40, ftCreationTime.dwHighDateTime=0x1d82439, ftLastAccessTime.dwLowDateTime=0x9c949710, ftLastAccessTime.dwHighDateTime=0x1d828f2, ftLastWriteTime.dwLowDateTime=0x9c949710, ftLastWriteTime.dwHighDateTime=0x1d828f2, nFileSizeHigh=0x0, nFileSizeLow=0x17013)) returned 1 [0291.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\Q1UFERaVErIPdJf.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\q1uferaveripdjf.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0291.070] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0291.070] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\Q1UFERaVErIPdJf.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\q1uferaveripdjf.doc"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf51736d0, ftCreationTime.dwHighDateTime=0x1d822f9, ftLastAccessTime.dwLowDateTime=0x814332a0, ftLastAccessTime.dwHighDateTime=0x1d82591, ftLastWriteTime.dwLowDateTime=0x814332a0, ftLastWriteTime.dwHighDateTime=0x1d82591, nFileSizeHigh=0x0, nFileSizeLow=0x12740)) returned 1 [0291.070] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eaa0 | out: pbBuffer=0x1280eaa0) returned 1 [0291.070] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129152d0 | out: pbBuffer=0x129152d0) returned 1 [0291.070] ReadFile (in: hFile=0x464, lpBuffer=0x12bde000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bde000*, lpNumberOfBytesRead=0x12853d1c*=0x12740, lpOverlapped=0x0) returned 1 [0291.072] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0291.196] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa94, ulCount=0x10, ulNumEntriesRemoved=0x19fa78, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa94, ulNumEntriesRemoved=0x19fa78) returned 0 [0291.196] SetEvent (hEvent=0x110) returned 1 [0291.197] SetEvent (hEvent=0xfc) returned 1 [0291.198] GetFileType (hFile=0x464) returned 0x1 [0291.198] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0291.198] WriteFile (in: hFile=0x464, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x12740, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12853d00*=0x12740, lpOverlapped=0x12853d0c) returned 1 [0291.199] GetFileType (hFile=0x464) returned 0x1 [0291.199] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x12740, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0291.200] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0291.200] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0291.200] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0291.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915388 | out: pbBuffer=0x12915388) returned 1 [0291.201] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\Q1UFERaVErIPdJf.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\q1uferaveripdjf.doc"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0291.201] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0291.201] WriteFile (in: hFile=0x460, lpBuffer=0x12a44a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a44a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0291.201] CloseHandle (hObject=0x460) returned 1 [0291.258] CloseHandle (hObject=0x464) returned 1 [0291.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129153a0 | out: pbBuffer=0x129153a0) returned 1 [0291.525] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\Q1UFERaVErIPdJf.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\q1uferaveripdjf.doc"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\#_THIS_FILE_IS_ENCRYPTED_[692C5BDD37A3106F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\#_this_file_is_encrypted_[692c5bdd37a3106f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0292.709] SetEvent (hEvent=0x454) returned 1 [0292.709] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7mgyJC0.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7mgyjc0.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0292.711] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0292.711] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7mgyJC0.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7mgyjc0.odt"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x283188b0, ftCreationTime.dwHighDateTime=0x1d81b78, ftLastAccessTime.dwLowDateTime=0x330654f0, ftLastAccessTime.dwHighDateTime=0x1d81d03, ftLastWriteTime.dwLowDateTime=0x330654f0, ftLastWriteTime.dwHighDateTime=0x1d81d03, nFileSizeHigh=0x0, nFileSizeLow=0xda0c)) returned 1 [0292.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128444a0 | out: pbBuffer=0x128444a0) returned 1 [0292.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1f0 | out: pbBuffer=0x12a9a1f0) returned 1 [0292.720] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12853d1c*=0xda0c, lpOverlapped=0x0) returned 1 [0292.723] GetFileType (hFile=0x44c) returned 0x1 [0292.723] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0292.723] WriteFile (in: hFile=0x44c, lpBuffer=0x12e62000*, nNumberOfBytesToWrite=0xda0c, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12e62000*, lpNumberOfBytesWritten=0x12853d00*=0xda0c, lpOverlapped=0x12853d0c) returned 1 [0292.723] GetFileType (hFile=0x44c) returned 0x1 [0292.723] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xda0c, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0292.723] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0292.723] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0292.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0292.735] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a2a8 | out: pbBuffer=0x12a9a2a8) returned 1 [0292.735] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7mgyJC0.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7mgyjc0.odt"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0292.735] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0292.736] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0292.736] CloseHandle (hObject=0x470) returned 1 [0292.736] CloseHandle (hObject=0x44c) returned 1 [0292.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2c0 | out: pbBuffer=0x12a9a2c0) returned 1 [0292.766] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7mgyJC0.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7mgyjc0.odt"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\#_THIS_FILE_IS_ENCRYPTED_[B5EFC3DC8E1D8EC5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\#_this_file_is_encrypted_[b5efc3dc8e1d8ec5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.096] SetEvent (hEvent=0x454) returned 1 [0293.096] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VhGbFhvbri9alcaNeITl.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vhgbfhvbri9alcaneitl.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.097] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.097] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VhGbFhvbri9alcaNeITl.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vhgbfhvbri9alcaneitl.ots"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ef17480, ftCreationTime.dwHighDateTime=0x1d81fb8, ftLastAccessTime.dwLowDateTime=0x72f0ffc0, ftLastAccessTime.dwHighDateTime=0x1d82032, ftLastWriteTime.dwLowDateTime=0x72f0ffc0, ftLastWriteTime.dwHighDateTime=0x1d82032, nFileSizeHigh=0x0, nFileSizeLow=0x104c6)) returned 1 [0293.097] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f500 | out: pbBuffer=0x1280f500) returned 1 [0293.097] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d80 | out: pbBuffer=0x12848d80) returned 1 [0293.097] ReadFile (in: hFile=0x44c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12853d1c*=0x104c6, lpOverlapped=0x0) returned 1 [0293.099] GetFileType (hFile=0x44c) returned 0x1 [0293.099] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.100] WriteFile (in: hFile=0x44c, lpBuffer=0x12e44000*, nNumberOfBytesToWrite=0x104c6, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12e44000*, lpNumberOfBytesWritten=0x12853d00*=0x104c6, lpOverlapped=0x12853d0c) returned 1 [0293.100] GetFileType (hFile=0x44c) returned 0x1 [0293.101] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x104c6, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0293.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0293.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0293.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848e78 | out: pbBuffer=0x12848e78) returned 1 [0293.101] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VhGbFhvbri9alcaNeITl.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vhgbfhvbri9alcaneitl.ots"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.102] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.102] WriteFile (in: hFile=0x464, lpBuffer=0x12a32a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a32a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.102] CloseHandle (hObject=0x464) returned 1 [0293.109] CloseHandle (hObject=0x44c) returned 1 [0293.111] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848eb0 | out: pbBuffer=0x12848eb0) returned 1 [0293.112] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VhGbFhvbri9alcaNeITl.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vhgbfhvbri9alcaneitl.ots"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\#_THIS_FILE_IS_ENCRYPTED_[7A9D31066C18B016]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\#_this_file_is_encrypted_[7a9d31066c18b016]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.236] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\Qx26De31QiS.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\qx26de31qis.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.237] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.237] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\Qx26De31QiS.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\qx26de31qis.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaabee60, ftCreationTime.dwHighDateTime=0x1d8274d, ftLastAccessTime.dwLowDateTime=0x40e998d0, ftLastAccessTime.dwHighDateTime=0x1d82946, ftLastWriteTime.dwLowDateTime=0x40e998d0, ftLastWriteTime.dwHighDateTime=0x1d82946, nFileSizeHigh=0x0, nFileSizeLow=0x11e51)) returned 1 [0293.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0293.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914890 | out: pbBuffer=0x12914890) returned 1 [0293.237] ReadFile (in: hFile=0x44c, lpBuffer=0x12de4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12de4000*, lpNumberOfBytesRead=0x12853d1c*=0x11e51, lpOverlapped=0x0) returned 1 [0293.240] GetFileType (hFile=0x44c) returned 0x1 [0293.240] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.240] WriteFile (in: hFile=0x44c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x11e51, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12853d00*=0x11e51, lpOverlapped=0x12853d0c) returned 1 [0293.241] GetFileType (hFile=0x44c) returned 0x1 [0293.241] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x11e51, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0293.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0293.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0293.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914948 | out: pbBuffer=0x12914948) returned 1 [0293.242] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\Qx26De31QiS.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\qx26de31qis.rtf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.242] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.242] WriteFile (in: hFile=0x468, lpBuffer=0x12af4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.243] CloseHandle (hObject=0x468) returned 1 [0293.248] CloseHandle (hObject=0x44c) returned 1 [0293.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914960 | out: pbBuffer=0x12914960) returned 1 [0293.259] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\Qx26De31QiS.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\qx26de31qis.rtf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\#_THIS_FILE_IS_ENCRYPTED_[2863B910B079C1A8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\#_this_file_is_encrypted_[2863b910b079c1a8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.402] SwitchToThread () returned 1 [0293.443] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\uPNvhNg_N9fx0M3PhrT.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\upnvhng_n9fx0m3phrt.pdf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x152988a0, ftCreationTime.dwHighDateTime=0x1d82440, ftLastAccessTime.dwLowDateTime=0x97eca220, ftLastAccessTime.dwHighDateTime=0x1d826ea, ftLastWriteTime.dwLowDateTime=0x97eca220, ftLastWriteTime.dwHighDateTime=0x1d826ea, nFileSizeHigh=0x0, nFileSizeLow=0x18986)) returned 1 [0293.443] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\ohHut0PBID.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ohhut0pbid.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa174a920, ftCreationTime.dwHighDateTime=0x1d824fe, ftLastAccessTime.dwLowDateTime=0xca3c850, ftLastAccessTime.dwHighDateTime=0x1d8284e, ftLastWriteTime.dwLowDateTime=0xca3c850, ftLastWriteTime.dwHighDateTime=0x1d8284e, nFileSizeHigh=0x0, nFileSizeLow=0x2452)) returned 1 [0293.444] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\rO-xa.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ro-xa.pps"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe778d310, ftCreationTime.dwHighDateTime=0x1d81e28, ftLastAccessTime.dwLowDateTime=0x3a6cfbb0, ftLastAccessTime.dwHighDateTime=0x1d82611, ftLastWriteTime.dwLowDateTime=0x3a6cfbb0, ftLastWriteTime.dwHighDateTime=0x1d82611, nFileSizeHigh=0x0, nFileSizeLow=0x4e78)) returned 1 [0293.444] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bJHrKFh47XxzRpF4.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjhrkfh47xxzrpf4.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75ccaff0, ftCreationTime.dwHighDateTime=0x1d7a224, ftLastAccessTime.dwLowDateTime=0x36cd7db0, ftLastAccessTime.dwHighDateTime=0x1d7e8cf, ftLastWriteTime.dwLowDateTime=0x36cd7db0, ftLastWriteTime.dwHighDateTime=0x1d7e8cf, nFileSizeHigh=0x0, nFileSizeLow=0x18f6c)) returned 1 [0293.444] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\uPNvhNg_N9fx0M3PhrT.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\upnvhng_n9fx0m3phrt.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.445] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0293.445] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\uPNvhNg_N9fx0M3PhrT.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\upnvhng_n9fx0m3phrt.pdf"), fInfoLevelId=0x0, lpFileInformation=0x12a2dad0 | out: lpFileInformation=0x12a2dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x152988a0, ftCreationTime.dwHighDateTime=0x1d82440, ftLastAccessTime.dwLowDateTime=0x97eca220, ftLastAccessTime.dwHighDateTime=0x1d826ea, ftLastWriteTime.dwLowDateTime=0x97eca220, ftLastWriteTime.dwHighDateTime=0x1d826ea, nFileSizeHigh=0x0, nFileSizeLow=0x18986)) returned 1 [0293.446] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928e60 | out: pbBuffer=0x12928e60) returned 1 [0293.446] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915a30 | out: pbBuffer=0x12915a30) returned 1 [0293.446] SetEvent (hEvent=0x454) returned 1 [0293.446] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0293.537] SetEvent (hEvent=0x19c) returned 1 [0293.537] SetEvent (hEvent=0xfc) returned 1 [0293.537] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0293.619] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0293.650] SetEvent (hEvent=0x420) returned 1 [0293.650] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0293.650] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0293.650] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0293.651] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0293.651] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0293.651] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0293.651] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0293.651] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0293.651] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0293.651] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.653] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0293.653] WriteFile (in: hFile=0x470, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0293.656] CloseHandle (hObject=0x470) returned 1 [0293.656] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a)) returned 1 [0293.656] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0293.697] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0293.725] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0293.937] SetEvent (hEvent=0x420) returned 1 [0293.937] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0293.947] SetEvent (hEvent=0x454) returned 1 [0293.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0293.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0293.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0293.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848458 | out: pbBuffer=0x12848458) returned 1 [0293.949] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.949] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.949] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0293.949] CloseHandle (hObject=0x470) returned 1 [0293.958] CloseHandle (hObject=0x45c) returned 1 [0293.963] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0293.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848470 | out: pbBuffer=0x12848470) returned 1 [0293.967] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\#_THIS_FILE_IS_ENCRYPTED_[50AA447CB9265A31]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\#_this_file_is_encrypted_[50aa447cb9265a31]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.134] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.140] SetEvent (hEvent=0x1d0) returned 1 [0294.140] SetEvent (hEvent=0x454) returned 1 [0294.140] SetEvent (hEvent=0x19c) returned 1 [0294.140] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.244] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.255] SetEvent (hEvent=0x454) returned 1 [0294.255] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.271] SetEvent (hEvent=0x454) returned 1 [0294.271] SetEvent (hEvent=0x1d0) returned 1 [0294.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\RMZsOFOkeg68udY j.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\rmzsofokeg68udy j.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.272] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0294.272] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\RMZsOFOkeg68udY j.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\rmzsofokeg68udy j.wav"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2cac010, ftCreationTime.dwHighDateTime=0x1d822b0, ftLastAccessTime.dwLowDateTime=0xdfeafdf0, ftLastAccessTime.dwHighDateTime=0x1d824c0, ftLastWriteTime.dwLowDateTime=0xdfeafdf0, ftLastWriteTime.dwHighDateTime=0x1d824c0, nFileSizeHigh=0x0, nFileSizeLow=0xb9e4)) returned 1 [0294.272] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7520 | out: pbBuffer=0x12ac7520) returned 1 [0294.272] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915670 | out: pbBuffer=0x12915670) returned 1 [0294.273] ReadFile (in: hFile=0x464, lpBuffer=0x12cdc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cdc000*, lpNumberOfBytesRead=0x12851d1c*=0xb9e4, lpOverlapped=0x0) returned 1 [0294.275] GetFileType (hFile=0x464) returned 0x1 [0294.275] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.275] WriteFile (in: hFile=0x464, lpBuffer=0x12a62000*, nNumberOfBytesToWrite=0xb9e4, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a62000*, lpNumberOfBytesWritten=0x12851d00*=0xb9e4, lpOverlapped=0x12851d0c) returned 1 [0294.275] GetFileType (hFile=0x464) returned 0x1 [0294.275] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xb9e4, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.276] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0294.276] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0294.276] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0294.276] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915738 | out: pbBuffer=0x12915738) returned 1 [0294.276] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\RMZsOFOkeg68udY j.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\rmzsofokeg68udy j.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.277] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0294.277] WriteFile (in: hFile=0x468, lpBuffer=0x12ac2a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.277] CloseHandle (hObject=0x468) returned 1 [0294.277] CloseHandle (hObject=0x464) returned 1 [0294.277] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915750 | out: pbBuffer=0x12915750) returned 1 [0294.277] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\RMZsOFOkeg68udY j.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\rmzsofokeg68udy j.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\#_THIS_FILE_IS_ENCRYPTED_[C4092A66C4ECA5B4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\#_this_file_is_encrypted_[c4092a66c4eca5b4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.279] SwitchToThread () returned 1 [0294.280] SetEvent (hEvent=0x454) returned 1 [0294.280] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.345] SetEvent (hEvent=0x19c) returned 1 [0294.346] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\0v2fbPeHHc5.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\0v2fbpehhc5.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.346] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.346] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\0v2fbPeHHc5.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\0v2fbpehhc5.wav"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b6ab9f0, ftCreationTime.dwHighDateTime=0x1d82348, ftLastAccessTime.dwLowDateTime=0xb5874010, ftLastAccessTime.dwHighDateTime=0x1d82726, ftLastWriteTime.dwLowDateTime=0xb5874010, ftLastWriteTime.dwHighDateTime=0x1d82726, nFileSizeHigh=0x0, nFileSizeLow=0x1599c)) returned 1 [0294.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0294.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0294.347] ReadFile (in: hFile=0x470, lpBuffer=0x12de4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12de4000*, lpNumberOfBytesRead=0x12853d1c*=0x1599c, lpOverlapped=0x0) returned 1 [0294.349] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0294.352] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa94, ulCount=0x10, ulNumEntriesRemoved=0x19fa78, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa94, ulNumEntriesRemoved=0x19fa78) returned 0 [0294.352] SetEvent (hEvent=0x110) returned 1 [0294.353] SetEvent (hEvent=0x19c) returned 1 [0294.353] SetEvent (hEvent=0x420) returned 1 [0294.354] GetFileType (hFile=0x470) returned 0x1 [0294.354] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.354] WriteFile (in: hFile=0x470, lpBuffer=0x12e24000*, nNumberOfBytesToWrite=0x1599c, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12e24000*, lpNumberOfBytesWritten=0x12853d00*=0x1599c, lpOverlapped=0x12853d0c) returned 1 [0294.354] GetFileType (hFile=0x470) returned 0x1 [0294.354] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x1599c, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.355] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0294.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0294.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0294.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0294.356] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\0v2fbPeHHc5.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\0v2fbpehhc5.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.356] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.356] WriteFile (in: hFile=0x44c, lpBuffer=0x12aeea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aeea00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.357] CloseHandle (hObject=0x44c) returned 1 [0294.357] CloseHandle (hObject=0x470) returned 1 [0294.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810108 | out: pbBuffer=0x12810108) returned 1 [0294.357] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\0v2fbPeHHc5.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\0v2fbpehhc5.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\#_THIS_FILE_IS_ENCRYPTED_[1186F43A9F2A534E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\#_this_file_is_encrypted_[1186f43a9f2a534e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.360] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0294.390] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0294.392] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x19fa9c, ulCount=0x10, ulNumEntriesRemoved=0x19fa80, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x19fa9c, ulNumEntriesRemoved=0x19fa80) returned 0 [0294.392] SetEvent (hEvent=0x454) returned 1 [0294.392] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x1) returned 0x0 [0294.436] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\ssRbLKtGO.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\ssrblktgo.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.437] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.437] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\ssRbLKtGO.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\ssrblktgo.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb535960, ftCreationTime.dwHighDateTime=0x1d82415, ftLastAccessTime.dwLowDateTime=0xd65839c0, ftLastAccessTime.dwHighDateTime=0x1d82776, ftLastWriteTime.dwLowDateTime=0xd65839c0, ftLastWriteTime.dwHighDateTime=0x1d82776, nFileSizeHigh=0x0, nFileSizeLow=0xcbef)) returned 1 [0294.438] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0294.438] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0294.438] ReadFile (in: hFile=0x44c, lpBuffer=0x1296c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x1296c000*, lpNumberOfBytesRead=0x12a2fd1c*=0xcbef, lpOverlapped=0x0) returned 1 [0294.441] GetFileType (hFile=0x44c) returned 0x1 [0294.441] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.442] WriteFile (in: hFile=0x44c, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0xcbef, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12a2fd00*=0xcbef, lpOverlapped=0x12a2fd0c) returned 1 [0294.442] GetFileType (hFile=0x44c) returned 0x1 [0294.442] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xcbef, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.442] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0294.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0294.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0294.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914220 | out: pbBuffer=0x12914220) returned 1 [0294.443] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\ssRbLKtGO.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\ssrblktgo.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.444] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.444] WriteFile (in: hFile=0x474, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.444] CloseHandle (hObject=0x474) returned 1 [0294.444] CloseHandle (hObject=0x44c) returned 1 [0294.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914278 | out: pbBuffer=0x12914278) returned 1 [0294.444] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\ssRbLKtGO.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\ssrblktgo.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\#_THIS_FILE_IS_ENCRYPTED_[5AC99601ECB5C653]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\#_this_file_is_encrypted_[5ac99601ecb5c653]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.446] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0294.446] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0294.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0294.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914448 | out: pbBuffer=0x12914448) returned 1 [0294.447] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\qvUP67bV7Qm2qYTbl.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\qvup67bv7qm2qytbl.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.447] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.447] WriteFile (in: hFile=0x44c, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.447] CloseHandle (hObject=0x44c) returned 1 [0294.447] CloseHandle (hObject=0x464) returned 1 [0294.448] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914470 | out: pbBuffer=0x12914470) returned 1 [0294.448] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\qvUP67bV7Qm2qYTbl.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\qvup67bv7qm2qytbl.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\#_THIS_FILE_IS_ENCRYPTED_[D1A35750A6838F1A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\#_this_file_is_encrypted_[d1a35750a6838f1a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.450] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0294.450] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0294.450] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0294.451] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914610 | out: pbBuffer=0x12914610) returned 1 [0294.451] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\-b5_MxngD.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\-b5_mxngd.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.451] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.451] WriteFile (in: hFile=0x464, lpBuffer=0x12dd1400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1400*, lpNumberOfBytesWritten=0x12a2dd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.451] CloseHandle (hObject=0x464) returned 1 [0294.451] CloseHandle (hObject=0x468) returned 1 [0294.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914628 | out: pbBuffer=0x12914628) returned 1 [0294.452] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\-b5_MxngD.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\-b5_mxngd.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\#_THIS_FILE_IS_ENCRYPTED_[B8CA80DE5400CCC0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\#_this_file_is_encrypted_[b8ca80de5400ccc0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.453] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.454] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.454] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67)) returned 1 [0294.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6a80 | out: pbBuffer=0x12ac6a80) returned 1 [0294.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914670 | out: pbBuffer=0x12914670) returned 1 [0294.454] ReadFile (in: hFile=0x468, lpBuffer=0x12de4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12de4000*, lpNumberOfBytesRead=0x12a2bd1c*=0x67, lpOverlapped=0x0) returned 1 [0294.455] GetFileType (hFile=0x468) returned 0x1 [0294.455] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.455] WriteFile (in: hFile=0x468, lpBuffer=0x128684d0*, nNumberOfBytesToWrite=0x67, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x128684d0*, lpNumberOfBytesWritten=0x12a2bd00*=0x67, lpOverlapped=0x12a2bd0c) returned 1 [0294.456] GetFileType (hFile=0x468) returned 0x1 [0294.456] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x67, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.456] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0294.456] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0294.456] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0294.456] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914728 | out: pbBuffer=0x12914728) returned 1 [0294.456] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.457] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.457] WriteFile (in: hFile=0x464, lpBuffer=0x12dd1900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1900*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.477] CloseHandle (hObject=0x464) returned 1 [0294.477] CloseHandle (hObject=0x468) returned 1 [0294.477] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914740 | out: pbBuffer=0x12914740) returned 1 [0294.477] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\#_THIS_FILE_IS_ENCRYPTED_[2689DB062DAD60E3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\#_this_file_is_encrypted_[2689db062dad60e3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.514] SwitchToThread () returned 1 [0294.562] SwitchToThread () returned 1 [0294.564] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.567] SetEvent (hEvent=0x420) returned 1 [0294.567] SetEvent (hEvent=0x1b8) returned 1 [0294.567] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.780] SetEvent (hEvent=0x19c) returned 1 [0294.780] SetEvent (hEvent=0x420) returned 1 [0294.780] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.790] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.809] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.831] SetEvent (hEvent=0x420) returned 1 [0294.832] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\TqX2LJia.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\tqx2ljia.png"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b383240, ftCreationTime.dwHighDateTime=0x1d8207d, ftLastAccessTime.dwLowDateTime=0xd2e450f0, ftLastAccessTime.dwHighDateTime=0x1d828f0, ftLastWriteTime.dwLowDateTime=0xd2e450f0, ftLastWriteTime.dwHighDateTime=0x1d828f0, nFileSizeHigh=0x0, nFileSizeLow=0x14ab3)) returned 1 [0294.832] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.863] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.904] SetEvent (hEvent=0x420) returned 1 [0294.904] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\ww9e exBrFr.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ww9e exbrfr.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa82639f0, ftCreationTime.dwHighDateTime=0x1d82346, ftLastAccessTime.dwLowDateTime=0xaec13e20, ftLastAccessTime.dwHighDateTime=0x1d82834, ftLastWriteTime.dwLowDateTime=0xaec13e20, ftLastWriteTime.dwHighDateTime=0x1d82834, nFileSizeHigh=0x0, nFileSizeLow=0x7668)) returned 1 [0294.905] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.941] SetEvent (hEvent=0x420) returned 1 [0294.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\XxBVq2JXPp_ZGN53uP.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\xxbvq2jxpp_zgn53up.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x976377c0, ftCreationTime.dwHighDateTime=0x1d82915, ftLastAccessTime.dwLowDateTime=0xf6164610, ftLastAccessTime.dwHighDateTime=0x1d82935, ftLastWriteTime.dwLowDateTime=0xf6164610, ftLastWriteTime.dwHighDateTime=0x1d82935, nFileSizeHigh=0x0, nFileSizeLow=0xcac8)) returned 1 [0294.942] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0294.963] SetEvent (hEvent=0x420) returned 1 [0294.963] SetEvent (hEvent=0x454) returned 1 [0294.963] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.091] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.225] SwitchToThread () returned 1 [0295.261] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.275] SetEvent (hEvent=0xfc) returned 1 [0295.275] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.283] SetEvent (hEvent=0x1b8) returned 1 [0295.283] SetEvent (hEvent=0x454) returned 1 [0295.283] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.288] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.305] SetEvent (hEvent=0x1b8) returned 1 [0295.305] SetEvent (hEvent=0x19c) returned 1 [0295.305] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.307] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.307] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a)) returned 1 [0295.307] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6240 | out: pbBuffer=0x12ac6240) returned 1 [0295.307] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10120 | out: pbBuffer=0x12b10120) returned 1 [0295.308] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a31d1c*=0x11a, lpOverlapped=0x0) returned 1 [0295.309] GetFileType (hFile=0x44c) returned 0x1 [0295.309] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.310] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac4240*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12ac4240*, lpNumberOfBytesWritten=0x12a31d00*=0x11a, lpOverlapped=0x12a31d0c) returned 1 [0295.310] GetFileType (hFile=0x44c) returned 0x1 [0295.310] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x11a, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0295.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0295.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0295.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b101d8 | out: pbBuffer=0x12b101d8) returned 1 [0295.311] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.311] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.311] WriteFile (in: hFile=0x470, lpBuffer=0x12ac2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2500*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.318] CloseHandle (hObject=0x470) returned 1 [0295.319] CloseHandle (hObject=0x44c) returned 1 [0295.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811ac8 | out: pbBuffer=0x12811ac8) returned 1 [0295.319] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\#_THIS_FILE_IS_ENCRYPTED_[989965AD3CA8452D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\#_this_file_is_encrypted_[989965ad3ca8452d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.327] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.370] SetEvent (hEvent=0xfc) returned 1 [0295.370] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\9IXWiaXsXL3wWUddS.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\9ixwiaxsxl3wwudds.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.371] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.371] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\9IXWiaXsXL3wWUddS.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\9ixwiaxsxl3wwudds.flv"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfe7b8d0, ftCreationTime.dwHighDateTime=0x1d82308, ftLastAccessTime.dwLowDateTime=0x71e690d0, ftLastAccessTime.dwHighDateTime=0x1d827d6, ftLastWriteTime.dwLowDateTime=0x71e690d0, ftLastWriteTime.dwHighDateTime=0x1d827d6, nFileSizeHigh=0x0, nFileSizeLow=0x12aeb)) returned 1 [0295.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0295.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0295.371] ReadFile (in: hFile=0x468, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a31d1c*=0x12aeb, lpOverlapped=0x0) returned 1 [0295.374] GetFileType (hFile=0x468) returned 0x1 [0295.374] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.374] WriteFile (in: hFile=0x468, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x12aeb, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x12a31d00*=0x12aeb, lpOverlapped=0x12a31d0c) returned 1 [0295.374] GetFileType (hFile=0x468) returned 0x1 [0295.375] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x12aeb, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.375] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0295.375] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0295.375] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0295.375] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0295.375] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\9IXWiaXsXL3wWUddS.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\9ixwiaxsxl3wwudds.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0295.376] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.376] WriteFile (in: hFile=0x45c, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.376] CloseHandle (hObject=0x45c) returned 1 [0295.376] CloseHandle (hObject=0x468) returned 1 [0295.376] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810108 | out: pbBuffer=0x12810108) returned 1 [0295.376] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\9IXWiaXsXL3wWUddS.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\9ixwiaxsxl3wwudds.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\#_THIS_FILE_IS_ENCRYPTED_[976CC2037A2B3B4C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\#_this_file_is_encrypted_[976cc2037a2b3b4c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.378] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\N9DS8B65_.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\n9ds8b65_.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92a37800, ftCreationTime.dwHighDateTime=0x1d8258e, ftLastAccessTime.dwLowDateTime=0xcb7db2d0, ftLastAccessTime.dwHighDateTime=0x1d82688, ftLastWriteTime.dwLowDateTime=0xcb7db2d0, ftLastWriteTime.dwHighDateTime=0x1d82688, nFileSizeHigh=0x0, nFileSizeLow=0x50b)) returned 1 [0295.378] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf7776c0, ftCreationTime.dwHighDateTime=0x1d81e3f, ftLastAccessTime.dwLowDateTime=0x8f4d5780, ftLastAccessTime.dwHighDateTime=0x1d827a4, ftLastWriteTime.dwLowDateTime=0x8f4d5780, ftLastWriteTime.dwHighDateTime=0x1d827a4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.378] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.378] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf7776c0, ftCreationTime.dwHighDateTime=0x1d81e3f, ftLastAccessTime.dwLowDateTime=0x8f4d5780, ftLastAccessTime.dwHighDateTime=0x1d827a4, ftLastWriteTime.dwLowDateTime=0x8f4d5780, ftLastWriteTime.dwHighDateTime=0x1d827a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefab8 [0295.378] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf7776c0, ftCreationTime.dwHighDateTime=0x1d81e3f, ftLastAccessTime.dwLowDateTime=0x8f4d5780, ftLastAccessTime.dwHighDateTime=0x1d827a4, ftLastWriteTime.dwLowDateTime=0x8f4d5780, ftLastWriteTime.dwHighDateTime=0x1d827a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.378] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cbeff50, ftCreationTime.dwHighDateTime=0x1d824cf, ftLastAccessTime.dwLowDateTime=0xe72739a0, ftLastAccessTime.dwHighDateTime=0x1d82789, ftLastWriteTime.dwLowDateTime=0xe72739a0, ftLastWriteTime.dwHighDateTime=0x1d82789, nFileSizeHigh=0x0, nFileSizeLow=0x16b9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="cWpF2Ydq1srY.flv", cAlternateFileName="CWPF2Y~1.FLV")) returned 1 [0295.379] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.379] FindClose (in: hFindFile=0xbefab8 | out: hFindFile=0xbefab8) returned 1 [0295.379] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.379] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.379] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.381] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0295.381] WriteFile (in: hFile=0x468, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0295.382] CloseHandle (hObject=0x468) returned 1 [0295.382] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\cWpF2Ydq1srY.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg\\cwpf2ydq1sry.flv"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cbeff50, ftCreationTime.dwHighDateTime=0x1d824cf, ftLastAccessTime.dwLowDateTime=0xe72739a0, ftLastAccessTime.dwHighDateTime=0x1d82789, ftLastWriteTime.dwLowDateTime=0xe72739a0, ftLastWriteTime.dwHighDateTime=0x1d82789, nFileSizeHigh=0x0, nFileSizeLow=0x16b9f)) returned 1 [0295.383] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\N9DS8B65_.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\n9ds8b65_.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.383] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.383] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\N9DS8B65_.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\n9ds8b65_.swf"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92a37800, ftCreationTime.dwHighDateTime=0x1d8258e, ftLastAccessTime.dwLowDateTime=0xcb7db2d0, ftLastAccessTime.dwHighDateTime=0x1d82688, ftLastWriteTime.dwLowDateTime=0xcb7db2d0, ftLastWriteTime.dwHighDateTime=0x1d82688, nFileSizeHigh=0x0, nFileSizeLow=0x50b)) returned 1 [0295.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0295.384] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810cc0 | out: pbBuffer=0x12810cc0) returned 1 [0295.384] ReadFile (in: hFile=0x468, lpBuffer=0x12bde000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bde000*, lpNumberOfBytesRead=0x12a31d1c*=0x50b, lpOverlapped=0x0) returned 1 [0295.385] GetFileType (hFile=0x468) returned 0x1 [0295.385] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.385] WriteFile (in: hFile=0x468, lpBuffer=0x1285c000*, nNumberOfBytesToWrite=0x50b, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x1285c000*, lpNumberOfBytesWritten=0x12a31d00*=0x50b, lpOverlapped=0x12a31d0c) returned 1 [0295.385] GetFileType (hFile=0x468) returned 0x1 [0295.385] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x50b, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.385] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0295.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0295.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0295.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810d78 | out: pbBuffer=0x12810d78) returned 1 [0295.386] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\N9DS8B65_.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\n9ds8b65_.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0295.386] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.386] WriteFile (in: hFile=0x45c, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.387] CloseHandle (hObject=0x45c) returned 1 [0295.387] CloseHandle (hObject=0x468) returned 1 [0295.387] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810d90 | out: pbBuffer=0x12810d90) returned 1 [0295.387] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\N9DS8B65_.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\n9ds8b65_.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\#_THIS_FILE_IS_ENCRYPTED_[7D00462997901923]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\#_this_file_is_encrypted_[7d00462997901923]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.388] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\cWpF2Ydq1srY.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg\\cwpf2ydq1sry.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.389] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.389] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\cWpF2Ydq1srY.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg\\cwpf2ydq1sry.flv"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cbeff50, ftCreationTime.dwHighDateTime=0x1d824cf, ftLastAccessTime.dwLowDateTime=0xe72739a0, ftLastAccessTime.dwHighDateTime=0x1d82789, ftLastWriteTime.dwLowDateTime=0xe72739a0, ftLastWriteTime.dwHighDateTime=0x1d82789, nFileSizeHigh=0x0, nFileSizeLow=0x16b9f)) returned 1 [0295.389] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98460 | out: pbBuffer=0x12a98460) returned 1 [0295.389] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810dd8 | out: pbBuffer=0x12810dd8) returned 1 [0295.390] ReadFile (in: hFile=0x468, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12a31d1c*=0x16b9f, lpOverlapped=0x0) returned 1 [0295.394] GetFileType (hFile=0x468) returned 0x1 [0295.394] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.394] WriteFile (in: hFile=0x468, lpBuffer=0x12df8000*, nNumberOfBytesToWrite=0x16b9f, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12df8000*, lpNumberOfBytesWritten=0x12a31d00*=0x16b9f, lpOverlapped=0x12a31d0c) returned 1 [0295.395] GetFileType (hFile=0x468) returned 0x1 [0295.395] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x16b9f, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0295.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0295.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc81 | out: pbBuffer=0x12afcc81) returned 1 [0295.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810e90 | out: pbBuffer=0x12810e90) returned 1 [0295.396] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\cWpF2Ydq1srY.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg\\cwpf2ydq1sry.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0295.396] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.396] WriteFile (in: hFile=0x45c, lpBuffer=0x12dd1400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1400*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.397] CloseHandle (hObject=0x45c) returned 1 [0295.397] CloseHandle (hObject=0x468) returned 1 [0295.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ea8 | out: pbBuffer=0x12810ea8) returned 1 [0295.410] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\cWpF2Ydq1srY.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg\\cwpf2ydq1sry.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qGjg\\#_THIS_FILE_IS_ENCRYPTED_[8023FF559DBD8544]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qgjg\\#_this_file_is_encrypted_[8023ff559dbd8544]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.442] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.463] SetEvent (hEvent=0x1d0) returned 1 [0295.501] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.526] SetEvent (hEvent=0x1b8) returned 1 [0295.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\4j-0Qf7Vs7_HvpB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\4j-0qf7vs7_hvpb.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.527] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\4j-0Qf7Vs7_HvpB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\4j-0qf7vs7_hvpb.swf"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af93900, ftCreationTime.dwHighDateTime=0x1d827c6, ftLastAccessTime.dwLowDateTime=0xe7ea9100, ftLastAccessTime.dwHighDateTime=0x1d829f7, ftLastWriteTime.dwLowDateTime=0xe7ea9100, ftLastWriteTime.dwHighDateTime=0x1d829f7, nFileSizeHigh=0x0, nFileSizeLow=0x13c3a)) returned 1 [0295.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0295.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10008 | out: pbBuffer=0x12b10008) returned 1 [0295.527] ReadFile (in: hFile=0x470, lpBuffer=0x12dd8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12dd8000*, lpNumberOfBytesRead=0x12855d1c*=0x13c3a, lpOverlapped=0x0) returned 1 [0295.530] GetFileType (hFile=0x470) returned 0x1 [0295.530] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.530] WriteFile (in: hFile=0x470, lpBuffer=0x12e18000*, nNumberOfBytesToWrite=0x13c3a, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12e18000*, lpNumberOfBytesWritten=0x12855d00*=0x13c3a, lpOverlapped=0x12855d0c) returned 1 [0295.531] GetFileType (hFile=0x470) returned 0x1 [0295.531] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x13c3a, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0295.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0295.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0295.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b100c0 | out: pbBuffer=0x12b100c0) returned 1 [0295.532] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\4j-0Qf7Vs7_HvpB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\4j-0qf7vs7_hvpb.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.532] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.532] WriteFile (in: hFile=0x44c, lpBuffer=0x12a6a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6a000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.532] CloseHandle (hObject=0x44c) returned 1 [0295.532] CloseHandle (hObject=0x470) returned 1 [0295.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b100d8 | out: pbBuffer=0x12b100d8) returned 1 [0295.533] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\4j-0Qf7Vs7_HvpB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\4j-0qf7vs7_hvpb.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\#_THIS_FILE_IS_ENCRYPTED_[AD83852F9A34425F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\#_this_file_is_encrypted_[ad83852f9a34425f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.534] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.567] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\3v_K3nV_SJQYX.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\3v_k3nv_sjqyx.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.568] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0295.568] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\3v_K3nV_SJQYX.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\3v_k3nv_sjqyx.avi"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47126440, ftCreationTime.dwHighDateTime=0x1d81e0f, ftLastAccessTime.dwLowDateTime=0x20b017f0, ftLastAccessTime.dwHighDateTime=0x1d82055, ftLastWriteTime.dwLowDateTime=0x20b017f0, ftLastWriteTime.dwHighDateTime=0x1d82055, nFileSizeHigh=0x0, nFileSizeLow=0x15800)) returned 1 [0295.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6340 | out: pbBuffer=0x12ac6340) returned 1 [0295.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10120 | out: pbBuffer=0x12b10120) returned 1 [0295.569] ReadFile (in: hFile=0x468, lpBuffer=0x129a8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129a8000*, lpNumberOfBytesRead=0x12a2fd1c*=0x15800, lpOverlapped=0x0) returned 1 [0295.572] GetFileType (hFile=0x468) returned 0x1 [0295.572] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0295.572] WriteFile (in: hFile=0x468, lpBuffer=0x129e8000*, nNumberOfBytesToWrite=0x15800, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x129e8000*, lpNumberOfBytesWritten=0x12a2fd00*=0x15800, lpOverlapped=0x12a2fd0c) returned 1 [0295.592] GetFileType (hFile=0x468) returned 0x1 [0295.592] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x15800, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0295.592] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0295.592] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0295.592] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0295.593] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b101d8 | out: pbBuffer=0x12b101d8) returned 1 [0295.593] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\3v_K3nV_SJQYX.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\3v_k3nv_sjqyx.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.593] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0295.593] WriteFile (in: hFile=0x470, lpBuffer=0x12a6a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6a500*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.610] CloseHandle (hObject=0x470) returned 1 [0295.630] CloseHandle (hObject=0x468) returned 1 [0295.643] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b101f0 | out: pbBuffer=0x12b101f0) returned 1 [0295.643] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\3v_K3nV_SJQYX.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\3v_k3nv_sjqyx.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\#_THIS_FILE_IS_ENCRYPTED_[DDA98899DC37DB64]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\#_this_file_is_encrypted_[dda98899dc37db64]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.749] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.762] SetEvent (hEvent=0xfc) returned 1 [0295.762] SwitchToThread () returned 1 [0295.778] SetEvent (hEvent=0xfc) returned 1 [0295.778] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0295.788] SetEvent (hEvent=0xfc) returned 1 [0295.788] SetEvent (hEvent=0x454) returned 1 [0295.788] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.789] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0295.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4347fe61, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8)) returned 1 [0295.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0295.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0295.790] ReadFile (in: hFile=0x470, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a2fd1c*=0x1f8, lpOverlapped=0x0) returned 1 [0295.791] GetFileType (hFile=0x470) returned 0x1 [0295.791] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0295.792] WriteFile (in: hFile=0x470, lpBuffer=0x12a48400*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12a48400*, lpNumberOfBytesWritten=0x12a2fd00*=0x1f8, lpOverlapped=0x12a2fd0c) returned 1 [0295.792] GetFileType (hFile=0x470) returned 0x1 [0295.792] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x1f8, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0295.792] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0295.792] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0295.793] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0295.793] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914220 | out: pbBuffer=0x12914220) returned 1 [0295.793] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.793] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0295.793] WriteFile (in: hFile=0x474, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.805] CloseHandle (hObject=0x474) returned 1 [0295.805] CloseHandle (hObject=0x470) returned 1 [0295.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914278 | out: pbBuffer=0x12914278) returned 1 [0295.805] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\#_THIS_FILE_IS_ENCRYPTED_[7469AA3354ACF7F4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\#_this_file_is_encrypted_[7469aa3354acf7f4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.807] SetEvent (hEvent=0x454) returned 1 [0295.807] CreateFileW (lpFileName="C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.808] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0295.808] GetFileAttributesExW (in: lpFileName="C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3757c8c, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae)) returned 1 [0295.808] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0295.808] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914350 | out: pbBuffer=0x12914350) returned 1 [0295.809] ReadFile (in: hFile=0x470, lpBuffer=0x12dd8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12dd8000*, lpNumberOfBytesRead=0x12a2fd1c*=0xae, lpOverlapped=0x0) returned 1 [0295.810] GetFileType (hFile=0x470) returned 0x1 [0295.810] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0295.811] WriteFile (in: hFile=0x470, lpBuffer=0x1291d080*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x1291d080*, lpNumberOfBytesWritten=0x12a2fd00*=0xae, lpOverlapped=0x12a2fd0c) returned 1 [0295.811] GetFileType (hFile=0x470) returned 0x1 [0295.811] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xae, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0295.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0295.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0295.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0295.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914478 | out: pbBuffer=0x12914478) returned 1 [0295.812] CreateFileW (lpFileName="C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.812] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0295.812] WriteFile (in: hFile=0x474, lpBuffer=0x12dd1400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1400*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.826] CloseHandle (hObject=0x474) returned 1 [0295.826] CloseHandle (hObject=0x470) returned 1 [0295.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129144b0 | out: pbBuffer=0x129144b0) returned 1 [0295.827] MoveFileExW (lpExistingFileName="C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), lpNewFileName="C:\\Users\\#_THIS_FILE_IS_ENCRYPTED_[3A136CBCB741ABD6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\#_this_file_is_encrypted_[3a136cbcb741abd6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.861] SetEvent (hEvent=0x420) returned 1 [0295.875] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0305.957] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x7b8 Thread: id = 3 os_tid = 0x8e8 [0100.413] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0xe1ff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xe1ff30*=0xf0) returned 1 [0100.413] VirtualQuery (in: lpAddress=0xe1ff40, lpBuffer=0xe1ff40, dwLength=0x1c | out: lpBuffer=0xe1ff40*(BaseAddress=0xe1f000, AllocationBase=0xd20000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.427] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0100.466] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0100.516] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0100.561] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0100.627] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0100.659] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0100.664] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0100.681] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0101.989] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0102.044] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0102.105] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0103.045] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0103.140] SetEvent (hEvent=0xfc) returned 1 [0103.140] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0103.667] timeEndPeriod (uPeriod=0x1) returned 0x0 [0103.667] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x110 [0103.667] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0103.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0103.878] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.168] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.208] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.213] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.308] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.411] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.434] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.480] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.535] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.732] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.813] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.817] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.835] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.873] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.911] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0106.951] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.091] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.099] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.146] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.192] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.217] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.264] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.316] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.370] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.374] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.378] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.569] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.624] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.717] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.795] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.876] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.939] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0107.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.048] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.061] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.071] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.110] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.238] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.292] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.308] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.368] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.470] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.478] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.494] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.553] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.713] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.754] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.796] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.805] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.860] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0108.923] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.023] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.071] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.125] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.183] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.273] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.350] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.420] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.460] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.501] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.549] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.601] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.645] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.699] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.781] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.823] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.866] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.910] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0109.956] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0110.006] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0110.075] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0110.116] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0110.169] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0110.247] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0110.297] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0110.442] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0111.127] SetEvent (hEvent=0x10c) returned 1 [0111.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0111.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0111.413] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0111.649] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0111.679] timeEndPeriod (uPeriod=0x1) returned 0x0 [0111.680] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0113.056] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0113.057] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0113.104] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0113.198] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0113.242] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0113.282] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0113.333] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0113.334] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0113.363] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0113.616] timeEndPeriod (uPeriod=0x1) returned 0x0 [0113.616] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0113.805] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0113.806] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0113.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0113.861] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0113.861] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0113.965] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.063] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.117] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.181] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.217] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.252] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.289] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.336] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.445] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.492] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.580] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.620] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.661] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0114.868] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.526] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.583] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.666] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.732] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.786] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.878] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.960] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0115.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.078] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.189] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.232] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.266] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.340] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.414] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.448] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.487] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.524] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.560] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.757] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.800] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0116.863] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0117.026] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0117.104] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0117.153] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0117.192] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0117.231] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0118.655] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0118.880] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0118.923] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0118.967] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0119.007] timeEndPeriod (uPeriod=0x1) returned 0x0 [0119.007] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0120.482] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0120.492] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0120.593] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0120.635] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0120.687] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0120.719] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0120.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0120.855] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0120.894] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0120.942] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0120.990] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.034] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.077] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.121] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.270] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.366] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.412] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.456] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.510] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.564] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.609] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.653] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.693] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.750] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.858] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.903] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0121.961] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.012] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.062] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.102] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.182] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.229] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.277] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.364] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.416] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.457] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.565] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.617] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.664] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.702] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.751] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.835] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.882] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.924] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0122.969] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.031] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.075] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.118] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.170] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.248] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.291] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.536] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.657] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.749] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.841] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.895] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.956] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.993] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0123.999] timeEndPeriod (uPeriod=0x1) returned 0x0 [0124.000] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0124.085] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0124.086] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.124] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.164] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.208] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.252] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.294] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.309] timeEndPeriod (uPeriod=0x1) returned 0x0 [0124.310] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0124.429] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0124.429] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.477] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.547] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.614] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.724] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.857] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0124.957] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.009] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.048] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.089] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.171] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.223] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.274] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.326] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.410] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.416] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.456] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.502] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.541] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.616] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.834] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.925] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0125.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0126.083] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0126.148] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0126.261] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0126.423] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0126.555] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0126.713] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0126.863] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0127.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0127.146] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0127.293] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0127.457] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0127.579] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0127.696] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0127.766] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0127.885] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0127.987] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0128.107] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0128.368] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0128.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0128.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0128.803] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0128.977] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0129.126] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0129.219] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0129.301] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0129.494] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0129.577] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0129.674] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0129.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0129.788] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0129.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.019] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.171] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.225] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.350] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.428] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.603] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.728] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.937] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.946] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.953] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.961] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0130.975] timeEndPeriod (uPeriod=0x1) returned 0x0 [0130.976] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0130.979] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0130.979] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.024] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.069] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.117] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.176] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.586] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.602] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.612] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.642] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.704] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.715] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.720] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.878] SetEvent (hEvent=0x10c) returned 1 [0131.878] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.938] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0131.994] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.009] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.022] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.064] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.101] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.133] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.211] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.287] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.325] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0132.366] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0133.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0134.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0137.758] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0138.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0138.970] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0143.237] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0146.148] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0146.721] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0147.349] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0148.347] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0148.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0148.505] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0148.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0149.001] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0149.101] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0150.381] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0150.484] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0150.608] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0150.684] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0150.897] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0151.346] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0151.721] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0152.267] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0152.648] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0154.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0154.485] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0155.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0155.824] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0156.103] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0156.571] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0156.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0157.181] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0157.367] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0157.538] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0157.727] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0157.804] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0157.920] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.007] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.132] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.215] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.261] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.422] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.535] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.603] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.725] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.838] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.882] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0158.955] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.055] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.271] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.365] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.437] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.498] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.603] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.686] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.750] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.805] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.849] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.900] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0159.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0160.062] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0160.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0160.189] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0160.697] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0160.870] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0161.052] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0161.242] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0161.404] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0161.575] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0161.797] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0161.989] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0162.206] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0162.383] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0162.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0162.704] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0162.965] SetEvent (hEvent=0x3f8) returned 1 [0162.965] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0163.121] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0163.181] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0163.299] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0163.449] SetEvent (hEvent=0x10c) returned 1 [0163.450] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0163.602] timeEndPeriod (uPeriod=0x1) returned 0x0 [0163.602] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0163.844] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0163.844] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.080] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.223] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.309] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.345] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.364] SetEvent (hEvent=0x10c) returned 1 [0164.364] SetEvent (hEvent=0x40c) returned 1 [0164.364] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.426] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12826e00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x408 [0164.428] CloseHandle (hObject=0x408) returned 1 [0164.428] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.622] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.729] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.852] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0164.957] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0165.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0165.531] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0165.679] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0165.802] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0165.915] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0165.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.044] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.125] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.131] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.202] SetEvent (hEvent=0x420) returned 1 [0166.203] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.253] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.304] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.345] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.406] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.498] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.576] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.715] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0166.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.023] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.040] timeEndPeriod (uPeriod=0x1) returned 0x0 [0167.040] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0167.098] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0167.098] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.164] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.286] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.405] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.491] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.520] SetEvent (hEvent=0x420) returned 1 [0167.520] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.528] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.601] SetEvent (hEvent=0x420) returned 1 [0167.602] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.616] SetEvent (hEvent=0x1d0) returned 1 [0167.616] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.628] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.634] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.637] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.641] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.643] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.645] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.647] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.650] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.652] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.657] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.660] timeEndPeriod (uPeriod=0x1) returned 0x0 [0167.660] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0167.674] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0167.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.681] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.685] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.686] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.690] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.693] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.748] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.751] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.756] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.758] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.761] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.766] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.771] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.782] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.786] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.791] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.795] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.798] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.803] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.816] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.820] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.824] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.827] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.829] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.831] timeEndPeriod (uPeriod=0x1) returned 0x0 [0167.831] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0167.832] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0167.832] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.838] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.865] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.876] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.927] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.953] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0167.956] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.012] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.016] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.021] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.036] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.052] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.092] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.096] timeEndPeriod (uPeriod=0x1) returned 0x0 [0168.096] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0168.172] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0168.172] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.177] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.182] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.188] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.213] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.216] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.221] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.223] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.228] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.235] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.237] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.245] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.247] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.248] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.251] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.256] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.263] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.265] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.298] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.301] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.307] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.309] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.313] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.316] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.321] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.343] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.348] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.351] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.359] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.492] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.525] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.548] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.552] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.559] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.573] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.575] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.582] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.591] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.598] timeEndPeriod (uPeriod=0x1) returned 0x0 [0168.598] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0168.604] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0168.604] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.611] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.614] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.618] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.621] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.624] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.639] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.642] timeEndPeriod (uPeriod=0x1) returned 0x0 [0168.642] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0168.649] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0168.649] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.669] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.807] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.816] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.824] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.836] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.838] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.841] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.846] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.855] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.857] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.870] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.934] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.942] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.951] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.955] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.958] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.964] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.967] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.969] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.972] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.984] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0168.988] timeEndPeriod (uPeriod=0x1) returned 0x0 [0168.988] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0169.000] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0169.000] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.006] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.008] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.016] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.021] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.095] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.099] timeEndPeriod (uPeriod=0x1) returned 0x0 [0169.099] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0169.102] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0169.102] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.122] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.156] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.175] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.181] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.186] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.189] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.213] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.223] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.225] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.231] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.245] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.251] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.254] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.261] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.263] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.265] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.269] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.274] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.282] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.285] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.286] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.317] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.324] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.338] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.343] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.346] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.348] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.354] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.359] timeEndPeriod (uPeriod=0x1) returned 0x0 [0169.359] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0169.368] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0169.369] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.376] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.397] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.469] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.478] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.487] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.490] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.500] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.503] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.506] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.512] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.520] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.538] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.541] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.546] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.554] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.571] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.575] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.581] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.585] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.588] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.591] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.598] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.605] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.608] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.676] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.680] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.688] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.697] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.704] timeEndPeriod (uPeriod=0x1) returned 0x0 [0169.704] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0169.709] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0169.709] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.714] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.727] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.737] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.763] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.766] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.824] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.828] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.833] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.849] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.853] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.858] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.860] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.865] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.878] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0169.882] timeEndPeriod (uPeriod=0x1) returned 0x0 [0169.882] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0170.071] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0170.071] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.153] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.175] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.179] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.183] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.196] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.230] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.233] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.235] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.239] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.244] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.256] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.271] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.294] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.314] timeEndPeriod (uPeriod=0x1) returned 0x0 [0170.314] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0170.379] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0170.379] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.384] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.387] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.395] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.408] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.418] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.421] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.423] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.429] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.439] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.492] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.511] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.542] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.555] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.572] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.576] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.590] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.602] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.626] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.652] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.655] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.715] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.722] timeEndPeriod (uPeriod=0x1) returned 0x0 [0170.722] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0170.725] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0170.725] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.889] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0170.973] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.041] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.087] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.253] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.334] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.376] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.416] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.470] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.508] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.546] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.601] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.650] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.675] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.680] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.686] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.689] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.697] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.716] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.747] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0171.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.036] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.042] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.078] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.082] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.088] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.091] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.120] timeEndPeriod (uPeriod=0x1) returned 0x0 [0172.162] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0172.330] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0172.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.376] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.391] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.394] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.491] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.500] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.506] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.514] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.523] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.536] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.544] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.710] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.757] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.798] timeEndPeriod (uPeriod=0x1) returned 0x0 [0172.798] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0172.870] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0172.870] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.927] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0172.978] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.068] timeEndPeriod (uPeriod=0x1) returned 0x0 [0173.068] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0173.083] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0173.083] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.139] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.251] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.300] SetEvent (hEvent=0x3f8) returned 1 [0173.300] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.342] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.397] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.444] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.651] SetEvent (hEvent=0x40c) returned 1 [0173.651] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.769] SetEvent (hEvent=0x40c) returned 1 [0173.769] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0173.856] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.120] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.202] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.221] SetEvent (hEvent=0x1d0) returned 1 [0174.221] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.233] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.254] timeEndPeriod (uPeriod=0x1) returned 0x0 [0174.254] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0174.349] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0174.349] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.357] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.374] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.381] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.384] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.391] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.403] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.409] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.413] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.420] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.449] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.492] timeEndPeriod (uPeriod=0x1) returned 0x0 [0174.492] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0174.518] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0174.518] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.532] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.539] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.543] timeEndPeriod (uPeriod=0x1) returned 0x0 [0174.543] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0174.548] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0174.549] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.573] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.594] SetEvent (hEvent=0x1d0) returned 1 [0174.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.604] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.608] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.611] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.616] timeEndPeriod (uPeriod=0x1) returned 0x0 [0174.616] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0174.623] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0174.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.635] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.643] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.655] SetEvent (hEvent=0x19c) returned 1 [0174.655] SetEvent (hEvent=0x420) returned 1 [0174.655] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.659] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.677] timeEndPeriod (uPeriod=0x1) returned 0x0 [0174.677] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0174.708] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0174.708] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.724] SetEvent (hEvent=0x420) returned 1 [0174.724] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.727] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.730] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.858] timeEndPeriod (uPeriod=0x1) returned 0x0 [0174.859] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0174.863] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0174.863] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.869] SetEvent (hEvent=0x420) returned 1 [0174.869] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.965] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0174.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.025] SetEvent (hEvent=0xfc) returned 1 [0175.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.034] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.037] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.039] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.041] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.046] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.061] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0175.092] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.093] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.097] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.099] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.100] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.118] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.131] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.141] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.146] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.149] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.157] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.170] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.203] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.232] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.243] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.256] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.261] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.263] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.271] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.283] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.293] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.329] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0175.344] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.432] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0175.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.494] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.548] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.598] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.652] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.701] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.771] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.817] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.871] SetEvent (hEvent=0x19c) returned 1 [0175.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0175.925] SetEvent (hEvent=0x40c) returned 1 [0175.925] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.025] SetEvent (hEvent=0x420) returned 1 [0176.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.110] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.156] SetEvent (hEvent=0xf4) returned 1 [0176.156] SetEvent (hEvent=0x10c) returned 1 [0176.156] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.227] SetEvent (hEvent=0x10c) returned 1 [0176.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.279] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.332] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.382] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.435] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.500] SetEvent (hEvent=0x1d0) returned 1 [0176.500] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.557] timeEndPeriod (uPeriod=0x1) returned 0x0 [0176.557] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0176.570] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0176.570] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.574] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.608] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.662] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0176.725] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0177.072] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0177.226] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0177.387] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0177.587] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0177.736] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0177.865] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0177.924] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0178.019] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0178.096] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0178.182] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0178.419] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0178.657] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0178.834] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0179.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0179.356] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0179.597] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0179.800] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0179.991] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.175] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.187] SetEvent (hEvent=0x3cc) returned 1 [0180.187] SetEvent (hEvent=0x420) returned 1 [0180.187] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.192] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.196] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.201] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.212] timeEndPeriod (uPeriod=0x1) returned 0x0 [0180.212] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0180.470] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0180.482] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.489] SetEvent (hEvent=0x420) returned 1 [0180.489] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.493] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.495] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.501] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.505] timeEndPeriod (uPeriod=0x1) returned 0x0 [0180.505] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0180.545] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0180.545] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.575] timeEndPeriod (uPeriod=0x1) returned 0x0 [0180.575] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0180.594] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0180.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.608] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.611] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.626] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.631] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.641] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.690] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.706] timeEndPeriod (uPeriod=0x1) returned 0x0 [0180.706] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0180.914] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0180.914] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.955] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0180.988] SetEvent (hEvent=0x420) returned 1 [0180.988] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.014] SetEvent (hEvent=0x3f4) returned 1 [0181.014] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.044] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.117] SetEvent (hEvent=0x19c) returned 1 [0181.118] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.127] SetEvent (hEvent=0x19c) returned 1 [0181.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.137] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.146] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.153] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.158] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.174] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.183] timeEndPeriod (uPeriod=0x1) returned 0x0 [0181.183] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0181.190] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0181.190] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.201] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.272] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.305] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.322] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.358] SetEvent (hEvent=0x3f8) returned 1 [0181.358] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.384] SetEvent (hEvent=0x3f4) returned 1 [0181.384] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.391] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.398] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.402] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.405] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.410] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.413] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.417] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.422] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.426] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.430] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.436] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.446] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.499] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.514] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.547] timeEndPeriod (uPeriod=0x1) returned 0x0 [0181.547] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0181.716] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0181.717] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.728] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.747] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.765] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.797] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.799] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.801] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.807] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.810] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.972] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0181.985] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.009] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.059] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.081] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.131] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.158] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.220] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.251] SetEvent (hEvent=0xf4) returned 1 [0182.251] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.257] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.262] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.265] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.267] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.270] timeEndPeriod (uPeriod=0x1) returned 0x0 [0182.270] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0182.327] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0182.327] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.341] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.353] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.356] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.366] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.381] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.386] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.405] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.410] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.415] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.417] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.419] timeEndPeriod (uPeriod=0x1) returned 0x0 [0182.419] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0182.603] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0182.603] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.678] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.731] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.764] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.767] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.784] timeEndPeriod (uPeriod=0x1) returned 0x0 [0182.784] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0182.790] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0182.790] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.801] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.810] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.823] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.831] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.841] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.853] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.860] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.884] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.891] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.899] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.903] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.969] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0182.996] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.032] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.054] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.160] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.487] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.584] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.705] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.886] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.900] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.939] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0183.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.008] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.016] timeEndPeriod (uPeriod=0x1) returned 0x0 [0184.016] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0184.024] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0184.024] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.032] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.042] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.053] timeEndPeriod (uPeriod=0x1) returned 0x0 [0184.053] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0184.058] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0184.058] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.073] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.087] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.094] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.113] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.138] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.184] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.701] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0184.855] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0185.060] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0185.215] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0185.387] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0185.555] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0185.691] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0185.739] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0185.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0185.940] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.083] SetEvent (hEvent=0x3f4) returned 1 [0186.083] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.221] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.415] timeEndPeriod (uPeriod=0x1) returned 0x0 [0186.415] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0186.464] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0186.464] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.558] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.756] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.797] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.809] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.825] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.850] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.854] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.858] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0186.932] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.014] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.033] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.046] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.178] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.254] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.296] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.346] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.395] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.461] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.581] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.690] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.705] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.726] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.765] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.785] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.806] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.824] timeEndPeriod (uPeriod=0x1) returned 0x0 [0187.824] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0187.835] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0187.835] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.843] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.857] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.898] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.918] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.944] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0187.995] timeEndPeriod (uPeriod=0x1) returned 0x0 [0187.996] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0188.078] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0188.078] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.144] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.153] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.169] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.182] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.194] SetEvent (hEvent=0xfc) returned 1 [0188.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.199] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.203] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.207] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.213] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.216] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.219] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.228] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.240] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.381] timeEndPeriod (uPeriod=0x1) returned 0x0 [0188.381] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0188.407] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0188.407] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.411] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.414] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.417] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.430] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.431] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.436] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.439] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.448] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.455] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.461] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.470] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.520] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.544] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.547] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.553] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.557] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.559] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.563] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.567] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.574] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.630] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.662] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.685] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.695] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.751] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.756] timeEndPeriod (uPeriod=0x1) returned 0x0 [0188.756] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0188.764] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0188.764] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.776] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.784] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.793] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.800] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.804] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.818] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.842] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.847] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.856] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.858] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.878] timeEndPeriod (uPeriod=0x1) returned 0x0 [0188.878] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0188.884] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0188.884] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.895] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.914] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.917] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.930] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.937] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.952] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.959] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.966] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0188.984] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.068] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.087] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.120] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.131] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.140] timeEndPeriod (uPeriod=0x1) returned 0x0 [0189.140] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0189.146] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0189.146] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.158] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.164] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.173] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.246] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.252] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.256] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.260] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.263] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.267] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.295] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.298] timeEndPeriod (uPeriod=0x1) returned 0x0 [0189.298] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0189.301] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0189.302] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.305] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.310] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.322] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.327] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.334] timeEndPeriod (uPeriod=0x1) returned 0x0 [0189.334] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0189.354] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0189.354] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.379] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.415] timeEndPeriod (uPeriod=0x1) returned 0x0 [0189.416] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0189.521] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0189.521] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.531] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.536] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.549] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.561] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.582] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.631] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.668] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.722] timeEndPeriod (uPeriod=0x1) returned 0x0 [0189.722] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0189.789] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0189.789] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.828] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0189.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.091] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.136] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.199] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.206] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.265] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.317] SetEvent (hEvent=0x3f8) returned 1 [0190.317] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.374] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.392] timeEndPeriod (uPeriod=0x1) returned 0x0 [0190.392] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0190.414] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0190.414] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.454] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.504] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.517] timeEndPeriod (uPeriod=0x1) returned 0x0 [0190.518] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0190.520] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0190.520] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.563] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.607] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.746] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0190.891] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0191.327] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0191.470] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0191.605] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0191.859] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0192.213] SetEvent (hEvent=0x3f8) returned 1 [0192.421] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0192.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0193.107] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0193.447] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0193.615] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0193.734] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0193.819] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0193.999] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0193.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0194.308] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0194.390] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0194.473] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0194.577] timeEndPeriod (uPeriod=0x1) returned 0x0 [0194.618] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0194.618] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0194.662] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0194.814] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0194.897] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0195.074] timeEndPeriod (uPeriod=0x1) returned 0x0 [0195.074] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0195.138] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0195.138] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0195.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0195.343] SetEvent (hEvent=0x40c) returned 1 [0195.343] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0195.460] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0195.557] SetEvent (hEvent=0x3f8) returned 1 [0195.557] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0195.680] SetEvent (hEvent=0xfc) returned 1 [0195.680] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0195.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0195.975] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.168] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.280] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.384] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.445] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.569] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.634] SetEvent (hEvent=0xfc) returned 1 [0196.634] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.639] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.669] timeEndPeriod (uPeriod=0x1) returned 0x0 [0196.669] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0196.684] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0196.686] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.724] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.730] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.765] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.773] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.776] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.778] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.783] SetEvent (hEvent=0xfc) returned 1 [0196.783] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.791] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.865] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.878] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.885] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.894] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.900] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.901] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.929] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.933] timeEndPeriod (uPeriod=0x1) returned 0x0 [0196.933] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0196.957] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0196.957] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.962] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.969] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.974] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.977] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.983] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.995] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0196.998] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.001] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.035] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.039] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.042] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.047] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.051] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.057] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.061] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.068] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.135] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.141] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.147] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.153] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.159] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.178] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.190] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.196] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.199] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.211] timeEndPeriod (uPeriod=0x1) returned 0x0 [0197.211] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0197.304] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0197.304] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.312] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.316] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.324] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.331] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.335] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.340] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.345] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.349] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.352] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.354] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.358] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.368] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.371] timeEndPeriod (uPeriod=0x1) returned 0x0 [0197.371] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0197.373] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0197.373] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.380] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.384] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.388] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.391] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.394] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.400] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.461] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.469] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.477] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.482] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.486] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.491] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.493] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.495] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.511] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.519] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.523] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.525] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.532] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.587] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.609] timeEndPeriod (uPeriod=0x1) returned 0x0 [0197.609] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0197.614] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0197.614] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.632] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.635] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.637] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.640] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.643] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.651] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.670] timeEndPeriod (uPeriod=0x1) returned 0x0 [0197.670] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0197.672] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0197.672] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.675] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.678] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.705] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.746] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.751] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.755] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.765] timeEndPeriod (uPeriod=0x1) returned 0x0 [0197.765] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0197.769] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0197.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.776] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.781] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.784] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.908] timeEndPeriod (uPeriod=0x1) returned 0x0 [0197.908] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0197.912] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0197.912] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.916] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.933] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.937] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.942] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.946] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.959] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0197.964] timeEndPeriod (uPeriod=0x1) returned 0x0 [0197.964] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0197.968] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0197.968] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.021] timeEndPeriod (uPeriod=0x1) returned 0x0 [0198.021] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0198.038] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0198.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.044] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.048] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.051] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.057] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.062] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.069] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.075] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.077] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.082] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.087] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.093] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.095] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.101] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.106] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.113] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.117] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.122] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.136] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.140] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.141] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.197] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.202] timeEndPeriod (uPeriod=0x1) returned 0x0 [0198.202] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0198.204] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0198.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.223] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.230] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.234] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.237] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.239] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.245] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.251] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.260] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.266] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.272] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.276] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.280] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.305] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.308] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.316] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.322] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.324] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.326] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.334] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.338] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.346] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.351] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.358] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.401] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.410] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.412] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.416] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.430] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.432] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.440] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.453] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.456] timeEndPeriod (uPeriod=0x1) returned 0x0 [0198.456] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0198.555] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0198.556] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.559] timeEndPeriod (uPeriod=0x1) returned 0x0 [0198.559] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0198.578] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0198.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.583] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.586] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.591] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.599] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.611] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.617] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.621] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.628] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.711] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.753] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.768] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.772] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.775] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.783] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.798] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.804] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.809] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.812] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.816] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.820] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.823] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.833] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.837] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.841] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.844] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.849] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.910] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.917] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.923] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.926] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.931] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.933] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.937] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.939] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.944] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.948] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.951] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.955] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.959] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.963] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.965] timeEndPeriod (uPeriod=0x1) returned 0x0 [0198.965] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0198.967] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0198.967] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.972] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.977] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.980] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0198.982] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.022] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.026] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.026] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0199.028] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.028] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.040] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.045] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.047] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.050] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.058] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.108] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.108] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0199.135] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.135] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.142] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.149] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.152] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.157] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.159] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.162] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.172] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.173] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.177] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.178] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.181] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.184] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.188] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.249] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.252] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.254] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.256] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.259] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.259] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0199.263] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.263] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.270] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.276] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.278] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.299] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.305] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.308] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.314] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.322] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.323] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.327] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.329] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.333] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.338] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.343] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.346] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.350] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.353] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.356] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.356] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0199.360] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.360] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.364] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.458] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.480] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.485] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.487] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.493] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.510] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.510] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0199.514] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.514] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.555] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.567] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.569] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.581] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.664] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.664] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0199.668] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.669] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.688] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.691] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.694] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.702] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.705] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.705] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0199.749] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.749] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.751] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.751] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0199.761] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.761] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.778] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.782] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.787] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.796] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.800] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.803] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.807] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.809] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.813] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.819] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.822] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.822] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0199.825] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.825] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.829] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.833] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.840] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.842] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.900] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.907] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.910] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.914] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.920] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.922] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.925] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.929] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.935] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.940] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.984] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.988] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.993] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0199.997] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.000] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.006] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.009] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.014] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.019] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.021] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.023] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.024] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.033] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.036] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.044] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.051] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.058] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.060] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.065] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.068] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.069] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.070] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.071] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.075] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.083] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.088] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.237] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.249] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.249] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.256] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.257] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.264] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.270] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.272] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.278] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.312] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.315] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.315] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.319] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.324] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.324] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.330] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.333] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.337] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.341] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.382] SwitchToThread () returned 1 [0200.388] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.390] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.393] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.395] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.398] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.411] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.417] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.418] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.422] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.430] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.436] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.439] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.439] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.446] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.446] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.453] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.455] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.477] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.480] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.480] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.555] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.555] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.565] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.567] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.569] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.571] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.573] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.577] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.643] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.643] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.705] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.705] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.718] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.718] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.728] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.728] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.744] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.774] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.782] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.782] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.783] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.784] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.807] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.831] SetEvent (hEvent=0x3f4) returned 1 [0200.831] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.861] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.873] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.873] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0200.877] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.877] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.892] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.897] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.908] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.929] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.958] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.979] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0200.991] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.020] SetEvent (hEvent=0x40c) returned 1 [0201.020] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.035] SetEvent (hEvent=0x40c) returned 1 [0201.035] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.058] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.059] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0201.065] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.065] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.073] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.075] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.084] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.088] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.097] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.130] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.131] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0201.166] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.167] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.189] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.193] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.195] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.205] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.206] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0201.226] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.229] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.230] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0201.244] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.244] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.251] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.260] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.270] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.279] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.297] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.299] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.299] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0201.374] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.374] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.379] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.382] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.386] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.390] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.390] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0201.396] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.410] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.417] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.420] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.420] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0201.424] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.430] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.436] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.440] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.443] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.443] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0201.556] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.556] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.571] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.586] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.589] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.593] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.598] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.601] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.609] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.612] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.616] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.619] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.629] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.632] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.636] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.642] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.646] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.650] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.655] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.662] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.662] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0201.723] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.723] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.727] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.730] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.735] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.736] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.739] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.745] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.757] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0201.902] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.902] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.911] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0202.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0202.176] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0202.333] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0202.458] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0202.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0202.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0202.961] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.048] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.095] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.177] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.228] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.453] timeEndPeriod (uPeriod=0x1) returned 0x0 [0203.453] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0203.482] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0203.483] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.591] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.805] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.883] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0203.917] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.055] SetEvent (hEvent=0xfc) returned 1 [0204.055] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.131] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.156] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.173] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.185] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.239] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.281] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.329] timeEndPeriod (uPeriod=0x1) returned 0x0 [0204.329] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0204.342] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0204.342] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.349] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.354] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.357] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.360] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.366] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.370] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.379] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.385] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.391] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.394] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.400] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.404] timeEndPeriod (uPeriod=0x1) returned 0x0 [0204.404] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0204.411] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0204.411] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.414] timeEndPeriod (uPeriod=0x1) returned 0x0 [0204.414] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0204.452] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0204.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.476] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.483] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.486] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.488] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.492] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.498] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.519] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.612] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.634] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.653] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.675] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.688] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.700] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.709] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.724] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.736] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.738] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.744] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.758] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.767] timeEndPeriod (uPeriod=0x1) returned 0x0 [0204.767] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0204.773] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0204.773] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.784] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.795] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.798] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.801] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.822] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.840] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.866] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.874] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.981] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.994] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0204.997] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.030] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.051] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.071] timeEndPeriod (uPeriod=0x1) returned 0x0 [0205.085] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0205.140] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0205.141] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.158] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.162] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.187] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.234] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.246] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.260] timeEndPeriod (uPeriod=0x1) returned 0x0 [0205.260] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0205.375] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0205.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.398] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.401] timeEndPeriod (uPeriod=0x1) returned 0x0 [0205.401] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0205.432] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0205.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.439] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.461] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.489] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.502] SetEvent (hEvent=0xfc) returned 1 [0205.502] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.522] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.525] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.543] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.607] timeEndPeriod (uPeriod=0x1) returned 0x0 [0205.608] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0205.623] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0205.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.628] timeEndPeriod (uPeriod=0x1) returned 0x0 [0205.629] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0205.637] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0205.637] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.679] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.695] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.724] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.729] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.733] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.742] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.758] SetEvent (hEvent=0xfc) returned 1 [0205.758] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.768] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.774] SetEvent (hEvent=0x10c) returned 1 [0205.775] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.783] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.784] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.794] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.797] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.800] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.802] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.804] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.808] timeEndPeriod (uPeriod=0x1) returned 0x0 [0205.808] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0205.826] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0205.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.831] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.834] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.836] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.840] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.843] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.851] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.890] timeEndPeriod (uPeriod=0x1) returned 0x0 [0205.891] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0205.906] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0205.906] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.909] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.916] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.920] timeEndPeriod (uPeriod=0x1) returned 0x0 [0205.921] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0205.931] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0205.931] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.942] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.950] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.955] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.965] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.970] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.972] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.975] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.979] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0205.981] timeEndPeriod (uPeriod=0x1) returned 0x0 [0205.981] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0206.094] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0206.094] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.098] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.101] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.104] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.192] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.216] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.226] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.235] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.242] timeEndPeriod (uPeriod=0x1) returned 0x0 [0206.242] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0206.248] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0206.248] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.266] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.281] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.285] timeEndPeriod (uPeriod=0x1) returned 0x0 [0206.286] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0206.287] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0206.287] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.332] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.348] SetEvent (hEvent=0x3f4) returned 1 [0206.348] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.354] SetEvent (hEvent=0x3f4) returned 1 [0206.354] SetEvent (hEvent=0x19c) returned 1 [0206.354] SetEvent (hEvent=0x40c) returned 1 [0206.354] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.358] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.361] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.368] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.374] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.376] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.382] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.385] timeEndPeriod (uPeriod=0x1) returned 0x0 [0206.385] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0206.395] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0206.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.405] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.413] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.477] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.481] timeEndPeriod (uPeriod=0x1) returned 0x0 [0206.481] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0206.497] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0206.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.515] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.521] timeEndPeriod (uPeriod=0x1) returned 0x0 [0206.521] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0206.530] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0206.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.534] timeEndPeriod (uPeriod=0x1) returned 0x0 [0206.534] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0206.536] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0206.537] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.546] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.558] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.560] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.564] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.570] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.583] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.596] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0206.602] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.606] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.632] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.641] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.703] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.763] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.819] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.879] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0206.994] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.035] timeEndPeriod (uPeriod=0x1) returned 0x0 [0207.035] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0207.056] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0207.056] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.098] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.145] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.194] timeEndPeriod (uPeriod=0x1) returned 0x0 [0207.194] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0207.264] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0207.264] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.398] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.450] SetEvent (hEvent=0xfc) returned 1 [0207.450] SetEvent (hEvent=0x420) returned 1 [0207.450] SetEvent (hEvent=0x1d0) returned 1 [0207.450] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.500] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.557] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.607] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.652] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.695] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.739] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.784] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.827] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.874] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0207.974] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.032] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.125] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.149] timeEndPeriod (uPeriod=0x1) returned 0x0 [0208.149] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0208.452] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0208.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.583] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.627] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.691] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.693] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.722] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.729] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.741] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.751] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.760] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.767] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.774] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.886] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.892] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.896] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.902] timeEndPeriod (uPeriod=0x1) returned 0x0 [0208.903] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0208.922] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0208.923] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.931] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.950] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.958] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.962] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.969] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.972] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.975] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.978] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0208.982] timeEndPeriod (uPeriod=0x1) returned 0x0 [0208.982] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0209.009] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0209.010] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.013] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.019] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.024] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.075] timeEndPeriod (uPeriod=0x1) returned 0x0 [0209.075] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0209.149] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0209.149] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.814] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.849] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.865] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.933] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.938] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.950] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.963] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.970] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0209.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.006] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.013] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.015] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.027] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.032] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.036] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.045] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.106] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.112] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.118] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.121] timeEndPeriod (uPeriod=0x1) returned 0x0 [0210.121] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0210.162] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0210.162] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.220] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.229] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.233] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.242] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.249] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.254] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.264] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.269] timeEndPeriod (uPeriod=0x1) returned 0x0 [0210.269] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0210.275] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0210.275] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.288] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.307] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.315] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.324] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.327] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.329] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.332] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.334] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.338] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.342] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.352] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.410] timeEndPeriod (uPeriod=0x1) returned 0x0 [0210.410] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0210.420] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0210.420] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.426] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.435] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.439] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.484] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.490] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.506] timeEndPeriod (uPeriod=0x1) returned 0x0 [0210.506] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0210.508] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0210.508] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.524] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.726] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.883] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0210.937] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.061] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.240] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.403] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.469] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.572] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.598] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.760] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.828] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0211.920] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.011] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.120] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.369] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.712] SetEvent (hEvent=0xfc) returned 1 [0212.712] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.832] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.942] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.966] SetEvent (hEvent=0x10c) returned 1 [0212.966] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.970] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.974] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.978] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.984] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.986] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.991] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0212.995] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.010] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.114] timeEndPeriod (uPeriod=0x1) returned 0x0 [0213.114] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0213.121] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0213.121] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.214] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.380] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.397] timeEndPeriod (uPeriod=0x1) returned 0x0 [0213.397] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0213.407] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0213.408] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.418] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.427] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.439] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.450] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.459] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.462] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.480] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.487] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.491] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.494] timeEndPeriod (uPeriod=0x1) returned 0x0 [0213.494] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0213.571] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0213.571] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.592] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.599] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.602] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.606] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.610] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.613] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.619] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.623] timeEndPeriod (uPeriod=0x1) returned 0x0 [0213.623] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0213.630] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0213.630] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.692] timeEndPeriod (uPeriod=0x1) returned 0x0 [0213.692] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0213.698] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0213.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.723] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.731] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.802] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.813] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.827] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.832] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.838] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.840] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.842] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.844] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.849] timeEndPeriod (uPeriod=0x1) returned 0x0 [0213.849] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0213.883] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0213.883] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.916] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.925] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.926] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.934] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.939] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.945] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.948] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.950] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.982] timeEndPeriod (uPeriod=0x1) returned 0x0 [0213.982] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0213.992] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0213.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0213.999] timeEndPeriod (uPeriod=0x1) returned 0x0 [0213.999] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0214.019] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0214.020] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.037] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.102] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.113] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.121] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.124] timeEndPeriod (uPeriod=0x1) returned 0x0 [0214.125] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0214.132] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0214.132] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.147] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.162] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.170] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.176] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.187] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.189] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.195] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.213] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.221] timeEndPeriod (uPeriod=0x1) returned 0x0 [0214.221] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0214.358] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0214.358] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.400] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.407] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.410] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.415] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.420] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.513] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.517] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.522] timeEndPeriod (uPeriod=0x1) returned 0x0 [0214.522] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0214.543] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0214.543] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.627] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.641] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.672] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.681] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.715] SetEvent (hEvent=0xf4) returned 1 [0214.715] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.760] SetEvent (hEvent=0xf4) returned 1 [0214.765] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.798] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.801] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.811] SetEvent (hEvent=0x420) returned 1 [0214.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.820] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.829] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.840] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.852] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.877] SetEvent (hEvent=0x3f4) returned 1 [0214.877] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.898] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.907] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.912] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.924] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0214.928] timeEndPeriod (uPeriod=0x1) returned 0x0 [0214.928] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0215.194] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0215.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.196] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.197] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.198] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.199] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.420] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.442] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.483] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.495] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.499] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.503] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.506] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.510] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.513] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.542] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.552] SetEvent (hEvent=0x1b8) returned 1 [0215.552] SetEvent (hEvent=0x1d0) returned 1 [0215.553] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.559] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.574] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.577] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.730] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0215.831] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0216.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0216.163] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0216.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0216.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0216.679] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0216.775] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0216.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0217.026] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0217.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0217.237] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0217.321] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0217.414] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0217.522] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0217.631] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0217.952] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0218.052] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0218.285] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0218.408] SetEvent (hEvent=0xf4) returned 1 [0218.408] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0218.566] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0218.735] SetEvent (hEvent=0x3f8) returned 1 [0218.735] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0218.808] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0218.888] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0218.936] SetEvent (hEvent=0x3cc) returned 1 [0218.936] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0218.997] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.062] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.071] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.116] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.159] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.239] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.280] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.376] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.488] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.561] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.629] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.704] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.750] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.794] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.837] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0219.900] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0220.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0220.073] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0220.128] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0220.219] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0220.709] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0221.032] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0221.278] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0221.477] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0221.678] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0221.958] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0221.959] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0222.147] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0222.147] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0222.303] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0222.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0222.519] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0222.519] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0222.671] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0222.671] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0222.824] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0222.824] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0223.001] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0223.001] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0223.165] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0223.166] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0223.319] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0223.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0223.434] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0223.434] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0223.494] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0223.494] SetEvent (hEvent=0x19c) returned 1 [0223.495] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0223.537] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0223.537] SetEvent (hEvent=0x1d0) returned 1 [0223.537] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0223.577] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0223.672] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0223.791] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.007] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.061] SetEvent (hEvent=0x40c) returned 1 [0224.061] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.108] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.152] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.185] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0224.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.219] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0224.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.457] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.468] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.495] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.519] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.534] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0224.612] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.624] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.653] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.664] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.677] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.684] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.697] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.712] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.716] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.720] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.722] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.730] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.741] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.745] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0224.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.852] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.876] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.883] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.886] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.889] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.893] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.895] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.898] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.903] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.926] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.930] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0224.946] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.958] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.963] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.969] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.980] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.984] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.989] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0224.998] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.003] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.007] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.015] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.081] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.085] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.093] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.104] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.148] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.158] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.161] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.172] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.174] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.178] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.182] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.186] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0225.460] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.479] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.499] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.505] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0225.514] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.527] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.532] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.544] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.548] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.556] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.558] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.561] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.567] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.568] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.570] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.572] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.581] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.587] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0225.744] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.766] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.780] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.794] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.830] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.833] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.838] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.840] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.842] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.856] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0225.904] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0226.060] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0226.177] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0226.291] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0226.541] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0226.669] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0226.754] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0226.830] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0226.926] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0227.020] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0227.095] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0227.246] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0227.359] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0227.481] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0227.661] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0227.829] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0228.009] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0228.118] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0228.485] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0228.657] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0228.822] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0228.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.000] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0229.073] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.175] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.237] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.285] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.288] timeEndPeriod (uPeriod=0x1) returned 0x0 [0229.288] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0229.303] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0229.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.341] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.374] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0229.374] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.418] timeEndPeriod (uPeriod=0x1) returned 0x0 [0229.418] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0229.433] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0229.433] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0229.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.540] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0229.541] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.592] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.697] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.713] SetEvent (hEvent=0xfc) returned 1 [0229.713] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.725] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.787] timeEndPeriod (uPeriod=0x1) returned 0x0 [0229.787] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0229.800] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0229.800] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.805] timeEndPeriod (uPeriod=0x1) returned 0x0 [0229.805] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0229.812] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0229.813] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.822] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.833] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.858] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.912] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.920] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0229.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.005] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.011] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.011] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0230.016] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.016] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.022] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.028] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.028] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0230.033] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.034] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.045] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.057] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.064] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.066] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.069] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.074] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.076] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.082] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.082] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0230.089] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.089] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.098] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.137] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.222] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.284] SetEvent (hEvent=0xfc) returned 1 [0230.284] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.304] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.309] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.315] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.334] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.340] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.343] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.361] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.371] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.379] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.379] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0230.483] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.483] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.486] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.492] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.500] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.500] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0230.535] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.535] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.539] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.544] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.629] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.637] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.648] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.651] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.660] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.660] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0230.671] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.671] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.677] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.736] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.739] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.742] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.745] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.747] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.747] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0230.751] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.751] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.765] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.787] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.800] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.861] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.881] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.890] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.900] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.908] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.927] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.960] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.968] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.968] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0230.975] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.975] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.991] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.994] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0230.998] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.998] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0231.029] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.029] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.083] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.097] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.102] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.146] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.195] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.212] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.220] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.224] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.224] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0231.231] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.231] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.239] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.252] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.262] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.263] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0231.267] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.267] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.270] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.274] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.288] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.336] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.350] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.357] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.365] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.367] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.372] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.377] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.378] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.385] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.463] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.477] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.481] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.481] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0231.506] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.521] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.527] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.536] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.589] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.590] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0231.654] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.660] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.661] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0231.669] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.669] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.676] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.677] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.685] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.693] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.694] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0231.728] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.728] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.738] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.748] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.761] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.767] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.772] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.776] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.876] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.882] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.889] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.895] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.898] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.898] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0231.907] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.907] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.913] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.916] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.920] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.922] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.927] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.961] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.965] timeEndPeriod (uPeriod=0x1) returned 0x0 [0231.965] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0231.976] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0231.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.979] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.983] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0231.989] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.002] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.060] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.069] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.073] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.078] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.082] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.094] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.099] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.103] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.182] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.404] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.482] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.570] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.754] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0232.997] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0233.087] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0233.183] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0233.271] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0233.345] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0233.394] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0233.545] timeEndPeriod (uPeriod=0x1) returned 0x0 [0233.545] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0233.638] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0233.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0233.843] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0233.920] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0234.035] timeEndPeriod (uPeriod=0x1) returned 0x0 [0234.036] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0234.080] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0234.080] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0234.106] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0234.203] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0234.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0234.598] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0234.758] SetEvent (hEvent=0xfc) returned 1 [0234.758] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0234.855] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0234.925] SetEvent (hEvent=0xfc) returned 1 [0234.925] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.134] SetEvent (hEvent=0xfc) returned 1 [0235.134] SetEvent (hEvent=0x1d0) returned 1 [0235.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.217] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.282] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0235.282] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.334] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0235.334] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.386] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.485] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.725] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.780] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.870] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.927] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.970] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.985] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0235.988] timeEndPeriod (uPeriod=0x1) returned 0x0 [0235.988] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0236.064] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0236.066] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.077] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.093] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.099] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.103] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.105] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.193] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.196] timeEndPeriod (uPeriod=0x1) returned 0x0 [0236.196] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0236.212] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0236.212] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.219] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.221] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.309] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.358] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.397] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.409] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.414] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.429] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.437] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.466] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.475] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.478] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.480] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.545] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.565] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.571] timeEndPeriod (uPeriod=0x1) returned 0x0 [0236.571] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0236.576] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0236.577] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.587] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.667] timeEndPeriod (uPeriod=0x1) returned 0x0 [0236.667] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0236.671] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0236.671] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.675] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.678] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.685] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.691] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.711] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.717] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.752] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.774] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.776] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.787] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.794] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.799] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.911] timeEndPeriod (uPeriod=0x1) returned 0x0 [0236.911] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0236.926] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0236.926] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.955] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.964] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0236.969] timeEndPeriod (uPeriod=0x1) returned 0x0 [0236.969] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0236.971] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0236.971] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.000] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.011] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.040] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.059] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.096] SetEvent (hEvent=0x19c) returned 1 [0237.096] SetEvent (hEvent=0x40c) returned 1 [0237.096] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.101] SetEvent (hEvent=0x19c) returned 1 [0237.101] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.125] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.143] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.173] timeEndPeriod (uPeriod=0x1) returned 0x0 [0237.173] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0237.179] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0237.179] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.182] timeEndPeriod (uPeriod=0x1) returned 0x0 [0237.182] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0237.187] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0237.187] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.243] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.341] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.363] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.373] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.395] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.401] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.412] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.440] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.524] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.548] SetEvent (hEvent=0x1d0) returned 1 [0237.548] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.562] SetEvent (hEvent=0x1d0) returned 1 [0237.562] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.569] timeEndPeriod (uPeriod=0x1) returned 0x0 [0237.569] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0237.577] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0237.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.583] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.590] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.597] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.630] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.640] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.647] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.712] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.721] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.740] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.751] SetEvent (hEvent=0x19c) returned 1 [0237.751] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.767] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.774] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.777] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.781] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.787] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.833] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.853] timeEndPeriod (uPeriod=0x1) returned 0x0 [0237.853] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0237.866] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0237.866] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.882] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.900] SetEvent (hEvent=0x19c) returned 1 [0237.900] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.912] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.914] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0237.918] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.010] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.013] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.045] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.050] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.068] timeEndPeriod (uPeriod=0x1) returned 0x0 [0238.069] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0238.077] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0238.077] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.107] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.112] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.122] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.138] SetEvent (hEvent=0x19c) returned 1 [0238.138] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.158] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.173] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.177] SetEvent (hEvent=0x420) returned 1 [0238.177] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.184] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.192] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.196] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.208] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.222] timeEndPeriod (uPeriod=0x1) returned 0x0 [0238.222] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0238.227] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0238.228] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.243] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.261] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.275] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.293] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.300] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.361] SetEvent (hEvent=0x420) returned 1 [0238.361] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.411] SetEvent (hEvent=0x1d0) returned 1 [0238.411] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.421] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.427] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.435] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.439] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.443] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.511] timeEndPeriod (uPeriod=0x1) returned 0x0 [0238.511] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0238.530] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0238.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.537] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.547] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.556] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.586] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.640] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.708] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.731] timeEndPeriod (uPeriod=0x1) returned 0x0 [0238.731] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0238.735] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0238.735] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.769] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.786] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.843] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.923] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.968] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0238.974] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.003] timeEndPeriod (uPeriod=0x1) returned 0x0 [0239.003] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0239.065] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0239.065] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.082] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.098] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.150] SetEvent (hEvent=0x19c) returned 1 [0239.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.159] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.174] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.176] timeEndPeriod (uPeriod=0x1) returned 0x0 [0239.176] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0239.205] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0239.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.216] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.234] timeEndPeriod (uPeriod=0x1) returned 0x0 [0239.234] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0239.261] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0239.261] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.295] SetEvent (hEvent=0x19c) returned 1 [0239.295] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0239.579] timeEndPeriod (uPeriod=0x1) returned 0x0 [0239.579] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0239.863] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0239.863] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0240.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0240.243] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0240.367] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0240.714] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0241.036] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0241.133] timeEndPeriod (uPeriod=0x1) returned 0x0 [0241.133] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0241.215] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0241.215] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0241.346] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0241.481] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0241.641] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0241.784] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0241.917] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.049] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.160] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.545] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.700] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.829] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.877] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.890] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.893] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.895] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.903] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.910] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.912] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0242.930] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.008] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.037] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.049] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.054] timeEndPeriod (uPeriod=0x1) returned 0x0 [0243.054] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0243.077] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0243.077] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.085] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.101] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.126] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.140] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.147] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.157] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.168] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.209] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.257] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.263] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.276] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.282] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.285] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.288] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.295] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.301] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.304] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.310] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.316] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.325] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.333] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.341] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.345] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.351] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.359] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.373] timeEndPeriod (uPeriod=0x1) returned 0x0 [0243.373] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0243.431] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0243.431] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.449] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.454] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.471] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.499] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.525] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.541] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.557] SetEvent (hEvent=0x420) returned 1 [0243.557] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.573] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.574] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.581] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.585] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.599] timeEndPeriod (uPeriod=0x1) returned 0x0 [0243.599] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0243.675] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0243.675] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.714] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.811] timeEndPeriod (uPeriod=0x1) returned 0x0 [0243.811] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0243.824] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0243.824] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.849] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.853] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.900] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.911] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.924] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.935] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.959] SetEvent (hEvent=0x420) returned 1 [0243.959] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.978] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.982] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.991] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0243.998] timeEndPeriod (uPeriod=0x1) returned 0x0 [0243.998] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0244.007] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.007] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.014] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.050] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.058] timeEndPeriod (uPeriod=0x1) returned 0x0 [0244.058] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0244.067] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.068] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.089] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.122] timeEndPeriod (uPeriod=0x1) returned 0x0 [0244.122] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0244.138] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.138] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.164] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.179] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.197] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.207] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.214] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.216] timeEndPeriod (uPeriod=0x1) returned 0x0 [0244.216] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0244.223] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.225] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.229] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.306] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.342] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.367] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.418] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.430] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.437] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.449] timeEndPeriod (uPeriod=0x1) returned 0x0 [0244.449] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0244.452] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.466] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.491] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.508] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.516] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.563] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.624] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.641] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.653] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.655] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.657] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.668] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.671] timeEndPeriod (uPeriod=0x1) returned 0x0 [0244.671] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0244.678] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.678] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.684] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.688] timeEndPeriod (uPeriod=0x1) returned 0x0 [0244.688] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0244.695] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.695] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.773] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.795] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.823] SetEvent (hEvent=0x3f8) returned 1 [0244.823] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.832] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.870] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.874] timeEndPeriod (uPeriod=0x1) returned 0x0 [0244.874] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0244.884] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.884] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.894] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.906] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.919] SetEvent (hEvent=0x3f8) returned 1 [0244.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.932] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.939] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.945] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.949] timeEndPeriod (uPeriod=0x1) returned 0x0 [0244.949] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0244.956] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.956] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0244.962] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.047] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.058] timeEndPeriod (uPeriod=0x1) returned 0x0 [0245.058] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0245.062] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0245.062] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.073] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.276] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.290] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.298] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.322] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.364] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.434] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.481] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.501] timeEndPeriod (uPeriod=0x1) returned 0x0 [0245.501] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0245.507] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0245.507] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.522] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.527] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.553] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.580] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.653] SetEvent (hEvent=0x3f8) returned 1 [0245.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.679] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.774] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.785] timeEndPeriod (uPeriod=0x1) returned 0x0 [0245.785] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0245.797] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0245.797] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.812] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.817] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.831] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.834] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.844] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.850] timeEndPeriod (uPeriod=0x1) returned 0x0 [0245.850] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0245.873] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0245.874] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.945] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.952] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.956] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.967] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.972] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.975] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.980] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.986] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0245.988] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.043] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.146] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.269] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.315] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.359] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.404] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.445] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.647] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.734] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.805] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.880] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.922] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0246.964] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.000] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.041] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.137] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.179] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.363] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.408] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.495] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.675] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.762] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0247.763] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0247.844] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0247.844] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.017] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0248.017] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.100] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0248.100] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.223] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0248.223] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.352] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0248.352] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.473] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.548] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.662] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.791] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.881] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0248.995] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0249.043] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0249.207] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0249.401] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0249.696] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0249.894] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0250.168] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0250.411] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0250.561] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0250.804] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0251.067] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0251.295] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0251.550] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0251.625] timeEndPeriod (uPeriod=0x1) returned 0x0 [0251.625] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0251.666] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0251.666] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0251.768] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0251.935] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.026] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.030] timeEndPeriod (uPeriod=0x1) returned 0x0 [0252.030] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0252.048] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0252.048] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.073] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.120] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.137] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.144] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.147] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.159] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.244] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.284] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.304] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.316] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.391] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.401] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.446] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.485] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.493] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.508] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.513] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.522] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.555] timeEndPeriod (uPeriod=0x1) returned 0x0 [0252.555] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0252.557] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0252.558] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.564] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.579] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.581] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.596] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.619] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.676] SetEvent (hEvent=0x420) returned 1 [0252.676] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.693] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.696] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.702] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.712] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.715] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.723] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.741] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.755] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.761] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.764] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.771] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.796] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.897] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.911] timeEndPeriod (uPeriod=0x1) returned 0x0 [0252.911] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0252.919] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0252.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.974] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0252.995] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.036] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.051] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.061] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.094] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.120] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.127] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.147] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.163] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.188] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.198] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.202] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.228] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.235] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.244] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.267] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.282] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.294] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.308] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0253.311] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.342] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.362] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.367] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.378] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.387] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.398] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.402] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0253.408] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.413] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.460] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.464] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.485] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.504] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.577] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.597] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.642] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.661] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.669] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.745] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.755] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.802] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.845] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.882] SetEvent (hEvent=0x420) returned 1 [0253.882] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.885] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.888] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.940] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0253.990] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.015] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.035] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.042] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.053] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.115] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.151] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.158] timeEndPeriod (uPeriod=0x1) returned 0x0 [0254.158] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0254.163] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0254.164] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.246] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.255] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.273] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.277] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.282] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.295] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.324] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.331] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.346] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.354] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.357] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.380] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.498] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.552] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.593] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.611] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.658] timeEndPeriod (uPeriod=0x1) returned 0x0 [0254.658] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0254.663] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0254.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.672] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.723] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.728] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.754] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.782] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.793] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.796] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.803] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.810] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.833] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.854] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0254.935] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.009] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.059] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.772] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.820] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.849] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.927] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.949] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.952] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.958] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.966] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0255.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.008] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.013] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.033] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.115] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.157] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.242] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.277] timeEndPeriod (uPeriod=0x1) returned 0x0 [0256.278] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0256.314] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0256.315] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.336] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.351] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.364] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.393] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.402] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.418] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.455] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.474] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.502] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.507] timeEndPeriod (uPeriod=0x1) returned 0x0 [0256.507] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0256.512] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0256.512] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.518] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.795] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.887] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0256.944] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.007] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.052] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.110] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.156] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.279] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.350] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.423] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.483] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.524] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.562] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0257.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.079] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.114] timeEndPeriod (uPeriod=0x1) returned 0x0 [0258.114] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0258.151] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0258.151] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.231] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.275] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.319] timeEndPeriod (uPeriod=0x1) returned 0x0 [0258.319] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0258.338] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0258.338] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.401] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.490] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.618] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.649] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.721] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.747] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.756] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.767] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.904] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0258.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.013] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.041] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.080] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.110] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.139] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.152] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.164] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.193] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.198] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.209] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.217] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.264] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.341] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.397] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.413] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.418] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.461] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.509] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.516] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.522] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.565] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.569] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.576] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.583] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.585] timeEndPeriod (uPeriod=0x1) returned 0x0 [0259.585] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0259.591] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0259.592] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.601] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.615] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.619] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.636] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.659] timeEndPeriod (uPeriod=0x1) returned 0x0 [0259.659] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0259.663] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0259.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.669] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.704] timeEndPeriod (uPeriod=0x1) returned 0x0 [0259.704] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0259.711] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0259.711] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.737] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.747] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.755] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.758] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.765] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.795] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.798] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.824] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.831] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.853] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0259.869] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.255] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.307] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.315] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.318] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.334] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.339] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.348] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.361] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.413] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.451] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.451] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.451] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.471] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.479] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.485] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.485] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0260.489] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.489] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.505] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.515] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.518] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.525] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.569] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.589] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.610] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.619] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.771] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.784] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.827] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.881] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.904] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.935] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.948] SetEvent (hEvent=0x40c) returned 1 [0260.948] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.959] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.959] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0260.966] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.966] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.978] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.982] timeEndPeriod (uPeriod=0x1) returned 0x0 [0260.982] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0260.984] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.984] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0260.999] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.018] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.033] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.044] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.067] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.077] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.089] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.102] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.104] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.107] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.118] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.122] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.149] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.155] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.181] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.184] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.211] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.232] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.598] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0261.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.655] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.741] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.746] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.757] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.796] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.802] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.817] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.835] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.846] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.878] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.902] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.909] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.912] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.915] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.918] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.924] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.927] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.931] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.948] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.952] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.979] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0261.995] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.005] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.030] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.039] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0262.047] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.059] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.065] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.070] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.083] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.100] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.108] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.161] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.188] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.233] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.237] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.246] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.263] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.284] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.290] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.301] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.310] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.316] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0262.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.326] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.333] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.342] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.351] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.357] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.363] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.367] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.380] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.390] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.395] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.400] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.403] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.406] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.409] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.411] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.416] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.422] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.423] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.428] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.430] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0262.563] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.565] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.566] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.573] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.576] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.577] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0262.730] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.738] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.950] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0262.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.007] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.041] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.048] SetEvent (hEvent=0x19c) returned 1 [0263.049] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.059] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.061] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0263.085] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.092] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.104] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.144] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.156] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.164] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.177] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.183] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.192] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.199] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.219] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0263.237] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.240] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.243] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.246] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.251] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0263.389] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.397] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.401] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0263.405] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.414] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.423] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.473] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.485] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.521] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.561] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.581] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.607] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.622] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.627] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.629] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.633] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.636] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0263.647] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.653] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.671] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0263.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.830] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.845] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.847] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.850] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.851] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.852] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.855] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.858] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.860] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0263.932] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.937] SetEvent (hEvent=0x19c) returned 1 [0263.937] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.940] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.959] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.963] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.965] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.966] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.969] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0263.972] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.069] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.080] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.085] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.088] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.093] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.100] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.103] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.107] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.109] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.123] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.124] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0264.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.253] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.312] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.360] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.513] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.574] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.697] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.761] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.847] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0264.995] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.014] timeEndPeriod (uPeriod=0x1) returned 0x0 [0265.014] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0265.030] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0265.031] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.081] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.120] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.168] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.208] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.210] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.260] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.314] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.403] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.482] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.572] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.706] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.823] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.891] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0265.949] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.001] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0266.001] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.071] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0266.071] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.187] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0266.187] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.247] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0266.247] SetEvent (hEvent=0x420) returned 1 [0266.248] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.294] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0266.294] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.336] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.372] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.418] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.427] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.429] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.432] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.434] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.437] timeEndPeriod (uPeriod=0x1) returned 0x0 [0266.437] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0266.529] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0266.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.553] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.554] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.556] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.558] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.560] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.565] timeEndPeriod (uPeriod=0x1) returned 0x0 [0266.565] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0266.734] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0266.734] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.744] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.746] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.750] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.751] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.755] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.758] timeEndPeriod (uPeriod=0x1) returned 0x0 [0266.758] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0266.873] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0266.873] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.876] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.911] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.981] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.986] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.989] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.993] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0266.996] timeEndPeriod (uPeriod=0x1) returned 0x0 [0266.996] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.036] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.037] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.064] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.136] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.180] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.186] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.219] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.222] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.249] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.255] SetEvent (hEvent=0xfc) returned 1 [0267.255] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.258] SetEvent (hEvent=0x19c) returned 1 [0267.258] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.261] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.264] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.320] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.324] timeEndPeriod (uPeriod=0x1) returned 0x0 [0267.324] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.359] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.359] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.364] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.367] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.369] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.373] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.380] timeEndPeriod (uPeriod=0x1) returned 0x0 [0267.381] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.389] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.389] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.391] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.394] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.397] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.399] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.407] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.409] timeEndPeriod (uPeriod=0x1) returned 0x0 [0267.416] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.424] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.433] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.436] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.438] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.446] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.449] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.455] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.458] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.461] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.467] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.470] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.475] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.479] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.482] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.486] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.488] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.491] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.494] timeEndPeriod (uPeriod=0x1) returned 0x0 [0267.494] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.509] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.509] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.514] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.518] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.521] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.525] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.556] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.559] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.565] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.569] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.572] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.575] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.579] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.581] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.585] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.590] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.605] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.616] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.619] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.621] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.625] timeEndPeriod (uPeriod=0x1) returned 0x0 [0267.625] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.640] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.640] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.645] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.647] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.682] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.690] SetEvent (hEvent=0xfc) returned 1 [0267.690] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.692] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.693] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.701] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.704] timeEndPeriod (uPeriod=0x1) returned 0x0 [0267.704] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.728] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.728] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.738] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.742] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.745] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.747] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.753] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.757] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.768] timeEndPeriod (uPeriod=0x1) returned 0x0 [0267.768] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.774] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.774] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.789] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.797] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.801] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.802] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.805] timeEndPeriod (uPeriod=0x1) returned 0x0 [0267.805] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.817] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.817] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.832] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.835] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.838] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.844] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.845] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.847] timeEndPeriod (uPeriod=0x1) returned 0x0 [0267.848] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0267.871] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0267.871] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.878] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.891] SetEvent (hEvent=0xf4) returned 1 [0267.892] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.895] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.899] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.902] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.905] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.907] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.910] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.920] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0267.921] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.118] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.283] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.341] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.363] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.366] timeEndPeriod (uPeriod=0x1) returned 0x0 [0268.366] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0268.417] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0268.417] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.529] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.592] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.755] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.849] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0268.936] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0269.237] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0269.318] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0269.436] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0269.587] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0269.705] timeEndPeriod (uPeriod=0x1) returned 0x0 [0269.715] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0269.757] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0269.757] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0269.776] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0269.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0269.905] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.005] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.005] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0270.109] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.109] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.141] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.211] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.318] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.354] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.354] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0270.516] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.516] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.539] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.614] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.639] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.645] SetEvent (hEvent=0x19c) returned 1 [0270.646] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.651] SetEvent (hEvent=0xfc) returned 1 [0270.651] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.664] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.668] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.692] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.696] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.714] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.720] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.724] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.726] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.729] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.733] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.744] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.757] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.780] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.780] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0270.789] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.789] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.881] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.881] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0270.884] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0270.884] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.894] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.898] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.914] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.936] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0270.982] timeEndPeriod (uPeriod=0x1) returned 0x0 [0270.983] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0271.230] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0271.230] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.241] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.245] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.257] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.260] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.263] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.284] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.292] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.295] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.310] timeEndPeriod (uPeriod=0x1) returned 0x0 [0271.528] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0271.528] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0271.528] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.574] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.692] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.696] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.729] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.731] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.735] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.737] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.749] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.752] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.754] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.759] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.763] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.778] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.787] timeEndPeriod (uPeriod=0x1) returned 0x0 [0271.787] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0271.794] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0271.794] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.803] SetEvent (hEvent=0x1d0) returned 1 [0271.803] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.814] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.819] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.822] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.823] timeEndPeriod (uPeriod=0x1) returned 0x0 [0271.824] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0271.966] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0271.966] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.968] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.971] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.978] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.981] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0271.984] timeEndPeriod (uPeriod=0x1) returned 0x0 [0271.984] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0272.211] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0272.211] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.223] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.227] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.233] timeEndPeriod (uPeriod=0x1) returned 0x0 [0272.233] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0272.235] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0272.235] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.302] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.317] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.335] SetEvent (hEvent=0x1b8) returned 1 [0272.335] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.352] SetEvent (hEvent=0x104) returned 1 [0272.352] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.481] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.488] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.489] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.492] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.494] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.495] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.504] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.506] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.509] timeEndPeriod (uPeriod=0x1) returned 0x0 [0272.509] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0272.526] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0272.527] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.536] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.543] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.545] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.550] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.556] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.560] timeEndPeriod (uPeriod=0x1) returned 0x0 [0272.560] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0272.577] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0272.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.597] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.599] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.608] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.612] timeEndPeriod (uPeriod=0x1) returned 0x0 [0272.612] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0272.622] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0272.622] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.662] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.670] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.697] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.707] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.741] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.768] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.783] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.792] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.797] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.822] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.840] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.905] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.910] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.913] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.936] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0272.988] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.015] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.025] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.037] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.037] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0273.069] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.069] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.084] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.098] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.104] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.117] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.139] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.161] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.161] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0273.183] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.183] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.190] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.194] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.194] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0273.200] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.216] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.229] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.258] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.350] SetEvent (hEvent=0x40c) returned 1 [0273.350] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.363] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.368] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.393] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.405] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.415] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.428] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.446] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.449] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.459] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.473] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.484] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.496] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.501] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.501] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0273.509] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.509] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.523] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.535] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.560] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.576] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.599] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.603] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.607] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.609] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.613] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.615] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.619] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.622] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.630] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.632] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.643] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.645] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.647] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.653] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.664] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.674] timeEndPeriod (uPeriod=0x1) returned 0x0 [0273.674] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0273.692] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0273.692] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0273.704] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.053] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.088] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.091] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.099] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.105] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.137] timeEndPeriod (uPeriod=0x1) returned 0x0 [0274.137] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0274.150] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.167] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.178] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.182] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.187] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.197] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.207] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.224] timeEndPeriod (uPeriod=0x1) returned 0x0 [0274.224] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0274.233] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.233] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.244] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.253] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.274] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.279] timeEndPeriod (uPeriod=0x1) returned 0x0 [0274.279] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0274.283] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.283] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.291] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.305] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.308] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.316] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.323] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.327] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.331] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.341] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.353] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.359] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.366] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.386] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.391] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.395] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.404] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.414] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.419] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.424] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.426] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.440] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.449] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.454] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.465] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.471] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.474] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.479] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.528] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.539] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.542] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.565] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.570] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.573] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.580] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.585] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.589] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.608] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.613] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.616] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.619] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.631] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.633] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.634] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.638] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.643] timeEndPeriod (uPeriod=0x1) returned 0x0 [0274.643] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0274.649] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.649] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.661] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.666] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.668] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.689] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.693] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.695] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.697] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.703] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.710] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.721] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.735] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.744] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.754] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.782] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.794] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.804] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.830] timeEndPeriod (uPeriod=0x1) returned 0x0 [0274.832] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0274.848] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0274.848] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.856] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.861] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.907] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.916] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.922] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.928] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.933] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.937] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.962] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.965] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.968] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.971] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.973] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.975] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.982] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.988] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.990] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.993] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.995] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0274.997] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.000] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.003] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.008] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.013] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.016] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.019] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.021] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.024] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.029] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.031] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.033] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.036] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.040] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.047] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.053] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.056] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.059] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.063] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.129] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.135] timeEndPeriod (uPeriod=0x1) returned 0x0 [0275.135] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0275.144] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0275.144] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.153] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.157] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.159] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.161] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.163] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.166] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.169] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.176] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.180] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.182] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.187] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.191] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.194] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.196] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.209] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.213] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.221] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.229] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.229] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.231] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.238] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.244] timeEndPeriod (uPeriod=0x1) returned 0x0 [0275.244] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0275.247] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0275.248] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.254] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.258] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.265] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.267] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.272] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.280] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.281] timeEndPeriod (uPeriod=0x1) returned 0x0 [0275.282] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0275.289] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0275.289] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.294] timeEndPeriod (uPeriod=0x1) returned 0x0 [0275.294] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0275.302] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0275.303] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.310] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.313] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.315] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.338] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.356] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.372] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.380] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.389] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.393] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.402] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.413] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.429] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.441] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.452] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.455] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.457] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.460] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.464] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.475] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.486] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.488] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.490] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.493] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.496] timeEndPeriod (uPeriod=0x1) returned 0x0 [0275.497] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0275.500] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0275.500] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.503] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.509] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.511] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.518] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.530] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.532] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.536] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.539] SetEvent (hEvent=0x1d0) returned 1 [0275.539] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.545] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.549] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.555] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.558] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.562] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.570] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.571] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.572] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.582] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.591] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.597] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.671] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.758] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.811] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.857] timeEndPeriod (uPeriod=0x1) returned 0x0 [0275.858] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0275.896] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0275.896] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.903] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0275.959] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.050] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.106] timeEndPeriod (uPeriod=0x1) returned 0x0 [0276.106] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0276.121] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0276.122] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.173] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.226] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.291] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.438] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.547] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.757] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.823] SetEvent (hEvent=0x420) returned 1 [0276.823] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.866] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0276.990] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.035] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.153] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.234] timeEndPeriod (uPeriod=0x1) returned 0x0 [0277.234] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0277.259] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0277.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.378] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.444] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.536] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.539] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.590] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.598] timeEndPeriod (uPeriod=0x1) returned 0x0 [0277.599] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0277.625] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0277.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.629] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.666] timeEndPeriod (uPeriod=0x1) returned 0x0 [0277.666] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0277.673] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0277.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.714] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.843] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.858] timeEndPeriod (uPeriod=0x1) returned 0x0 [0277.858] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0277.876] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0277.876] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.890] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.892] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.929] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.961] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.965] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.968] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.974] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0277.986] timeEndPeriod (uPeriod=0x1) returned 0x0 [0277.986] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0277.993] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0277.993] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.003] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.006] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.009] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.011] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.014] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.016] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.020] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.022] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.024] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.024] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.038] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.038] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.041] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.043] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.049] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.053] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.061] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.063] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.065] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.068] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.073] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.080] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.082] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.084] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.088] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.090] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.105] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.164] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.164] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.203] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.203] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.206] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.215] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.217] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.220] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.229] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.231] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.233] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.242] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.267] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.273] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.273] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.277] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.277] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.279] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.313] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.317] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.319] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.353] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.356] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.361] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.365] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.367] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.369] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.371] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.375] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.378] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.460] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.494] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.497] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.501] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.503] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.506] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.510] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.514] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.516] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.519] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.519] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.551] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.551] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.554] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.556] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.557] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.565] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.568] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.570] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.582] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.582] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.594] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.594] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.598] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.608] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.618] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.621] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.627] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.629] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.632] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.639] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.649] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.653] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.665] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.669] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.675] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.675] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.685] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.685] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.688] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.690] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.707] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.711] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.714] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.719] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.731] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.734] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.737] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.740] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.745] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.749] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.749] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.768] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.768] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.770] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.775] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.780] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.789] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.794] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.797] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.799] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.802] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.804] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.806] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.814] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.817] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.818] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.821] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.824] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.827] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.831] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.831] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.838] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.843] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.846] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.848] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.851] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.861] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.864] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.864] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.872] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.876] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.877] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.879] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.883] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.886] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.889] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.897] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.899] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.901] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.906] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.908] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.910] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.925] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.928] timeEndPeriod (uPeriod=0x1) returned 0x0 [0278.929] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0278.940] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0278.940] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0278.949] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.040] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.082] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.105] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.115] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.118] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.120] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.128] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.131] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.143] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.150] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.152] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.173] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.177] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.181] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.189] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.192] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.196] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.200] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.204] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.215] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.222] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.226] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.230] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.374] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0279.435] timeEndPeriod (uPeriod=0x1) returned 0x0 [0279.435] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0279.496] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0279.496] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0280.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0280.206] timeEndPeriod (uPeriod=0x1) returned 0x0 [0280.206] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0280.216] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0280.216] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0280.356] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0280.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0280.449] timeEndPeriod (uPeriod=0x1) returned 0x0 [0280.449] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0280.697] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0280.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0280.725] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0281.531] SetEvent (hEvent=0x19c) returned 1 [0281.531] SetEvent (hEvent=0x3f8) returned 1 [0281.541] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0281.769] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0281.922] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0282.037] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0282.185] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0282.601] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0282.756] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.048] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.173] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.249] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.329] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.409] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.665] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.785] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.813] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.817] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.950] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0283.987] timeEndPeriod (uPeriod=0x1) returned 0x0 [0283.987] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0284.042] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0284.042] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0284.262] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0284.396] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0284.491] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0284.627] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0284.641] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0284.656] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0284.668] timeEndPeriod (uPeriod=0x1) returned 0x0 [0284.668] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0287.926] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0287.926] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.057] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.105] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.148] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.197] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.289] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.333] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.378] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.421] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.519] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.561] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.615] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.651] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.734] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.773] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0288.854] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.043] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.140] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.211] timeEndPeriod (uPeriod=0x1) returned 0x0 [0289.211] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0289.275] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0289.275] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.324] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.328] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.334] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.628] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.690] SetEvent (hEvent=0xf4) returned 1 [0289.690] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.702] SetEvent (hEvent=0x1d0) returned 1 [0289.702] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.730] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.826] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0289.992] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0289.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.036] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.083] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.216] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.297] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.343] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.402] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.455] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.517] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.566] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.617] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.753] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.912] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0290.958] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.005] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.073] timeEndPeriod (uPeriod=0x1) returned 0x0 [0291.073] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0291.255] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0291.255] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.422] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.526] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.673] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.739] timeEndPeriod (uPeriod=0x1) returned 0x0 [0291.739] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0291.778] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0291.778] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.860] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.913] SetEvent (hEvent=0x3f8) returned 1 [0291.913] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0291.980] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.030] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0292.030] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.069] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.108] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.226] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.322] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.405] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.454] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.528] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.637] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.746] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.774] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.820] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.859] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.865] timeEndPeriod (uPeriod=0x1) returned 0x0 [0292.865] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0292.953] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0292.953] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0292.957] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.001] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.008] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.014] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.018] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.092] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.095] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.108] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.110] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.115] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.125] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.125] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0293.134] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.134] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.137] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.141] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.145] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.150] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.151] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0293.198] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.198] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.201] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.203] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.213] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.218] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.228] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.233] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.244] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.246] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.250] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.262] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.274] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.277] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.280] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.283] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.287] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.288] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.291] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.313] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.316] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0293.362] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.362] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.376] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.401] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.446] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.458] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.465] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.523] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.523] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0293.534] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.540] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.579] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.581] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.581] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0293.585] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.585] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.611] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.618] SetEvent (hEvent=0xf4) returned 1 [0293.618] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.621] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.622] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.630] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.632] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.634] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.636] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.636] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0293.650] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.650] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.658] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.663] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.665] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.667] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.668] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.675] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.680] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.681] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0293.689] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.689] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.709] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.716] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.725] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.772] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.844] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.849] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.864] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.936] timeEndPeriod (uPeriod=0x1) returned 0x0 [0293.936] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0293.947] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0293.947] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.958] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.963] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.966] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.972] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0293.976] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.005] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.058] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.066] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.066] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.082] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.082] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.129] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.134] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.134] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.139] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.140] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.241] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.254] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.254] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.271] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.271] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.280] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.282] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.344] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.351] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.351] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.361] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.361] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.388] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.392] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.431] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.476] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.499] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.512] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.555] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.563] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.566] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.570] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.574] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.578] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.588] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.588] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.613] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.613] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.617] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.623] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.637] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.645] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.648] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.651] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.654] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.669] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.672] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.683] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.685] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.695] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.740] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.752] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.756] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.760] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.764] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.767] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.772] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.772] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.777] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.777] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.781] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.786] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.789] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.791] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.791] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.808] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.808] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.810] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.813] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.817] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.827] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.832] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.834] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.847] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.862] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.865] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.867] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.872] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.875] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.880] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.882] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.882] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.904] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.904] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.907] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.914] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.919] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.925] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.932] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.941] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.943] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.950] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.950] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.962] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.962] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.969] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0294.972] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.972] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0294.975] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.975] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.048] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.072] SetEvent (hEvent=0x1b8) returned 1 [0295.072] SetEvent (hEvent=0xf4) returned 1 [0295.072] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.091] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.153] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.197] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.261] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.274] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.274] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0295.282] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.282] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.287] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.305] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.318] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.324] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.324] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0295.330] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.330] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.405] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.439] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.439] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0295.453] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.453] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.498] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.502] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.503] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0295.506] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.506] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.534] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.564] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.572] SetEvent (hEvent=0x420) returned 1 [0295.572] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.575] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.580] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.582] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.587] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.593] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.600] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.606] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.610] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.620] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.625] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.627] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.630] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.637] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.637] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0295.644] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.644] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.649] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.652] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.655] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.660] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.668] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.670] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.674] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.711] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.722] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.744] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.744] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0295.760] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.760] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.763] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.780] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.780] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0295.788] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.788] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.804] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.815] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.831] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.836] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.838] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.838] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0295.847] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.847] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.851] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.854] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.860] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.875] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0295.877] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.877] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0300.101] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0300.115] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0300.153] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0300.204] timeEndPeriod (uPeriod=0x1) returned 0x0 [0300.204] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x0 [0302.748] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0302.749] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0302.786] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0302.825] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0302.866] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0302.921] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0302.963] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.005] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.049] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.094] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.140] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.293] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.394] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.441] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.482] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.523] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.559] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.602] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.645] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.686] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.731] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.799] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.839] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.880] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.923] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.962] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0303.998] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.043] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.080] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.123] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.170] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.216] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.253] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.293] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.357] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.470] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.513] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.630] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.695] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.734] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.779] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.828] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.909] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xe1fae4, ulCount=0x10, ulNumEntriesRemoved=0xe1fac8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xe1fae4, ulNumEntriesRemoved=0xe1fac8) returned 0 [0304.910] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0304.961] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.003] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.046] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.088] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.146] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.294] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.425] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.532] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.576] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.629] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.681] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0305.902] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0306.012] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0306.074] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0306.120] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0306.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0306.255] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0306.299] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0306.316] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.316] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xea60) returned 0x102 [0316.338] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xc33a) returned 0x0 [0316.505] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0316.517] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0316.579] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0316.616] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0316.657] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0316.705] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0316.743] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0316.782] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0316.823] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0316.948] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0316.992] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.030] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.071] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.115] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.154] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.205] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.248] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.288] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.326] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.394] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.469] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.471] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) returned 0x102 [0317.472] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0xe1fed8) Thread: id = 4 os_tid = 0xe18 [0100.660] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x328fff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x328fff30*=0xf8) returned 1 [0100.660] VirtualQuery (in: lpAddress=0x328fff40, lpBuffer=0x328fff40, dwLength=0x1c | out: lpBuffer=0x328fff40*(BaseAddress=0x328ff000, AllocationBase=0x32800000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.660] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12832000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0100.661] CloseHandle (hObject=0xfc) returned 1 [0100.661] SetEvent (hEvent=0xf4) returned 1 [0100.661] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xfc [0100.661] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0100.780] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0102.369] SetEvent (hEvent=0xf4) returned 1 [0102.594] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0103.235] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0104.091] SetEvent (hEvent=0xf4) returned 1 [0104.091] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0106.040] SwitchToThread () returned 1 [0106.112] SetEvent (hEvent=0x104) returned 1 [0106.120] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0110.115] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0110.169] SwitchToThread () returned 1 [0110.180] SetEvent (hEvent=0x10c) returned 1 [0110.298] SetEvent (hEvent=0x10c) returned 1 [0110.313] GetProcAddress (hModule=0x75310000, lpProcName="GetAddrInfoW") returned 0x75322180 [0110.314] GetAddrInfoW (in: pNodeName="api.telegram.org", pServiceName=0x0, pHints=0x12825f94*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x12825f50 | out: ppResult=0x12825f50*=0xb2ac00*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xb3c830*(sa_family=2, sin_port=0x0, sin_addr="149.154.167.220"), ai_next=0x0)) returned 0 [0113.045] SetEvent (hEvent=0x110) returned 1 [0113.046] GetProcAddress (hModule=0x75310000, lpProcName="FreeAddrInfoW") returned 0x75325ee0 [0113.046] FreeAddrInfoW (pAddrInfo=0xb2ac00*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0xb3c830*(sa_family=2, sin_port=0x0, sin_addr="149.154.167.220"), ai_next=0x0)) [0113.057] SetEvent (hEvent=0x10c) returned 1 [0113.225] LoadLibraryExW (lpLibFileName="ws2_32.dll", hFile=0x0, dwFlags=0x800) returned 0x75310000 [0113.225] GetProcAddress (hModule=0x75310000, lpProcName="WSASocketW") returned 0x7531e7d0 [0113.225] WSASocketW (af=2, type=1, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x81) returned 0x1a4 [0113.243] GetProcAddress (hModule=0x75310000, lpProcName="setsockopt") returned 0x7531ecc0 [0113.243] setsockopt (s=0x1a4, level=65535, optname=32, optval="\x01", optlen=4) returned -1 [0113.295] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0xffffffff) returned 0x1a8 [0113.295] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x32f00000 [0113.296] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x1a8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a8 [0113.296] SetFileCompletionNotificationModes (FileHandle=0x1a4, Flags=0x3) returned 1 [0113.309] SetEvent (hEvent=0x10c) returned 1 [0113.335] SetEvent (hEvent=0x104) returned 1 [0113.335] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x6875) returned 0x102 [0123.590] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x4073) returned 0x102 [0134.580] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1578) returned 0x102 [0147.525] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0150.859] SwitchToThread () returned 1 [0151.260] SetEvent (hEvent=0x10c) returned 1 [0155.488] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360)) returned 1 [0156.069] SetEvent (hEvent=0x1d0) returned 1 [0156.101] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-BR" (normalized: "c:\\boot\\pt-br"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0156.539] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0157.449] CreateFileW (lpFileName="C:\\Boot\\pt-BR" (normalized: "c:\\boot\\pt-br"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0157.450] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0157.539] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.539] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0157.540] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0157.540] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0157.540] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0158.134] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-BR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\pt-br\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.135] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\pt-br\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0158.215] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\pt-br\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0158.274] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0158.274] WriteFile (in: hFile=0x408, lpBuffer=0x12c1a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c1a000*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0158.276] CloseHandle (hObject=0x408) returned 1 [0158.423] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0158.545] SetEvent (hEvent=0x1d0) returned 1 [0158.545] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160)) returned 1 [0158.546] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-PT" (normalized: "c:\\boot\\pt-pt"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0158.546] CreateFileW (lpFileName="C:\\Boot\\pt-PT" (normalized: "c:\\boot\\pt-pt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.546] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0158.556] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.556] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0158.556] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0158.557] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.557] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0158.557] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-PT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\pt-pt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.557] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\pt-pt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0158.557] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\pt-pt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0158.607] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0158.607] WriteFile (in: hFile=0x408, lpBuffer=0x12c1b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c1b300*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0158.609] CloseHandle (hObject=0x408) returned 1 [0158.609] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0158.610] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358)) returned 1 [0158.727] GetFileAttributesExW (in: lpFileName="C:\\Boot\\qps-ploc" (normalized: "c:\\boot\\qps-ploc"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0158.727] CreateFileW (lpFileName="C:\\Boot\\qps-ploc" (normalized: "c:\\boot\\qps-ploc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.727] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0158.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0158.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0158.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.728] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0158.728] GetFileAttributesExW (in: lpFileName="C:\\Boot\\qps-ploc\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\qps-ploc\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.728] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\qps-ploc\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0158.729] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\qps-ploc\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0158.790] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0158.790] WriteFile (in: hFile=0x408, lpBuffer=0x12c1c600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c1c600*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0158.791] CloseHandle (hObject=0x408) returned 1 [0158.792] GetFileAttributesExW (in: lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160)) returned 1 [0158.793] GetFileAttributesExW (in: lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60)) returned 1 [0158.793] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ro-RO" (normalized: "c:\\boot\\ro-ro"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0158.838] CreateFileW (lpFileName="C:\\Boot\\ro-RO" (normalized: "c:\\boot\\ro-ro"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.839] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0158.839] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.839] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0158.839] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.839] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0158.839] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ro-RO\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ro-ro\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.839] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ro-ro\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0158.839] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ro-ro\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0158.840] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0158.840] WriteFile (in: hFile=0x408, lpBuffer=0x12c1d900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c1d900*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0158.841] CloseHandle (hObject=0x408) returned 1 [0158.841] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960)) returned 1 [0158.842] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ru-RU" (normalized: "c:\\boot\\ru-ru"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0158.842] CreateFileW (lpFileName="C:\\Boot\\ru-RU" (normalized: "c:\\boot\\ru-ru"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.842] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0158.842] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.842] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0158.842] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0158.842] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.842] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0158.842] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ru-RU\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ru-ru\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.842] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ru-ru\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0158.843] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ru-ru\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0158.883] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0158.883] WriteFile (in: hFile=0x408, lpBuffer=0x12c1ec00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c1ec00*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0158.884] CloseHandle (hObject=0x408) returned 1 [0158.885] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60)) returned 1 [0158.885] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60)) returned 1 [0158.955] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sk-SK" (normalized: "c:\\boot\\sk-sk"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0158.956] CreateFileW (lpFileName="C:\\Boot\\sk-SK" (normalized: "c:\\boot\\sk-sk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.956] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0158.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0158.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.956] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0158.956] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sk-SK\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sk-sk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.956] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sk-sk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0158.957] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sk-sk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0158.957] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0158.957] WriteFile (in: hFile=0x408, lpBuffer=0x12c4a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c4a000*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0158.958] CloseHandle (hObject=0x408) returned 1 [0158.968] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58)) returned 1 [0158.969] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sl-SI" (normalized: "c:\\boot\\sl-si"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0158.969] CreateFileW (lpFileName="C:\\Boot\\sl-SI" (normalized: "c:\\boot\\sl-si"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.969] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0158.970] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.970] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0158.970] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.970] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0158.970] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sl-SI\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sl-si\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0158.970] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sl-si\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0158.970] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sl-si\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0158.971] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0158.971] WriteFile (in: hFile=0x408, lpBuffer=0x12c4b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c4b300*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0158.972] CloseHandle (hObject=0x408) returned 1 [0158.973] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0159.055] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-CS" (normalized: "c:\\boot\\sr-latn-cs"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.055] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS" (normalized: "c:\\boot\\sr-latn-cs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.056] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0159.056] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.056] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0159.056] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0159.056] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.056] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0159.056] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sr-latn-cs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.057] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sr-latn-cs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.057] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sr-latn-cs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.333] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0159.334] WriteFile (in: hFile=0x408, lpBuffer=0x12c4c600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c4c600*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0159.335] CloseHandle (hObject=0x408) returned 1 [0159.349] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60)) returned 1 [0159.349] SetEvent (hEvent=0x1d0) returned 1 [0159.364] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58)) returned 1 [0159.364] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-RS" (normalized: "c:\\boot\\sr-latn-rs"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.436] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS" (normalized: "c:\\boot\\sr-latn-rs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.436] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0159.436] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.436] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0159.436] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.436] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0159.487] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sr-latn-rs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.488] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sr-latn-rs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.488] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sr-latn-rs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.489] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0159.489] WriteFile (in: hFile=0x408, lpBuffer=0x12c4d900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c4d900*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0159.490] CloseHandle (hObject=0x408) returned 1 [0159.491] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60)) returned 1 [0159.491] SetEvent (hEvent=0x3f4) returned 1 [0159.491] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sv-SE" (normalized: "c:\\boot\\sv-se"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.491] CreateFileW (lpFileName="C:\\Boot\\sv-SE" (normalized: "c:\\boot\\sv-se"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.491] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0159.492] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.492] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0159.492] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0159.492] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.492] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0159.492] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sv-SE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sv-se\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.492] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sv-se\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.492] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\sv-se\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.495] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0159.495] WriteFile (in: hFile=0x408, lpBuffer=0x12c4ec00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c4ec00*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0159.497] CloseHandle (hObject=0x408) returned 1 [0159.497] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960)) returned 1 [0159.497] GetFileAttributesExW (in: lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58)) returned 1 [0159.600] GetFileAttributesExW (in: lpFileName="C:\\Boot\\tr-TR" (normalized: "c:\\boot\\tr-tr"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.601] CreateFileW (lpFileName="C:\\Boot\\tr-TR" (normalized: "c:\\boot\\tr-tr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.601] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0159.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0159.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0159.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.601] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0159.602] GetFileAttributesExW (in: lpFileName="C:\\Boot\\tr-TR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\tr-tr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.602] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\tr-tr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.602] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\tr-tr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.681] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0159.681] WriteFile (in: hFile=0x408, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0159.682] CloseHandle (hObject=0x408) returned 1 [0159.683] GetFileAttributesExW (in: lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558)) returned 1 [0159.683] GetFileAttributesExW (in: lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160)) returned 1 [0159.683] GetFileAttributesExW (in: lpFileName="C:\\Boot\\uk-UA" (normalized: "c:\\boot\\uk-ua"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.744] CreateFileW (lpFileName="C:\\Boot\\uk-UA" (normalized: "c:\\boot\\uk-ua"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.744] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0159.744] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.744] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0159.744] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.744] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0159.745] GetFileAttributesExW (in: lpFileName="C:\\Boot\\uk-UA\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\uk-ua\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.745] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\uk-ua\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.745] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\uk-ua\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.745] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0159.746] WriteFile (in: hFile=0x408, lpBuffer=0x12b11300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12b11300*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0159.747] CloseHandle (hObject=0x408) returned 1 [0159.747] GetFileAttributesExW (in: lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60)) returned 1 [0159.748] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-CN" (normalized: "c:\\boot\\zh-cn"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.748] CreateFileW (lpFileName="C:\\Boot\\zh-CN" (normalized: "c:\\boot\\zh-cn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.748] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0159.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0159.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0159.749] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.749] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0159.749] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-CN\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\zh-cn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.749] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\zh-cn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.749] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\zh-cn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.802] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0159.802] WriteFile (in: hFile=0x408, lpBuffer=0x12b12600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12b12600*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0159.803] CloseHandle (hObject=0x408) returned 1 [0159.804] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960)) returned 1 [0159.804] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560)) returned 1 [0159.848] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-HK" (normalized: "c:\\boot\\zh-hk"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.848] CreateFileW (lpFileName="C:\\Boot\\zh-HK" (normalized: "c:\\boot\\zh-hk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.848] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0159.848] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.848] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0159.848] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0159.848] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.848] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0159.848] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-HK\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\zh-hk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.849] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\zh-hk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.849] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\zh-hk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.901] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0159.901] WriteFile (in: hFile=0x408, lpBuffer=0x12b13900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12b13900*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0159.902] CloseHandle (hObject=0x408) returned 1 [0159.902] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958)) returned 1 [0159.903] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa558)) returned 1 [0159.947] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-TW" (normalized: "c:\\boot\\zh-tw"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.948] CreateFileW (lpFileName="C:\\Boot\\zh-TW" (normalized: "c:\\boot\\zh-tw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.948] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0159.948] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.948] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0159.948] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0159.948] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.948] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0159.948] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-TW\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\zh-tw\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.949] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\zh-tw\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.949] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\zh-tw\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.956] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0159.956] WriteFile (in: hFile=0x408, lpBuffer=0x12b14c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12b14c00*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0159.957] CloseHandle (hObject=0x408) returned 1 [0159.958] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960)) returned 1 [0159.958] GetFileAttributesExW (in: lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560)) returned 1 [0159.958] GetFileAttributesExW (in: lpFileName="C:\\Documents and Settings" (normalized: "c:\\documents and settings"), fInfoLevelId=0x0, lpFileInformation=0x12829c84 | out: lpFileInformation=0x12829c84*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.959] CreateFileW (lpFileName="C:\\Documents and Settings" (normalized: "c:\\documents and settings"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x408 [0159.959] GetProcAddress (hModule=0x75600000, lpProcName="GetFileInformationByHandle") returned 0x75626a60 [0159.960] GetFileInformationByHandle (in: hFile=0x408, lpFileInformation=0x12829c14 | out: lpFileInformation=0x12829c14) returned 1 [0159.969] GetProcAddress (hModule=0x75600000, lpProcName="GetFileInformationByHandleEx") returned 0x75640ea0 [0159.969] GetFileInformationByHandleEx (in: hFile=0x408, FileInformationClass=0x9, lpFileInformation=0x12829c0c, dwBufferSize=0x8 | out: lpFileInformation=0x12829c0c) returned 1 [0159.969] CloseHandle (hObject=0x408) returned 1 [0159.969] GetFileAttributesExW (in: lpFileName="C:\\PerfLogs" (normalized: "c:\\perflogs"), fInfoLevelId=0x0, lpFileInformation=0x12829c84 | out: lpFileInformation=0x12829c84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.970] CreateFileW (lpFileName="C:\\PerfLogs" (normalized: "c:\\perflogs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.970] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x12829b5c | out: lpFindFileData=0x12829b5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0159.970] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.970] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.970] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0159.971] GetFileAttributesExW (in: lpFileName="C:\\PerfLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\perflogs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12829824 | out: lpFileInformation=0x12829824*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.971] CreateFileW (lpFileName="C:\\PerfLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\perflogs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.971] CreateFileW (lpFileName="C:\\PerfLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\perflogs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.972] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12829a34 | out: lpMode=0x12829a34) returned 0 [0159.972] WriteFile (in: hFile=0x408, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12829a34, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12829a34*=0x118a, lpOverlapped=0x0) returned 1 [0159.973] CloseHandle (hObject=0x408) returned 1 [0159.974] GetFileAttributesExW (in: lpFileName="C:\\Program Files" (normalized: "c:\\program files"), fInfoLevelId=0x0, lpFileInformation=0x12829c84 | out: lpFileInformation=0x12829c84*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x9829bce, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x9829bce, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0159.974] CreateFileW (lpFileName="C:\\Program Files" (normalized: "c:\\program files"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.974] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0x12829b5c | out: lpFindFileData=0x12829b5c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x9829bce, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x9829bce, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x9829bce, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x9829bce, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf8c31cc2, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8c31cc2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2f72013, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9701bb02, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9701bb02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf892ce6d, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf892ce6d, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b3095dc, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b3095dc, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b3095dc, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 15", cAlternateFileName="MICROS~1")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde5c2433, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xf8b90af2, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b90af2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde5c2433, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xf8c25953, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8c25953, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf22b9950, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf90764c0, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf90764c0, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8c3e01d, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8c3e01d, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ebef3a1, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0xf8b8bc6e, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b8bc6e, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Journal", cAlternateFileName="WIA843~1")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8b0f430, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b0f430, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~2")) returned 1 [0159.974] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8c3925b, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8c3925b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WINDOW~3")) returned 1 [0159.975] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8b99355, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b99355, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Multimedia Platform", cAlternateFileName="WINDOW~4")) returned 1 [0159.975] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8c2a800, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8c2a800, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WI67CB~1")) returned 1 [0159.975] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf9078bf2, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf9078bf2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WI8A19~1")) returned 1 [0159.975] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8b04411, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b04411, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0159.975] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8b65edb, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b65edb, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0159.975] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x2224dfa5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2224dfa5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsApps", cAlternateFileName="WI7DB9~1")) returned 1 [0159.975] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc47584, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc47584, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 1 [0159.975] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.975] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0159.975] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)" (normalized: "c:\\program files (x86)"), fInfoLevelId=0x0, lpFileInformation=0x12829c84 | out: lpFileInformation=0x12829c84*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0159.975] CreateFileW (lpFileName="C:\\Program Files (x86)" (normalized: "c:\\program files (x86)"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.975] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\*", lpFindFileData=0x12829b5c | out: lpFindFileData=0x12829b5c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf7097510, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7097510, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8ba07f6, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8ba07f6, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x1b83b055, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xf8b14249, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b14249, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8aebdc8, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8aebdc8, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde6b7421, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xf8af6d4c, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8af6d4c, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde6dd69d, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xf8b94523, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b94523, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf62ae347, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf62ae347, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8c41aa1, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8c41aa1, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~2")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf906dc95, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf906dc95, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WINDOW~3")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf7d737b2, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf7d737b2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Multimedia Platform", cAlternateFileName="WINDOW~4")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8b86e6d, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b86e6d, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WI67CB~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf891956c, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf891956c, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WI8A19~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3436b38, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3436b38, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8b7d20f, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf8b7d20f, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf792d5f9, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf792d5f9, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 1 [0159.976] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.976] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0159.976] GetFileAttributesExW (in: lpFileName="C:\\ProgramData" (normalized: "c:\\programdata"), fInfoLevelId=0x0, lpFileInformation=0x12829c84 | out: lpFileInformation=0x12829c84*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0159.977] CreateFileW (lpFileName="C:\\ProgramData" (normalized: "c:\\programdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.977] FindFirstFileW (in: lpFileName="C:\\ProgramData\\*", lpFindFileData=0x12829b5c | out: lpFindFileData=0x12829b5c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6121cfc7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0159.977] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.978] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0159.978] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12829824 | out: lpFileInformation=0x12829824*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0159.978] CreateFileW (lpFileName="C:\\ProgramData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0159.978] CreateFileW (lpFileName="C:\\ProgramData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0159.978] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12829a34 | out: lpMode=0x12829a34) returned 0 [0159.978] WriteFile (in: hFile=0x408, lpBuffer=0x12c2f300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12829a34, lpOverlapped=0x0 | out: lpBuffer=0x12c2f300*, lpNumberOfBytesWritten=0x12829a34*=0x118a, lpOverlapped=0x0) returned 1 [0159.980] CloseHandle (hObject=0x408) returned 1 [0159.982] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Application Data" (normalized: "c:\\programdata\\application data"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.982] CreateFileW (lpFileName="C:\\ProgramData\\Application Data" (normalized: "c:\\programdata\\application data"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x408 [0159.982] GetFileInformationByHandle (in: hFile=0x408, lpFileInformation=0x12829bb0 | out: lpFileInformation=0x12829bb0) returned 1 [0159.982] GetFileInformationByHandleEx (in: hFile=0x408, FileInformationClass=0x9, lpFileInformation=0x12829ba8, dwBufferSize=0x8 | out: lpFileInformation=0x12829ba8) returned 1 [0159.982] CloseHandle (hObject=0x408) returned 1 [0159.982] CreateFileW (lpFileName="C:\\Documents and Settings" (normalized: "c:\\documents and settings"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.983] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.983] CreateFileW (lpFileName="C:\\ProgramData\\Application Data" (normalized: "c:\\programdata\\application data"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.983] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Application Data\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.983] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Comms" (normalized: "c:\\programdata\\comms"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0159.983] CreateFileW (lpFileName="C:\\ProgramData\\Comms" (normalized: "c:\\programdata\\comms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.064] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Comms\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0160.064] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.064] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.064] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0160.064] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Comms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\comms\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0160.064] CreateFileW (lpFileName="C:\\ProgramData\\Comms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\comms\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0160.064] CreateFileW (lpFileName="C:\\ProgramData\\Comms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\comms\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0160.065] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0160.065] WriteFile (in: hFile=0x408, lpBuffer=0x12c30600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c30600*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0160.067] CloseHandle (hObject=0x408) returned 1 [0160.068] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Desktop" (normalized: "c:\\programdata\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0160.068] CreateFileW (lpFileName="C:\\ProgramData\\Desktop" (normalized: "c:\\programdata\\desktop"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x408 [0160.068] GetFileInformationByHandle (in: hFile=0x408, lpFileInformation=0x12829bb0 | out: lpFileInformation=0x12829bb0) returned 1 [0160.068] GetFileInformationByHandleEx (in: hFile=0x408, FileInformationClass=0x9, lpFileInformation=0x12829ba8, dwBufferSize=0x8 | out: lpFileInformation=0x12829ba8) returned 1 [0160.068] CloseHandle (hObject=0x408) returned 1 [0160.068] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Documents" (normalized: "c:\\programdata\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0160.069] CreateFileW (lpFileName="C:\\ProgramData\\Documents" (normalized: "c:\\programdata\\documents"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x408 [0160.069] GetFileInformationByHandle (in: hFile=0x408, lpFileInformation=0x12829bb0 | out: lpFileInformation=0x12829bb0) returned 1 [0160.069] GetFileInformationByHandleEx (in: hFile=0x408, FileInformationClass=0x9, lpFileInformation=0x12829ba8, dwBufferSize=0x8 | out: lpFileInformation=0x12829ba8) returned 1 [0160.069] CloseHandle (hObject=0x408) returned 1 [0160.069] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft" (normalized: "c:\\programdata\\microsoft"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0160.069] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft" (normalized: "c:\\programdata\\microsoft"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.069] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0160.069] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.069] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0160.069] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0160.069] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DataMart", cAlternateFileName="")) returned 1 [0160.069] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0160.069] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Diagnosis", cAlternateFileName="DIAGNO~1")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DRM", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MapData", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MF", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Provisioning", cAlternateFileName="PROVIS~1")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmsRouter", cAlternateFileName="SMSROU~1")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WDF", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77d1fe08, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~2")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~3")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMSIPC", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XboxLive", cAlternateFileName="")) returned 1 [0160.070] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.070] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0160.071] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0160.071] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0160.071] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0160.120] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0160.120] WriteFile (in: hFile=0x408, lpBuffer=0x12c31900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c31900*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0160.122] CloseHandle (hObject=0x408) returned 1 [0160.122] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun" (normalized: "c:\\programdata\\microsoft\\clicktorun"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0160.122] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun" (normalized: "c:\\programdata\\microsoft\\clicktorun"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.122] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\*", lpFindFileData=0x12829a94 | out: lpFindFileData=0x12829a94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0160.123] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.123] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4BAD322A-C043-4DED-A97A-6FE0C4412FBE", cAlternateFileName="4BAD32~1")) returned 1 [0160.123] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d04153d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d04153d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d04153d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeploymentConfig.0.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0160.123] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c5095b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeploymentConfig.2.xml", cAlternateFileName="DEPLOY~2.XML")) returned 1 [0160.123] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1 [0160.123] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 1 [0160.123] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4eb55735, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0160.123] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.123] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0160.123] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282975c | out: lpFileInformation=0x1282975c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0160.123] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0160.123] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0160.124] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282996c | out: lpMode=0x1282996c) returned 0 [0160.124] WriteFile (in: hFile=0x408, lpBuffer=0x12c32c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282996c, lpOverlapped=0x0 | out: lpBuffer=0x12c32c00*, lpNumberOfBytesWritten=0x1282996c*=0x118a, lpOverlapped=0x0) returned 1 [0160.125] CloseHandle (hObject=0x408) returned 1 [0160.126] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe"), fInfoLevelId=0x0, lpFileInformation=0x12829b58 | out: lpFileInformation=0x12829b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0160.126] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.126] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*", lpFindFileData=0x12829a30 | out: lpFindFileData=0x12829a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0160.126] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829a74 | out: lpFindFileData=0x12829a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829a74 | out: lpFindFileData=0x12829a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0160.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829a74 | out: lpFindFileData=0x12829a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0160.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829a74 | out: lpFindFileData=0x12829a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.127] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0160.127] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128296f8 | out: lpFileInformation=0x128296f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0160.127] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0160.128] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0160.128] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12829908 | out: lpMode=0x12829908) returned 0 [0160.128] WriteFile (in: hFile=0x408, lpBuffer=0x12c3a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12829908, lpOverlapped=0x0 | out: lpBuffer=0x12c3a000*, lpNumberOfBytesWritten=0x12829908*=0x118a, lpOverlapped=0x0) returned 1 [0160.129] CloseHandle (hObject=0x408) returned 1 [0160.130] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16"), fInfoLevelId=0x0, lpFileInformation=0x12829af4 | out: lpFileInformation=0x12829af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0160.130] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.130] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*", lpFindFileData=0x128299cc | out: lpFindFileData=0x128299cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0160.130] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.130] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f0737, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f0737, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x22d02900, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5765, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0160.130] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f1a63, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f1a63, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x0, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1 [0160.130] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f2f99, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f2f99, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0160.130] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.130] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0160.131] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12829694 | out: lpFileInformation=0x12829694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0160.131] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0160.131] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0160.131] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128298a4 | out: lpMode=0x128298a4) returned 0 [0160.131] WriteFile (in: hFile=0x408, lpBuffer=0x12c3b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128298a4, lpOverlapped=0x0 | out: lpBuffer=0x12c3b300*, lpNumberOfBytesWritten=0x128298a4*=0x118a, lpOverlapped=0x0) returned 1 [0160.132] CloseHandle (hObject=0x408) returned 1 [0160.133] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12829a90 | out: lpFileInformation=0x12829a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f0737, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f0737, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x22d02900, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5765)) returned 1 [0160.133] SetEvent (hEvent=0x1b8) returned 1 [0160.133] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash"), fInfoLevelId=0x0, lpFileInformation=0x12829a90 | out: lpFileInformation=0x12829a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f1a63, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f1a63, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66)) returned 1 [0160.133] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829a90 | out: lpFileInformation=0x12829a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f2f99, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f2f99, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4)) returned 1 [0160.133] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16"), fInfoLevelId=0x0, lpFileInformation=0x12829af4 | out: lpFileInformation=0x12829af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0160.134] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.134] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*", lpFindFileData=0x128299cc | out: lpFindFileData=0x128299cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0160.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x206dcf00, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5220, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0160.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x0, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1 [0160.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0160.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829a10 | out: lpFindFileData=0x12829a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.134] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0160.134] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12829694 | out: lpFileInformation=0x12829694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0160.135] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0160.135] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0160.135] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x128298a4 | out: lpMode=0x128298a4) returned 0 [0160.135] WriteFile (in: hFile=0x408, lpBuffer=0x12c3c600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128298a4, lpOverlapped=0x0 | out: lpBuffer=0x12c3c600*, lpNumberOfBytesWritten=0x128298a4*=0x118a, lpOverlapped=0x0) returned 1 [0160.137] CloseHandle (hObject=0x408) returned 1 [0160.137] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12829a90 | out: lpFileInformation=0x12829a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x206dcf00, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5220)) returned 1 [0160.138] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash"), fInfoLevelId=0x0, lpFileInformation=0x12829a90 | out: lpFileInformation=0x12829a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66)) returned 1 [0160.138] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0160.138] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0160.138] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x206dcf00, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5220)) returned 1 [0160.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99d20 | out: pbBuffer=0x12a99d20) returned 1 [0160.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9bde8 | out: pbBuffer=0x12a9bde8) returned 1 [0160.242] ReadFile (in: hFile=0x408, lpBuffer=0x12ac4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac4000*, lpNumberOfBytesRead=0x1282fd1c*=0x5220, lpOverlapped=0x0) returned 1 [0160.244] GetFileType (hFile=0x408) returned 0x1 [0160.244] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0160.244] WriteFile (in: hFile=0x408, lpBuffer=0x1289d500*, nNumberOfBytesToWrite=0x5220, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x1289d500*, lpNumberOfBytesWritten=0x1282fd00*=0x5220, lpOverlapped=0x1282fd0c) returned 1 [0160.245] GetFileType (hFile=0x408) returned 0x1 [0160.245] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x5220, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0162.070] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0162.264] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0162.429] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat"), fInfoLevelId=0x0, lpFileInformation=0x12921ad0 | out: lpFileInformation=0x12921ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f2f99, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f2f99, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4)) returned 1 [0162.430] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99e20 | out: pbBuffer=0x12a99e20) returned 1 [0162.430] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9be70 | out: pbBuffer=0x12a9be70) returned 1 [0162.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9be80 | out: pbBuffer=0x12a9be80) returned 1 [0162.605] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0162.606] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0162.742] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0162.864] CloseHandle (hObject=0x1a0) returned 1 [0162.866] CloseHandle (hObject=0x424) returned 1 [0162.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9be98 | out: pbBuffer=0x12a9be98) returned 1 [0163.004] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\#_THIS_FILE_IS_ENCRYPTED_[89F19639FD327258]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\#_this_file_is_encrypted_[89f19639fd327258]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0163.055] SetEvent (hEvent=0x104) returned 1 [0163.064] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0163.643] SetEvent (hEvent=0x3f8) returned 1 [0163.643] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0163.844] SetEvent (hEvent=0x1b8) returned 1 [0163.859] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0164.080] SetEvent (hEvent=0x1b8) returned 1 [0164.081] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0164.210] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0164.223] SetEvent (hEvent=0x1b8) returned 1 [0164.223] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0164.331] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0164.332] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0164.332] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7a88c0, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a88c0, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c90210, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x266)) returned 1 [0164.332] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0164.332] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0164.333] ReadFile (in: hFile=0x41c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12927d1c*=0x266, lpOverlapped=0x0) returned 1 [0164.455] GetFileType (hFile=0x41c) returned 0x1 [0164.455] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.455] WriteFile (in: hFile=0x41c, lpBuffer=0x12b0c000*, nNumberOfBytesToWrite=0x266, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12b0c000*, lpNumberOfBytesWritten=0x12927d00*=0x266, lpOverlapped=0x12927d0c) returned 1 [0164.456] GetFileType (hFile=0x41c) returned 0x1 [0164.456] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x266, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.456] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0164.456] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0164.457] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0164.457] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1b0 | out: pbBuffer=0x12a9a1b0) returned 1 [0164.457] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x410 [0164.457] GetConsoleMode (in: hConsoleHandle=0x410, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0164.457] WriteFile (in: hFile=0x410, lpBuffer=0x12bac000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12bac000*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0164.458] CloseHandle (hObject=0x410) returned 1 [0164.459] CloseHandle (hObject=0x41c) returned 1 [0164.459] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1c8 | out: pbBuffer=0x12a9a1c8) returned 1 [0164.459] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\#_THIS_FILE_IS_ENCRYPTED_[244E9AE06B9A4EBB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\#_this_file_is_encrypted_[244e9ae06b9a4ebb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0164.461] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0167.927] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0167.953] SetEvent (hEvent=0x40c) returned 1 [0167.953] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0167.955] SetEvent (hEvent=0x40c) returned 1 [0167.955] SetEvent (hEvent=0x1d0) returned 1 [0167.955] SwitchToThread () returned 1 [0168.011] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0168.026] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0168.179] SetEvent (hEvent=0x1d0) returned 1 [0168.179] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0168.180] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0168.180] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65d08901, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x636e)) returned 1 [0168.180] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0168.180] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914780 | out: pbBuffer=0x12914780) returned 1 [0168.180] ReadFile (in: hFile=0x424, lpBuffer=0x12a28000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a28000*, lpNumberOfBytesRead=0x12a67d1c*=0x636e, lpOverlapped=0x0) returned 1 [0168.195] GetFileType (hFile=0x424) returned 0x1 [0168.195] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.195] WriteFile (in: hFile=0x424, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x636e, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12a67d00*=0x636e, lpOverlapped=0x12a67d0c) returned 1 [0168.195] GetFileType (hFile=0x424) returned 0x1 [0168.195] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x636e, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0168.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0168.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0168.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914878 | out: pbBuffer=0x12914878) returned 1 [0168.197] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0168.197] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0168.197] WriteFile (in: hFile=0x408, lpBuffer=0x12af4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0168.197] CloseHandle (hObject=0x408) returned 1 [0168.215] CloseHandle (hObject=0x424) returned 1 [0168.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129148a0 | out: pbBuffer=0x129148a0) returned 1 [0168.220] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[E76ECF273ED1CE3D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[e76ecf273ed1ce3d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.347] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0168.354] SetEvent (hEvent=0x1d0) returned 1 [0168.354] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0168.355] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0168.355] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a0dba7, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82a0dba7, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64ca2e69, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x15286)) returned 1 [0168.355] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6e0 | out: pbBuffer=0x1280e6e0) returned 1 [0168.355] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810288 | out: pbBuffer=0x12810288) returned 1 [0168.355] ReadFile (in: hFile=0x19c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a67d1c*=0x15286, lpOverlapped=0x0) returned 1 [0168.366] GetFileType (hFile=0x19c) returned 0x1 [0168.367] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.367] WriteFile (in: hFile=0x19c, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x15286, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x12a67d00*=0x15286, lpOverlapped=0x12a67d0c) returned 1 [0168.367] GetFileType (hFile=0x19c) returned 0x1 [0168.367] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x15286, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0168.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0168.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0168.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810340 | out: pbBuffer=0x12810340) returned 1 [0168.368] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0168.369] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0168.369] WriteFile (in: hFile=0x41c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0168.369] CloseHandle (hObject=0x41c) returned 1 [0168.525] CloseHandle (hObject=0x19c) returned 1 [0168.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810358 | out: pbBuffer=0x12810358) returned 1 [0168.544] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[BE4632D17D91E644]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[be4632d17d91e644]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.671] SwitchToThread () returned 1 [0168.801] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0168.824] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0168.846] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0168.951] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0169.005] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0169.122] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0169.193] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0169.232] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0169.282] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0169.338] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0169.359] SetEvent (hEvent=0x10c) returned 1 [0169.359] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0169.369] SetEvent (hEvent=0x1d0) returned 1 [0169.370] SetEvent (hEvent=0x40c) returned 1 [0169.370] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0169.395] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0169.398] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0169.398] SetEvent (hEvent=0x1b8) returned 1 [0169.398] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0169.474] SetEvent (hEvent=0x10c) returned 1 [0169.474] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0170.123] SetEvent (hEvent=0x1b8) returned 1 [0170.123] SetEvent (hEvent=0x40c) returned 1 [0170.123] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0170.182] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0174.964] SetEvent (hEvent=0x3f8) returned 1 [0174.964] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0175.032] SetEvent (hEvent=0x420) returned 1 [0175.032] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0175.033] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0175.033] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa15d3ecf, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa15d3ecf, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa15fa13e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x159d)) returned 1 [0175.033] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0175.033] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810048 | out: pbBuffer=0x12810048) returned 1 [0175.033] ReadFile (in: hFile=0x42c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12925d1c*=0x159d, lpOverlapped=0x0) returned 1 [0175.115] GetFileType (hFile=0x42c) returned 0x1 [0175.115] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.115] WriteFile (in: hFile=0x42c, lpBuffer=0x12bf8000*, nNumberOfBytesToWrite=0x159d, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12bf8000*, lpNumberOfBytesWritten=0x12925d00*=0x159d, lpOverlapped=0x12925d0c) returned 1 [0175.144] GetFileType (hFile=0x42c) returned 0x1 [0175.144] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x159d, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.144] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0175.144] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0175.145] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0175.145] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101c0 | out: pbBuffer=0x128101c0) returned 1 [0175.145] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0175.146] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0175.146] WriteFile (in: hFile=0x43c, lpBuffer=0x12b02500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02500*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.155] CloseHandle (hObject=0x43c) returned 1 [0175.157] CloseHandle (hObject=0x42c) returned 1 [0175.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101d8 | out: pbBuffer=0x128101d8) returned 1 [0175.198] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\#_THIS_FILE_IS_ENCRYPTED_[D754FBFF815ECAC8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\#_this_file_is_encrypted_[d754fbff815ecac8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.228] SetEvent (hEvent=0x3f8) returned 1 [0175.228] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0175.228] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0175.228] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0175.229] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128448e0 | out: pbBuffer=0x128448e0) returned 1 [0175.229] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810220 | out: pbBuffer=0x12810220) returned 1 [0175.229] ReadFile (in: hFile=0x15c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12925d1c*=0x10f, lpOverlapped=0x0) returned 1 [0175.231] GetFileType (hFile=0x15c) returned 0x1 [0175.231] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.231] WriteFile (in: hFile=0x15c, lpBuffer=0x12851b00*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12851b00*, lpNumberOfBytesWritten=0x12925d00*=0x10f, lpOverlapped=0x12925d0c) returned 1 [0175.244] GetFileType (hFile=0x15c) returned 0x1 [0175.244] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0175.246] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0175.246] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0175.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102e8 | out: pbBuffer=0x128102e8) returned 1 [0175.247] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0175.247] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0175.247] WriteFile (in: hFile=0x428, lpBuffer=0x12b02a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02a00*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.271] CloseHandle (hObject=0x428) returned 1 [0175.272] CloseHandle (hObject=0x15c) returned 1 [0175.273] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810340 | out: pbBuffer=0x12810340) returned 1 [0175.273] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\#_THIS_FILE_IS_ENCRYPTED_[D814440E397413F3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\#_this_file_is_encrypted_[d814440e397413f3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.274] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0175.293] SetEvent (hEvent=0x40c) returned 1 [0175.293] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0175.293] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0175.294] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12921ad0 | out: lpFileInformation=0x12921ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa214da47, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa214da47, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2173cb2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xbd7)) returned 1 [0175.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844d00 | out: pbBuffer=0x12844d00) returned 1 [0175.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810388 | out: pbBuffer=0x12810388) returned 1 [0175.294] ReadFile (in: hFile=0x438, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12921d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12921d1c*=0xbd7, lpOverlapped=0x0) returned 1 [0175.328] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0175.335] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0175.335] SetEvent (hEvent=0x110) returned 1 [0175.335] SetEvent (hEvent=0x40c) returned 1 [0175.336] GetFileType (hFile=0x438) returned 0x1 [0175.336] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.336] WriteFile (in: hFile=0x438, lpBuffer=0x12d5e000*, nNumberOfBytesToWrite=0xbd7, lpNumberOfBytesWritten=0x12921d00, lpOverlapped=0x12921d0c | out: lpBuffer=0x12d5e000*, lpNumberOfBytesWritten=0x12921d00*=0xbd7, lpOverlapped=0x12921d0c) returned 1 [0175.336] GetFileType (hFile=0x438) returned 0x1 [0175.336] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xbd7, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0175.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0175.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801481 | out: pbBuffer=0x12801481) returned 1 [0175.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810520 | out: pbBuffer=0x12810520) returned 1 [0175.338] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0175.338] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0175.338] WriteFile (in: hFile=0x15c, lpBuffer=0x12b03400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12921d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b03400*, lpNumberOfBytesWritten=0x12921d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.338] CloseHandle (hObject=0x15c) returned 1 [0175.340] CloseHandle (hObject=0x438) returned 1 [0175.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810538 | out: pbBuffer=0x12810538) returned 1 [0175.340] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[0FF8D39C26151C9A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\#_this_file_is_encrypted_[0ff8d39c26151c9a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.342] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0175.349] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0175.424] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0175.432] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0175.432] SetEvent (hEvent=0x110) returned 1 [0175.432] SetEvent (hEvent=0x3f8) returned 1 [0175.432] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0175.435] GetFileType (hFile=0x428) returned 0x1 [0175.435] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.435] WriteFile (in: hFile=0x428, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0x1988, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x12927d00*=0x1988, lpOverlapped=0x12927d0c) returned 1 [0175.435] GetFileType (hFile=0x428) returned 0x1 [0175.436] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x1988, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0175.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0175.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0175.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914540 | out: pbBuffer=0x12914540) returned 1 [0175.436] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0175.437] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0175.437] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.437] CloseHandle (hObject=0x42c) returned 1 [0175.439] CloseHandle (hObject=0x428) returned 1 [0175.440] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914568 | out: pbBuffer=0x12914568) returned 1 [0175.440] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\#_THIS_FILE_IS_ENCRYPTED_[2952846CB8E67A8A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\#_this_file_is_encrypted_[2952846cb8e67a8a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.442] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0175.442] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0175.496] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0175.548] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c629f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c629f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1f35, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0175.548] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0175.548] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0175.548] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0175.548] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0175.550] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0175.552] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0175.552] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0175.553] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0175.553] WriteFile (in: hFile=0x428, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0175.554] CloseHandle (hObject=0x428) returned 1 [0175.555] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0175.600] SetEvent (hEvent=0x3f8) returned 1 [0175.600] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0175.601] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0175.601] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0175.601] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0175.601] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0175.601] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19b3e1c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19b3e1c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0175.601] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0175.602] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0175.602] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0175.602] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0175.602] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0175.603] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0175.603] WriteFile (in: hFile=0x428, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0175.605] CloseHandle (hObject=0x428) returned 1 [0175.605] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0175.606] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0175.606] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0175.606] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0175.606] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa198dbb0, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa198dbb0, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19b3e1c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xfcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0175.606] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19da08f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0175.607] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1 [0175.607] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0175.607] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0175.607] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0175.607] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0175.607] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0175.659] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0175.659] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0175.660] CloseHandle (hObject=0x1a0) returned 1 [0175.661] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa198dbb0, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa198dbb0, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19b3e1c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xfcb)) returned 1 [0175.706] SetEvent (hEvent=0x3f8) returned 1 [0175.706] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19da08f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcec)) returned 1 [0175.706] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716)) returned 1 [0175.706] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19b3e1c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19b3e1c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22b)) returned 1 [0175.706] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c629f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c629f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1f35)) returned 1 [0175.706] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0175.707] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0175.707] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19b3e1c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19b3e1c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22b)) returned 1 [0175.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928300 | out: pbBuffer=0x12928300) returned 1 [0175.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146f0 | out: pbBuffer=0x129146f0) returned 1 [0175.707] ReadFile (in: hFile=0x428, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x22b, lpOverlapped=0x0) returned 1 [0175.709] GetFileType (hFile=0x428) returned 0x1 [0175.709] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0175.709] WriteFile (in: hFile=0x428, lpBuffer=0x12a8c000*, nNumberOfBytesToWrite=0x22b, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12a8c000*, lpNumberOfBytesWritten=0x1282fd00*=0x22b, lpOverlapped=0x1282fd0c) returned 1 [0175.727] GetFileType (hFile=0x428) returned 0x1 [0175.727] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x22b, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0175.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0175.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0175.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0175.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129147e8 | out: pbBuffer=0x129147e8) returned 1 [0175.727] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0175.728] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0175.728] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0175.775] CloseHandle (hObject=0x42c) returned 1 [0175.776] CloseHandle (hObject=0x428) returned 1 [0175.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914810 | out: pbBuffer=0x12914810) returned 1 [0175.777] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[39CAD1A91C35198F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\#_this_file_is_encrypted_[39cad1a91c35198f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.923] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0175.923] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0175.923] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c629f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c629f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1f35)) returned 1 [0175.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928560 | out: pbBuffer=0x12928560) returned 1 [0175.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914878 | out: pbBuffer=0x12914878) returned 1 [0175.924] ReadFile (in: hFile=0x428, lpBuffer=0x12bcc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bcc000*, lpNumberOfBytesRead=0x1282fd1c*=0x1f35, lpOverlapped=0x0) returned 1 [0176.025] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0176.103] GetFileType (hFile=0x428) returned 0x1 [0176.103] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0176.104] WriteFile (in: hFile=0x428, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x1f35, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x1282fd00*=0x1f35, lpOverlapped=0x1282fd0c) returned 1 [0176.104] GetFileType (hFile=0x428) returned 0x1 [0176.104] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x1f35, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0176.104] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0176.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0176.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0176.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a180 | out: pbBuffer=0x12a9a180) returned 1 [0176.105] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0176.106] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0176.106] WriteFile (in: hFile=0x42c, lpBuffer=0x1285c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x1285c000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0176.106] CloseHandle (hObject=0x42c) returned 1 [0176.108] CloseHandle (hObject=0x428) returned 1 [0176.108] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1a8 | out: pbBuffer=0x12a9a1a8) returned 1 [0176.108] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\#_THIS_FILE_IS_ENCRYPTED_[F6970239EF3A68CA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\#_this_file_is_encrypted_[f6970239ef3a68ca]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0176.275] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0176.331] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0176.427] SetEvent (hEvent=0x19c) returned 1 [0176.428] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0176.428] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0176.428] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa166c88f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0176.428] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0176.428] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810150 | out: pbBuffer=0x12810150) returned 1 [0176.429] ReadFile (in: hFile=0x1a0, lpBuffer=0x12d36000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d36000*, lpNumberOfBytesRead=0x12927d1c*=0x10f, lpOverlapped=0x0) returned 1 [0176.431] GetFileType (hFile=0x1a0) returned 0x1 [0176.431] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.431] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a58d80*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12a58d80*, lpNumberOfBytesWritten=0x12927d00*=0x10f, lpOverlapped=0x12927d0c) returned 1 [0176.432] GetFileType (hFile=0x1a0) returned 0x1 [0176.432] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.432] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0176.432] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0176.432] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0176.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810208 | out: pbBuffer=0x12810208) returned 1 [0176.433] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0176.433] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0176.433] WriteFile (in: hFile=0x428, lpBuffer=0x12d62500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d62500*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0176.659] CloseHandle (hObject=0x428) returned 1 [0176.661] CloseHandle (hObject=0x1a0) returned 1 [0176.662] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0176.663] SetEvent (hEvent=0xf4) returned 1 [0176.663] SetEvent (hEvent=0x3f4) returned 1 [0176.664] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0176.664] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ce2cc2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0176.664] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0176.664] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0176.664] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0176.664] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0176.665] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.667] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.667] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0176.667] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0176.667] WriteFile (in: hFile=0x15c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0176.669] CloseHandle (hObject=0x15c) returned 1 [0176.669] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0176.724] SwitchToThread () returned 1 [0177.179] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810078 | out: pbBuffer=0x12810078) returned 1 [0179.819] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0179.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0179.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0180.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810138 | out: pbBuffer=0x12810138) returned 1 [0180.175] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0180.176] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0180.176] WriteFile (in: hFile=0x42c, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0180.176] CloseHandle (hObject=0x42c) returned 1 [0180.178] CloseHandle (hObject=0x1a0) returned 1 [0180.178] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810150 | out: pbBuffer=0x12810150) returned 1 [0180.179] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[E0EC5C21C31EBD55]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\#_this_file_is_encrypted_[e0ec5c21c31ebd55]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0180.180] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c)) returned 1 [0180.180] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c88c62, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c88c62, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1cac)) returned 1 [0180.180] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0180.181] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0180.181] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c)) returned 1 [0180.181] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128444e0 | out: pbBuffer=0x128444e0) returned 1 [0180.181] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810198 | out: pbBuffer=0x12810198) returned 1 [0180.181] ReadFile (in: hFile=0x1a0, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12a63d1c*=0x15c, lpOverlapped=0x0) returned 1 [0180.182] GetFileType (hFile=0x1a0) returned 0x1 [0180.183] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0180.183] WriteFile (in: hFile=0x1a0, lpBuffer=0x12bf8000*, nNumberOfBytesToWrite=0x15c, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12bf8000*, lpNumberOfBytesWritten=0x12a63d00*=0x15c, lpOverlapped=0x12a63d0c) returned 1 [0180.183] GetFileType (hFile=0x1a0) returned 0x1 [0180.183] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x15c, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0180.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0180.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0180.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0180.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810330 | out: pbBuffer=0x12810330) returned 1 [0180.183] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0180.184] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0180.184] WriteFile (in: hFile=0x42c, lpBuffer=0x12b12500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12500*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0180.428] SetEvent (hEvent=0x110) returned 1 [0180.428] CloseHandle (hObject=0x42c) returned 1 [0180.431] CloseHandle (hObject=0x1a0) returned 1 [0180.431] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914638 | out: pbBuffer=0x12914638) returned 1 [0180.431] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[BEC7C0011110DE24]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\#_this_file_is_encrypted_[bec7c0011110de24]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0180.625] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0180.632] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.632] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0180.632] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0180.632] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0180.632] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12ff08c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12ff08c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0180.632] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0180.633] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0180.633] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.633] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.633] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0180.634] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0180.634] WriteFile (in: hFile=0x1a0, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0180.635] CloseHandle (hObject=0x1a0) returned 1 [0180.636] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0180.636] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.636] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0180.636] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0180.636] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12d8e21, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12d8e21, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa12ff08c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0180.636] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0180.636] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0180.636] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0180.637] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.637] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.637] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0180.848] SetEvent (hEvent=0x110) returned 1 [0180.848] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0180.848] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0180.849] CloseHandle (hObject=0x1a0) returned 1 [0180.850] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12d8e21, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12d8e21, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa12ff08c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71a)) returned 1 [0180.916] SetEvent (hEvent=0x1d0) returned 1 [0180.928] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710)) returned 1 [0180.929] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12ff08c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12ff08c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139)) returned 1 [0180.929] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xd1c)) returned 1 [0180.930] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0180.930] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.930] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0181.027] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.027] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d7b677, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d7b677, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0da18e6, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0181.027] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d2f19c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d2f19c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0181.027] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0181.028] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.028] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0181.029] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.030] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.030] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0181.031] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0181.031] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0181.032] CloseHandle (hObject=0x1a0) returned 1 [0181.033] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d2f19c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d2f19c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0181.050] SetEvent (hEvent=0x420) returned 1 [0181.051] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.051] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.051] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0181.051] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.051] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0181.051] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d08f31, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d08f31, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0181.051] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.051] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0181.052] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.052] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.052] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.053] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0181.053] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0181.054] CloseHandle (hObject=0x3c4) returned 1 [0181.055] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.055] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.055] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0181.055] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.055] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0181.055] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.056] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0181.056] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.056] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.056] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.057] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0181.057] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0181.058] CloseHandle (hObject=0x3c4) returned 1 [0181.059] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663)) returned 1 [0181.059] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d08f31, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d08f31, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c)) returned 1 [0181.059] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.059] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.059] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663)) returned 1 [0181.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844560 | out: pbBuffer=0x12844560) returned 1 [0181.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102f0 | out: pbBuffer=0x128102f0) returned 1 [0181.061] ReadFile (in: hFile=0x3c4, lpBuffer=0x129aa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x129aa000*, lpNumberOfBytesRead=0x12a63d1c*=0x663, lpOverlapped=0x0) returned 1 [0181.096] GetFileType (hFile=0x3c4) returned 0x1 [0181.096] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.096] WriteFile (in: hFile=0x3c4, lpBuffer=0x1290c700*, nNumberOfBytesToWrite=0x663, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x1290c700*, lpNumberOfBytesWritten=0x12a63d00*=0x663, lpOverlapped=0x12a63d0c) returned 1 [0181.097] GetFileType (hFile=0x3c4) returned 0x1 [0181.097] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x663, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.097] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0181.097] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0181.097] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0181.097] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128104b8 | out: pbBuffer=0x128104b8) returned 1 [0181.097] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0181.098] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.098] WriteFile (in: hFile=0x42c, lpBuffer=0x128ae500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae500*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.098] CloseHandle (hObject=0x42c) returned 1 [0181.101] CloseHandle (hObject=0x3c4) returned 1 [0181.102] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104d0 | out: pbBuffer=0x128104d0) returned 1 [0181.102] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[FAADE9B040C5E123]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\#_this_file_is_encrypted_[faade9b040c5e123]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.103] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d7b677, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d7b677, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0da18e6, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8a0)) returned 1 [0181.104] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.151] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.151] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0181.155] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.155] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebc2ab1, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xebc2ab1, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xebc2ab1, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x666, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0181.155] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0181.155] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0181.155] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.155] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0181.156] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.157] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.157] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.160] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0181.160] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d60000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12d60000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0181.161] CloseHandle (hObject=0x3c4) returned 1 [0181.162] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0181.168] SetEvent (hEvent=0x1d0) returned 1 [0181.168] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.168] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.168] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0181.168] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.169] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0181.169] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0181.169] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.169] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0181.169] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.169] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.169] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.170] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0181.170] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d61300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12d61300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0181.171] CloseHandle (hObject=0x3c4) returned 1 [0181.171] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.177] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0181.193] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.193] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0181.194] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.194] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0181.194] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.194] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0181.194] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.194] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.194] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0181.195] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0181.195] WriteFile (in: hFile=0x438, lpBuffer=0x12d62600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12d62600*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0181.199] CloseHandle (hObject=0x438) returned 1 [0181.199] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5)) returned 1 [0181.200] SetEvent (hEvent=0x3f8) returned 1 [0181.200] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0181.203] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0181.219] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0181.219] SetEvent (hEvent=0xf4) returned 1 [0181.219] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0181.293] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.294] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.294] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18cef80, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18cef80, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18cef80, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0181.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0181.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0181.294] ReadFile (in: hFile=0x428, lpBuffer=0x12bfe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bfe000*, lpNumberOfBytesRead=0x12a63d1c*=0x10f, lpOverlapped=0x0) returned 1 [0181.296] GetFileType (hFile=0x428) returned 0x1 [0181.296] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.296] WriteFile (in: hFile=0x428, lpBuffer=0x12908900*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12908900*, lpNumberOfBytesWritten=0x12a63d00*=0x10f, lpOverlapped=0x12a63d0c) returned 1 [0181.296] GetFileType (hFile=0x428) returned 0x1 [0181.296] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0181.297] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0181.297] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0181.297] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0181.297] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0181.297] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.298] WriteFile (in: hFile=0x43c, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.315] CloseHandle (hObject=0x43c) returned 1 [0181.316] CloseHandle (hObject=0x428) returned 1 [0181.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0181.317] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\#_THIS_FILE_IS_ENCRYPTED_[A02A2D3F09B59F05]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\#_this_file_is_encrypted_[a02a2d3f09b59f05]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.318] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.319] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.319] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18f51ef, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18f51ef, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18f51ef, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71d)) returned 1 [0181.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e460 | out: pbBuffer=0x1280e460) returned 1 [0181.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a130 | out: pbBuffer=0x12a9a130) returned 1 [0181.319] ReadFile (in: hFile=0x428, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a63d1c*=0x71d, lpOverlapped=0x0) returned 1 [0181.358] GetFileType (hFile=0x428) returned 0x1 [0181.358] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.358] WriteFile (in: hFile=0x428, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x71d, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12a63d00*=0x71d, lpOverlapped=0x12a63d0c) returned 1 [0181.399] GetFileType (hFile=0x428) returned 0x1 [0181.399] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x71d, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0181.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0181.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0181.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1f8 | out: pbBuffer=0x12a9a1f8) returned 1 [0181.400] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0181.400] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.400] WriteFile (in: hFile=0x15c, lpBuffer=0x12b12500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12500*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.408] CloseHandle (hObject=0x15c) returned 1 [0181.410] CloseHandle (hObject=0x428) returned 1 [0181.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a260 | out: pbBuffer=0x12a9a260) returned 1 [0181.419] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\#_THIS_FILE_IS_ENCRYPTED_[F7418E0AF4013702]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\#_this_file_is_encrypted_[f7418e0af4013702]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.526] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0181.527] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.527] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732)) returned 1 [0181.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e900 | out: pbBuffer=0x1280e900) returned 1 [0181.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a450 | out: pbBuffer=0x12a9a450) returned 1 [0181.527] ReadFile (in: hFile=0x42c, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12a63d1c*=0x732, lpOverlapped=0x0) returned 1 [0181.547] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0181.728] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0182.159] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0182.238] GetFileType (hFile=0x428) returned 0x1 [0182.238] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.239] WriteFile (in: hFile=0x428, lpBuffer=0x1299e000*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x1299e000*, lpNumberOfBytesWritten=0x12a63d00*=0xe63, lpOverlapped=0x12a63d0c) returned 1 [0182.239] GetFileType (hFile=0x428) returned 0x1 [0182.239] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xe63, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0182.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0182.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0182.240] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914540 | out: pbBuffer=0x12914540) returned 1 [0182.240] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.240] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.240] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.241] CloseHandle (hObject=0x42c) returned 1 [0182.242] CloseHandle (hObject=0x428) returned 1 [0182.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145b8 | out: pbBuffer=0x129145b8) returned 1 [0182.242] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_5.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[6B4269A89DC4E8C4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\#_this_file_is_encrypted_[6b4269a89dc4e8c4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.244] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0182.244] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0182.244] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa9d106f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xaa9d106f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaa9d106f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x6eb8)) returned 1 [0182.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0182.245] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914600 | out: pbBuffer=0x12914600) returned 1 [0182.245] ReadFile (in: hFile=0x428, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a61d1c*=0x6eb8, lpOverlapped=0x0) returned 1 [0182.329] GetFileType (hFile=0x428) returned 0x1 [0182.329] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.329] WriteFile (in: hFile=0x428, lpBuffer=0x12cf0000*, nNumberOfBytesToWrite=0x6eb8, lpNumberOfBytesWritten=0x12a61d00, lpOverlapped=0x12a61d0c | out: lpBuffer=0x12cf0000*, lpNumberOfBytesWritten=0x12a61d00*=0x6eb8, lpOverlapped=0x12a61d0c) returned 1 [0182.330] GetFileType (hFile=0x428) returned 0x1 [0182.330] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x6eb8, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.330] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0182.330] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a01 | out: pbBuffer=0x12834a01) returned 1 [0182.330] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0182.330] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129146c8 | out: pbBuffer=0x129146c8) returned 1 [0182.330] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0182.331] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0182.331] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a58a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58a00*, lpNumberOfBytesWritten=0x12a61d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.331] CloseHandle (hObject=0x3c4) returned 1 [0182.337] CloseHandle (hObject=0x428) returned 1 [0182.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146e0 | out: pbBuffer=0x129146e0) returned 1 [0182.337] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\#_THIS_FILE_IS_ENCRYPTED_[B55F0558CEFEC13C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\#_this_file_is_encrypted_[b55f0558cefec13c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.339] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0182.381] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0182.386] SetEvent (hEvent=0x3f4) returned 1 [0182.386] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.386] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0182.386] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.png"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518)) returned 1 [0182.387] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ef60 | out: pbBuffer=0x1280ef60) returned 1 [0182.387] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8098 | out: pbBuffer=0x128e8098) returned 1 [0182.387] ReadFile (in: hFile=0x1a0, lpBuffer=0x129e6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x129e6000*, lpNumberOfBytesRead=0x12a61d1c*=0x1518, lpOverlapped=0x0) returned 1 [0182.556] GetFileType (hFile=0x1a0) returned 0x1 [0182.557] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.557] WriteFile (in: hFile=0x1a0, lpBuffer=0x12916000*, nNumberOfBytesToWrite=0x1518, lpNumberOfBytesWritten=0x12a61d00, lpOverlapped=0x12a61d0c | out: lpBuffer=0x12916000*, lpNumberOfBytesWritten=0x12a61d00*=0x1518, lpOverlapped=0x12a61d0c) returned 1 [0182.557] GetFileType (hFile=0x1a0) returned 0x1 [0182.557] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1518, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0182.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0182.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0182.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101c0 | out: pbBuffer=0x128101c0) returned 1 [0182.558] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0182.558] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0182.558] WriteFile (in: hFile=0x15c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a61d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.558] CloseHandle (hObject=0x15c) returned 1 [0182.559] CloseHandle (hObject=0x1a0) returned 1 [0182.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101d8 | out: pbBuffer=0x128101d8) returned 1 [0182.560] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.png"), lpNewFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\#_THIS_FILE_IS_ENCRYPTED_[F7538BA494DE3719]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\user account pictures\\#_this_file_is_encrypted_[f7538ba494de3719]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.561] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038)) returned 1 [0182.561] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.png"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518)) returned 1 [0182.561] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.562] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0182.562] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038)) returned 1 [0182.562] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0182.562] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810220 | out: pbBuffer=0x12810220) returned 1 [0182.562] ReadFile (in: hFile=0x1a0, lpBuffer=0x12a26000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a26000*, lpNumberOfBytesRead=0x12a61d1c*=0x20000, lpOverlapped=0x0) returned 1 [0182.618] GetFileType (hFile=0x1a0) returned 0x1 [0182.618] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.618] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d16000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a61d00, lpOverlapped=0x12a61d0c | out: lpBuffer=0x12d16000*, lpNumberOfBytesWritten=0x12a61d00*=0x20000, lpOverlapped=0x12a61d0c) returned 1 [0182.620] GetFileType (hFile=0x1a0) returned 0x1 [0182.620] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0182.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0182.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0182.621] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810388 | out: pbBuffer=0x12810388) returned 1 [0182.621] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0182.621] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0182.621] WriteFile (in: hFile=0x448, lpBuffer=0x12a58500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58500*, lpNumberOfBytesWritten=0x12a61d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.691] CloseHandle (hObject=0x448) returned 1 [0182.765] CloseHandle (hObject=0x1a0) returned 1 [0182.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103a0 | out: pbBuffer=0x128103a0) returned 1 [0182.765] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\#_THIS_FILE_IS_ENCRYPTED_[9D8FD99F18F6AAC9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\user account pictures\\#_this_file_is_encrypted_[9d8fd99f18f6aac9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.790] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0182.873] SetEvent (hEvent=0x420) returned 1 [0182.874] SetEvent (hEvent=0x3f4) returned 1 [0182.874] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0182.891] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0182.898] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0182.898] SetEvent (hEvent=0x420) returned 1 [0182.899] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0182.960] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0183.205] SetEvent (hEvent=0x19c) returned 1 [0183.205] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0183.205] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0183.205] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000)) returned 1 [0183.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0183.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0183.206] ReadFile (in: hFile=0x42c, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0183.268] GetFileType (hFile=0x42c) returned 0x1 [0183.268] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0183.269] WriteFile (in: hFile=0x42c, lpBuffer=0x12cae000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12cae000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0183.269] GetFileType (hFile=0x42c) returned 0x1 [0183.269] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0183.270] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0183.270] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0183.270] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0183.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101e0 | out: pbBuffer=0x128101e0) returned 1 [0183.271] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0183.271] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0183.271] WriteFile (in: hFile=0x438, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0183.272] CloseHandle (hObject=0x438) returned 1 [0183.564] CloseHandle (hObject=0x42c) returned 1 [0183.564] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101f8 | out: pbBuffer=0x128101f8) returned 1 [0183.575] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\#_THIS_FILE_IS_ENCRYPTED_[B009EA440FD2299D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\#_this_file_is_encrypted_[b009ea440fd2299d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0183.577] SetEvent (hEvent=0x19c) returned 1 [0183.578] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0183.578] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0183.578] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec849b00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xec849b00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xec849b00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x2f000)) returned 1 [0183.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928480 | out: pbBuffer=0x12928480) returned 1 [0183.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0183.579] ReadFile (in: hFile=0x42c, lpBuffer=0x12cee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cee000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0183.675] GetFileType (hFile=0x42c) returned 0x1 [0183.675] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0183.675] WriteFile (in: hFile=0x42c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0183.676] GetFileType (hFile=0x42c) returned 0x1 [0183.676] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0183.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0183.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a01 | out: pbBuffer=0x12834a01) returned 1 [0183.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0183.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810308 | out: pbBuffer=0x12810308) returned 1 [0183.677] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0183.678] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0183.678] WriteFile (in: hFile=0x15c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0183.678] CloseHandle (hObject=0x15c) returned 1 [0183.704] CloseHandle (hObject=0x42c) returned 1 [0183.704] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810320 | out: pbBuffer=0x12810320) returned 1 [0183.705] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\#_THIS_FILE_IS_ENCRYPTED_[22D07D0A80F144C1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\#_this_file_is_encrypted_[22d07d0a80f144c1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0184.020] SetEvent (hEvent=0x110) returned 1 [0184.020] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0184.070] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0184.075] SetEvent (hEvent=0x420) returned 1 [0184.075] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0184.099] SetEvent (hEvent=0x1d0) returned 1 [0184.100] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0184.100] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0184.100] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18637300, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x18637300, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0x18637300, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x588124)) returned 1 [0184.100] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0184.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0184.101] ReadFile (in: hFile=0x428, lpBuffer=0x12d10000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d10000*, lpNumberOfBytesRead=0x12d35d1c*=0x20000, lpOverlapped=0x0) returned 1 [0184.128] GetFileType (hFile=0x428) returned 0x1 [0184.128] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0184.128] WriteFile (in: hFile=0x428, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12d35d00*=0x20000, lpOverlapped=0x12d35d0c) returned 1 [0184.129] GetFileType (hFile=0x428) returned 0x1 [0184.129] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0184.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0184.130] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0184.130] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0184.130] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0184.130] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0184.130] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0184.130] WriteFile (in: hFile=0x438, lpBuffer=0x12c38500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38500*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0184.159] CloseHandle (hObject=0x438) returned 1 [0185.101] CloseHandle (hObject=0x428) returned 1 [0185.297] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0185.604] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\#_THIS_FILE_IS_ENCRYPTED_[A196AF2EBBA0A084]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\#_this_file_is_encrypted_[a196af2ebba0a084]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0185.606] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0185.734] SwitchToThread () returned 1 [0185.752] SetEvent (hEvent=0x420) returned 1 [0186.326] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0186.394] SetEvent (hEvent=0x1d0) returned 1 [0186.394] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0186.464] SetEvent (hEvent=0x420) returned 1 [0186.466] SwitchToThread () returned 1 [0186.558] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0186.753] SetEvent (hEvent=0x3f4) returned 1 [0186.753] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0186.798] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0186.807] SetEvent (hEvent=0x3f4) returned 1 [0186.807] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0186.825] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0186.827] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0186.828] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0186.836] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0186.837] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0186.837] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0186.837] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0186.846] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.846] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.847] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0186.847] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0186.847] WriteFile (in: hFile=0x15c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0186.849] CloseHandle (hObject=0x15c) returned 1 [0186.849] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0186.849] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0186.849] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0186.849] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0186.850] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ef0491, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ef0491, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0186.850] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0186.850] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0186.850] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.850] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.851] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0186.852] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0186.852] WriteFile (in: hFile=0x15c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0186.853] CloseHandle (hObject=0x15c) returned 1 [0186.853] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ef0491, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ef0491, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0186.855] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0186.855] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ef0491, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ef0491, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0186.856] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ef0491, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ef0491, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0186.856] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f5b500, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x4f5b500, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x4f5b500, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x55f0fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0186.856] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54d47c00, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x54d47c00, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x54d47c00, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0186.856] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0186.856] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0186.856] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0186.856] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0186.856] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0186.943] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0186.943] WriteFile (in: hFile=0x15c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0186.945] CloseHandle (hObject=0x15c) returned 1 [0186.946] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f5b500, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x4f5b500, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x4f5b500, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x55f0fd)) returned 1 [0187.030] SetEvent (hEvent=0x3f4) returned 1 [0187.030] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54d47c00, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x54d47c00, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x54d47c00, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x2d000)) returned 1 [0187.037] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.037] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.037] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0187.038] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.038] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0187.038] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.038] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0187.038] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.039] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.039] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.039] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.039] WriteFile (in: hFile=0x448, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.041] CloseHandle (hObject=0x448) returned 1 [0187.041] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.056] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.056] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0187.056] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.056] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9a8a2e, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9a8a2e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0187.056] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.056] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0187.057] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.057] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.057] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.058] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0187.058] WriteFile (in: hFile=0x43c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0187.060] CloseHandle (hObject=0x43c) returned 1 [0187.060] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9a8a2e, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9a8a2e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.061] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.061] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9a8a2e, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9a8a2e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0187.061] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9a8a2e, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9a8a2e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.083] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec82c300, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xec82c300, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xec82c300, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0187.083] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0187.083] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.083] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0187.084] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.084] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.085] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.157] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0187.157] WriteFile (in: hFile=0x43c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0187.161] CloseHandle (hObject=0x43c) returned 1 [0187.170] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec82c300, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xec82c300, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xec82c300, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x554520)) returned 1 [0187.173] SetEvent (hEvent=0x1d0) returned 1 [0187.214] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000)) returned 1 [0187.214] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.215] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.215] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.215] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.215] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0187.215] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.215] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.229] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.229] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.229] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.230] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.230] WriteFile (in: hFile=0x448, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.231] CloseHandle (hObject=0x448) returned 1 [0187.232] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.232] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.232] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0187.232] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.232] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9371b3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9371b3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0187.232] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.232] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0187.233] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.233] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.233] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.233] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0187.233] WriteFile (in: hFile=0x448, lpBuffer=0x12a6a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a6a000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0187.235] CloseHandle (hObject=0x448) returned 1 [0187.235] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9371b3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9371b3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.235] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.235] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9371b3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9371b3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0187.236] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9371b3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9371b3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.236] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb519600, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xeb519600, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xeb519600, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0187.236] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0187.236] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.236] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0187.247] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.247] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.247] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0187.328] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0187.328] WriteFile (in: hFile=0x42c, lpBuffer=0x12a6b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a6b300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0187.331] CloseHandle (hObject=0x42c) returned 1 [0187.333] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb519600, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xeb519600, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xeb519600, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a)) returned 1 [0187.333] SetEvent (hEvent=0x19c) returned 1 [0187.333] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000)) returned 1 [0187.389] SetEvent (hEvent=0x19c) returned 1 [0187.389] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.448] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.448] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.448] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.449] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0187.449] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.449] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.449] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.449] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.449] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0187.450] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.450] WriteFile (in: hFile=0x42c, lpBuffer=0x12a3a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a3a000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.452] CloseHandle (hObject=0x42c) returned 1 [0187.452] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.452] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.452] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0187.453] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.453] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388e9a80, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388e9a80, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0187.453] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.453] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0187.453] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.453] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.454] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0187.454] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0187.454] WriteFile (in: hFile=0x42c, lpBuffer=0x12a3b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a3b300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0187.457] CloseHandle (hObject=0x42c) returned 1 [0187.457] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388e9a80, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388e9a80, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.457] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.458] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388e9a80, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388e9a80, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.458] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388e9a80, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388e9a80, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.458] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa960e00, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xfa960e00, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xfa960e00, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0187.458] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0187.458] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.458] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.458] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.458] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.459] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.537] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0187.537] WriteFile (in: hFile=0x428, lpBuffer=0x12a3c600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a3c600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0187.539] CloseHandle (hObject=0x428) returned 1 [0187.540] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa960e00, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xfa960e00, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xfa960e00, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418)) returned 1 [0187.580] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0187.649] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.649] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.650] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.650] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.650] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0187.650] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.650] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.650] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.650] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.651] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.651] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.651] WriteFile (in: hFile=0x43c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.653] CloseHandle (hObject=0x43c) returned 1 [0187.653] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.672] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.672] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.672] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.672] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388bfa11, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388bfa11, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0187.672] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.672] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.672] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.673] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.673] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.674] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0187.674] WriteFile (in: hFile=0x43c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0187.687] CloseHandle (hObject=0x43c) returned 1 [0187.687] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388bfa11, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388bfa11, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.688] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.688] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388bfa11, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388bfa11, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0187.688] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388bfa11, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388bfa11, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.688] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf833b400, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xf833b400, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xf833b400, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0187.688] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0187.688] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.689] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0187.689] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.689] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.689] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.694] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0187.694] WriteFile (in: hFile=0x43c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0187.696] CloseHandle (hObject=0x43c) returned 1 [0187.696] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf833b400, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xf833b400, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xf833b400, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1)) returned 1 [0187.700] SetEvent (hEvent=0x19c) returned 1 [0187.700] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0187.709] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.709] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.709] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0187.710] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.710] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0187.710] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.710] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0187.710] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.710] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.710] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.711] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.711] WriteFile (in: hFile=0x428, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.712] CloseHandle (hObject=0x428) returned 1 [0187.713] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.713] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.713] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.713] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.713] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fcd23d, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fcd23d, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0187.713] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.714] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.714] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.714] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.714] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.714] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0187.715] WriteFile (in: hFile=0x428, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0187.716] CloseHandle (hObject=0x428) returned 1 [0187.717] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fcd23d, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fcd23d, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.717] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.717] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fcd23d, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fcd23d, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0187.717] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fcd23d, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fcd23d, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.717] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x681d000, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x681d000, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0x681d000, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0187.717] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca02a400, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xca02a400, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xca02a400, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0187.718] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.718] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0187.718] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.718] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.718] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.739] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0187.739] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0187.740] CloseHandle (hObject=0x3c4) returned 1 [0187.741] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x681d000, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x681d000, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0x681d000, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25)) returned 1 [0187.741] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca02a400, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xca02a400, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xca02a400, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0187.741] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.742] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.742] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.742] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.742] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0187.742] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.742] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.743] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.743] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.743] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.743] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.743] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.745] CloseHandle (hObject=0x3c4) returned 1 [0187.745] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.745] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.745] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0187.746] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.746] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ebf6f7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ebf6f7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0187.746] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.746] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0187.746] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.746] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.746] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.750] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0187.750] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a3a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a3a000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0187.752] CloseHandle (hObject=0x3c4) returned 1 [0187.752] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ebf6f7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ebf6f7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.752] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.752] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ebf6f7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ebf6f7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.752] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ebf6f7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ebf6f7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.752] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9153a800, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0x9153a800, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0x9153a800, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x1704ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0187.752] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbd4500, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0xcbbd4500, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0xcbbd4500, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0187.766] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.766] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.766] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.766] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.766] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.788] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0187.788] WriteFile (in: hFile=0x43c, lpBuffer=0x12a3b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a3b300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0187.790] CloseHandle (hObject=0x43c) returned 1 [0187.790] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9153a800, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0x9153a800, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0x9153a800, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x1704ac)) returned 1 [0187.790] SetEvent (hEvent=0x19c) returned 1 [0187.790] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbd4500, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0xcbbd4500, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0xcbbd4500, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x2f000)) returned 1 [0187.807] SetEvent (hEvent=0x19c) returned 1 [0187.807] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.807] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.808] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0187.808] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.808] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0187.808] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.808] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0187.808] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.808] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.809] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.809] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.809] WriteFile (in: hFile=0x428, lpBuffer=0x12a3d900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a3d900*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.811] CloseHandle (hObject=0x428) returned 1 [0187.811] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.811] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.814] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0187.814] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.814] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49751224, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49751224, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0187.814] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.814] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0187.814] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.814] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.815] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.815] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0187.815] WriteFile (in: hFile=0x428, lpBuffer=0x12a3ec00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a3ec00*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0187.817] CloseHandle (hObject=0x428) returned 1 [0187.818] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49751224, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49751224, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.818] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.818] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49751224, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49751224, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0187.818] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49751224, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49751224, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.818] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3166700, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc3166700, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc3166700, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0187.818] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf82e000, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xbf82e000, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xbf82e000, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0187.818] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.819] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0187.819] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.819] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.819] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.827] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0187.843] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0187.843] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0187.885] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.885] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0187.885] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x12d5fad0 | out: lpFileInformation=0x12d5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa0211772, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272)) returned 1 [0187.886] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0187.886] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0187.886] ReadFile (in: hFile=0x448, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12d5fd1c*=0x272, lpOverlapped=0x0) returned 1 [0187.887] GetFileType (hFile=0x448) returned 0x1 [0187.887] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0187.887] WriteFile (in: hFile=0x448, lpBuffer=0x12a64000*, nNumberOfBytesToWrite=0x272, lpNumberOfBytesWritten=0x12d5fd00, lpOverlapped=0x12d5fd0c | out: lpBuffer=0x12a64000*, lpNumberOfBytesWritten=0x12d5fd00*=0x272, lpOverlapped=0x12d5fd0c) returned 1 [0187.888] GetFileType (hFile=0x448) returned 0x1 [0187.888] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x272, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0187.888] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0187.888] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0187.888] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0187.889] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0187.889] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.889] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0187.889] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12d5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0187.910] CloseHandle (hObject=0x3c4) returned 1 [0187.910] CloseHandle (hObject=0x448) returned 1 [0187.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0187.911] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\#_THIS_FILE_IS_ENCRYPTED_[4DD43301FA4541EF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\#_this_file_is_encrypted_[4dd43301fa4541ef]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.912] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.912] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.912] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x39d18a7e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f398)) returned 1 [0187.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0187.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a260 | out: pbBuffer=0x12a9a260) returned 1 [0187.913] ReadFile (in: hFile=0x448, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12d37d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.934] GetFileType (hFile=0x448) returned 0x1 [0187.934] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.934] WriteFile (in: hFile=0x448, lpBuffer=0x12ce4000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12ce4000*, lpNumberOfBytesWritten=0x12d37d00*=0x20000, lpOverlapped=0x12d37d0c) returned 1 [0187.935] GetFileType (hFile=0x448) returned 0x1 [0187.936] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0187.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0187.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0187.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a318 | out: pbBuffer=0x12a9a318) returned 1 [0187.937] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0187.937] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.937] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.993] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.126] CloseHandle (hObject=0x1a0) returned 1 [0188.126] CloseHandle (hObject=0x448) returned 1 [0188.127] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.199] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.224] SetEvent (hEvent=0x3f8) returned 1 [0188.224] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9ee92c6a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xc6371102, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0188.234] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.407] SetEvent (hEvent=0x3f8) returned 1 [0188.407] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe7e7af85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7e7af85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.417] SetEvent (hEvent=0x3f4) returned 1 [0188.417] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.010.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x4e8a793e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8a793e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.447] SetEvent (hEvent=0x3f8) returned 1 [0188.447] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.011.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x1d9a4c7e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0188.533] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.001.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xa689893c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xac9249a5, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.563] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.631] SetEvent (hEvent=0x1d0) returned 1 [0188.631] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.002.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.662] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.667] SetEvent (hEvent=0x1d0) returned 1 [0188.667] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6121cfc7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.668] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.668] FindFirstFileW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6121cfc7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0188.674] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6121cfc7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.674] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x556e33d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", cAlternateFileName="REGID1~2.SWI")) returned 1 [0188.674] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58c6200, ftCreationTime.dwHighDateTime=0x1d0d7d0, ftLastAccessTime.dwLowDateTime=0x6fc19112, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x58c6200, ftLastWriteTime.dwHighDateTime=0x1d0d7d0, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1 [0188.674] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="REGID1~3.SWI")) returned 1 [0188.674] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ac00f7d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x3ac00f7d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="")) returned 1 [0188.675] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.675] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0188.676] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b7c0 | out: lpFileInformation=0x1282b7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.677] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.677] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0188.678] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b9d0 | out: lpMode=0x1282b9d0) returned 0 [0188.678] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b9d0, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b9d0*=0x118a, lpOverlapped=0x0) returned 1 [0188.680] CloseHandle (hObject=0x42c) returned 1 [0188.680] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x556e33d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x430)) returned 1 [0188.682] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.764] SetEvent (hEvent=0x1d0) returned 1 [0188.765] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58c6200, ftCreationTime.dwHighDateTime=0x1d0d7d0, ftLastAccessTime.dwLowDateTime=0x6fc19112, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x58c6200, ftLastWriteTime.dwHighDateTime=0x1d0d7d0, nFileSizeHigh=0x0, nFileSizeLow=0x42c)) returned 1 [0188.780] SetEvent (hEvent=0xf4) returned 1 [0188.780] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f)) returned 1 [0188.804] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.813] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.844] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.855] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.913] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0188.930] SetEvent (hEvent=0x19c) returned 1 [0188.930] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" (normalized: "c:\\users\\default\\appdata\\local\\temporary internet files"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.931] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0188.931] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0189.159] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0189.304] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0189.323] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0189.376] SetEvent (hEvent=0xf4) returned 1 [0189.376] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.376] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0189.376] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae)) returned 1 [0189.376] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98400 | out: pbBuffer=0x12a98400) returned 1 [0189.376] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810f40 | out: pbBuffer=0x12810f40) returned 1 [0189.376] ReadFile (in: hFile=0x438, lpBuffer=0x12a28000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a28000*, lpNumberOfBytesRead=0x1282fd1c*=0xae, lpOverlapped=0x0) returned 1 [0189.377] GetFileType (hFile=0x438) returned 0x1 [0189.377] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.377] WriteFile (in: hFile=0x438, lpBuffer=0x12bde840*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12bde840*, lpNumberOfBytesWritten=0x1282fd00*=0xae, lpOverlapped=0x1282fd0c) returned 1 [0189.377] GetFileType (hFile=0x438) returned 0x1 [0189.377] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xae, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0189.378] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0189.378] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0189.378] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810ff8 | out: pbBuffer=0x12810ff8) returned 1 [0189.378] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.378] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0189.378] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b16000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b16000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0189.413] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0189.529] SetEvent (hEvent=0x19c) returned 1 [0189.529] CloseHandle (hObject=0x1a0) returned 1 [0189.529] CloseHandle (hObject=0x438) returned 1 [0189.529] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811010 | out: pbBuffer=0x12811010) returned 1 [0189.529] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[62B897FCFB097E74]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\desktop\\#_this_file_is_encrypted_[62b897fcfb097e74]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.530] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0189.601] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0189.601] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0189.601] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c)) returned 1 [0189.602] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0189.602] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0189.602] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x1282fd1c*=0x17c, lpOverlapped=0x0) returned 1 [0189.603] GetFileType (hFile=0x3c4) returned 0x1 [0189.603] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.603] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x1282fd00*=0x17c, lpOverlapped=0x1282fd0c) returned 1 [0189.603] GetFileType (hFile=0x3c4) returned 0x1 [0189.604] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x17c, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0189.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0189.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0189.605] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0189.605] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0189.605] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0189.605] WriteFile (in: hFile=0x15c, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0189.650] CloseHandle (hObject=0x15c) returned 1 [0189.650] CloseHandle (hObject=0x3c4) returned 1 [0189.650] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0189.651] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\Music\\#_THIS_FILE_IS_ENCRYPTED_[54B40E79362EC0F6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\music\\#_this_file_is_encrypted_[54b40e79362ec0f6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.651] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0189.814] SetEvent (hEvent=0x420) returned 1 [0189.814] SetEvent (hEvent=0x1d0) returned 1 [0189.814] SetEvent (hEvent=0x3f8) returned 1 [0189.814] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0189.864] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0190.075] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0190.086] SetEvent (hEvent=0xf4) returned 1 [0190.086] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0190.157] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\uss.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.158] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.log\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0190.158] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0190.158] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00001.jrs"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\#_THIS_FILE_IS_ENCRYPTED_[45FAE26F71168B49]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\#_this_file_is_encrypted_[45fae26f71168b49]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0190.159] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.159] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0190.159] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xb1dfb94f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xb1dfb94f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x69d588a7, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x5c6e)) returned 1 [0190.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0190.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a050 | out: pbBuffer=0x12a9a050) returned 1 [0190.160] ReadFile (in: hFile=0x43c, lpBuffer=0x12a24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a24000*, lpNumberOfBytesRead=0x12a73d1c*=0x5c6e, lpOverlapped=0x0) returned 1 [0190.161] GetFileType (hFile=0x43c) returned 0x1 [0190.161] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0190.161] WriteFile (in: hFile=0x43c, lpBuffer=0x12850000*, nNumberOfBytesToWrite=0x5c6e, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12850000*, lpNumberOfBytesWritten=0x12a73d00*=0x5c6e, lpOverlapped=0x12a73d0c) returned 1 [0190.161] GetFileType (hFile=0x43c) returned 0x1 [0190.161] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x5c6e, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0190.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0190.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0190.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0190.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0190.162] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0190.162] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0190.162] WriteFile (in: hFile=0x428, lpBuffer=0x12c20000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0190.162] CloseHandle (hObject=0x428) returned 1 [0190.163] CloseHandle (hObject=0x43c) returned 1 [0190.163] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a130 | out: pbBuffer=0x12a9a130) returned 1 [0190.163] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\#_THIS_FILE_IS_ENCRYPTED_[BE646E9DF19EA4FD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\#_this_file_is_encrypted_[be646e9df19ea4fd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0190.167] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0190.276] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\sdiagnhost.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\sdiagnhost.exe.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.277] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0190.277] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\sdiagnhost.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\sdiagnhost.exe.log"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f197fc, ftCreationTime.dwHighDateTime=0x1d7b059, ftLastAccessTime.dwLowDateTime=0x70f197fc, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x70f197fc, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x15dd)) returned 1 [0190.277] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0190.277] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a178 | out: pbBuffer=0x12a9a178) returned 1 [0190.277] ReadFile (in: hFile=0x43c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a6fd1c*=0x15dd, lpOverlapped=0x0) returned 1 [0190.326] GetFileType (hFile=0x43c) returned 0x1 [0190.326] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0190.327] WriteFile (in: hFile=0x43c, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x15dd, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x12a6fd00*=0x15dd, lpOverlapped=0x12a6fd0c) returned 1 [0190.327] GetFileType (hFile=0x43c) returned 0x1 [0190.327] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x15dd, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0190.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0190.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0190.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0190.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a250 | out: pbBuffer=0x12a9a250) returned 1 [0190.328] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\sdiagnhost.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\sdiagnhost.exe.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0190.328] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0190.328] WriteFile (in: hFile=0x448, lpBuffer=0x12c20a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0190.328] CloseHandle (hObject=0x448) returned 1 [0190.329] CloseHandle (hObject=0x43c) returned 1 [0190.329] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a268 | out: pbBuffer=0x12a9a268) returned 1 [0190.329] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\sdiagnhost.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\sdiagnhost.exe.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\#_THIS_FILE_IS_ENCRYPTED_[31E4B1C8ADE7FF93]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\#_this_file_is_encrypted_[31e4b1c8ade7ff93]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0190.330] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\frmcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.330] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0190.330] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\frmcache.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a184b86, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a4e76b4, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc)) returned 1 [0190.330] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844900 | out: pbBuffer=0x12844900) returned 1 [0190.330] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2b0 | out: pbBuffer=0x12a9a2b0) returned 1 [0190.331] ReadFile (in: hFile=0x43c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a6fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0190.391] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0190.405] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0190.405] SetEvent (hEvent=0x110) returned 1 [0190.405] SetEvent (hEvent=0x3f8) returned 1 [0190.406] GetFileType (hFile=0x43c) returned 0x1 [0190.406] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0190.406] WriteFile (in: hFile=0x43c, lpBuffer=0x12ce4000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12ce4000*, lpNumberOfBytesWritten=0x12a6fd00*=0x20000, lpOverlapped=0x12a6fd0c) returned 1 [0190.407] GetFileType (hFile=0x43c) returned 0x1 [0190.407] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0190.408] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0190.408] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0190.408] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0190.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a368 | out: pbBuffer=0x12a9a368) returned 1 [0190.409] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\frmcache.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0190.409] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0190.409] WriteFile (in: hFile=0x428, lpBuffer=0x12c20f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20f00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0190.409] CloseHandle (hObject=0x428) returned 1 [0190.409] CloseHandle (hObject=0x43c) returned 1 [0190.410] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a380 | out: pbBuffer=0x12a9a380) returned 1 [0190.410] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\frmcache.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\#_THIS_FILE_IS_ENCRYPTED_[74CAAF3AD5EF74CF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\#_this_file_is_encrypted_[74caaf3ad5ef74cf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0190.412] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0190.454] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0190.505] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0190.519] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0190.519] SetEvent (hEvent=0x110) returned 1 [0190.519] SetEvent (hEvent=0x19c) returned 1 [0190.519] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0190.558] GetFileType (hFile=0x438) returned 0x1 [0190.558] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0190.558] WriteFile (in: hFile=0x438, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x1078, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12a73d00*=0x1078, lpOverlapped=0x12a73d0c) returned 1 [0190.559] GetFileType (hFile=0x438) returned 0x1 [0190.559] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x1078, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0190.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0190.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0190.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0190.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0190.559] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\powershell.exe.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.560] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0190.560] WriteFile (in: hFile=0x43c, lpBuffer=0x12c20000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0190.560] CloseHandle (hObject=0x43c) returned 1 [0190.560] CloseHandle (hObject=0x438) returned 1 [0190.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0190.560] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\powershell.exe.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\#_THIS_FILE_IS_ENCRYPTED_[99322264353AD0B0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\#_this_file_is_encrypted_[99322264353ad0b0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0190.607] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0190.660] SetEvent (hEvent=0xf4) returned 1 [0190.660] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.660] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0190.661] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x407cb15, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x407cb15, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x565d93a, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x1400)) returned 1 [0190.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98200 | out: pbBuffer=0x12a98200) returned 1 [0190.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0190.661] ReadFile (in: hFile=0x438, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a6dd1c*=0x1400, lpOverlapped=0x0) returned 1 [0190.661] GetFileType (hFile=0x438) returned 0x1 [0190.661] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0190.661] WriteFile (in: hFile=0x438, lpBuffer=0x12902a00*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12902a00*, lpNumberOfBytesWritten=0x12a6dd00*=0x1400, lpOverlapped=0x12a6dd0c) returned 1 [0190.662] GetFileType (hFile=0x438) returned 0x1 [0190.662] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x1400, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0190.662] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0190.662] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0190.662] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0190.662] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8428 | out: pbBuffer=0x128e8428) returned 1 [0190.662] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.662] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0190.663] WriteFile (in: hFile=0x43c, lpBuffer=0x12c20500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20500*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0190.663] CloseHandle (hObject=0x43c) returned 1 [0190.663] CloseHandle (hObject=0x438) returned 1 [0190.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8440 | out: pbBuffer=0x128e8440) returned 1 [0190.663] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\#_THIS_FILE_IS_ENCRYPTED_[E50169106D21D985]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\#_this_file_is_encrypted_[e50169106d21d985]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 0 [0190.663] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0190.891] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0191.605] SetEvent (hEvent=0xf4) returned 1 [0191.605] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0191.606] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0191.606] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xfed41862, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed41862, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed41862, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98400 | out: pbBuffer=0x12a98400) returned 1 [0191.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8488 | out: pbBuffer=0x128e8488) returned 1 [0191.607] ReadFile (in: hFile=0x43c, lpBuffer=0x12d30000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d30000*, lpNumberOfBytesRead=0x12a4bd1c*=0x0, lpOverlapped=0x0) returned 1 [0191.607] CloseHandle (hObject=0x43c) returned 1 [0191.607] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0191.607] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0191.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xab563468, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0xab563468, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab563468, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98420 | out: pbBuffer=0x12a98420) returned 1 [0191.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8498 | out: pbBuffer=0x128e8498) returned 1 [0191.608] ReadFile (in: hFile=0x43c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a4bd1c*=0x0, lpOverlapped=0x0) returned 1 [0191.608] CloseHandle (hObject=0x43c) returned 1 [0191.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf65bc6f2, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf65c9d91, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf65c9d91, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.609] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.609] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf65bc6f2, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf65c9d91, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf65c9d91, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0191.609] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf65bc6f2, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf65c9d91, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf65c9d91, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.609] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf65c9d91, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf65c9d91, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf65c9d91, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Active", cAlternateFileName="")) returned 1 [0191.609] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.609] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0191.609] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0191.610] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0191.611] WriteFile (in: hFile=0x43c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0191.612] CloseHandle (hObject=0x43c) returned 1 [0191.613] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf65c9d91, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf93005b8, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf93005b8, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.614] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.614] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf65c9d91, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf93005b8, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf93005b8, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0191.614] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf65c9d91, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf93005b8, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf93005b8, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.614] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf65d265c, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf65d265c, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0x3cebe1b, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecoveryStore.{309877BD-961C-11EC-B0BF-000FF3E16138}.dat", cAlternateFileName="RECOVE~1.DAT")) returned 1 [0191.614] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93005b8, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf93005b8, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0x3ced1ed, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="{36D9A683-961C-11EC-B0BF-000FF3E16138}.dat", cAlternateFileName="{36D9A~1.DAT")) returned 1 [0191.614] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.614] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0191.615] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.615] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.616] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0191.862] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0191.862] WriteFile (in: hFile=0x428, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0191.864] CloseHandle (hObject=0x428) returned 1 [0191.865] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RecoveryStore.{309877BD-961C-11EC-B0BF-000FF3E16138}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\recoverystore.{309877bd-961c-11ec-b0bf-000ff3e16138}.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf65d265c, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf65d265c, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0x3cebe1b, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x1600)) returned 1 [0191.865] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\{36D9A683-961C-11EC-B0BF-000FF3E16138}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\{36d9a683-961c-11ec-b0bf-000ff3e16138}.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93005b8, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf93005b8, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0x3ced1ed, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0xe00)) returned 1 [0191.865] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tabroaming"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.866] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tabroaming"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.866] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0191.866] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.866] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.866] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0191.866] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tabroaming\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.867] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tabroaming\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.867] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tabroaming\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0192.695] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0193.222] SetEvent (hEvent=0xf4) returned 1 [0193.545] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0195.934] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0196.241] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0196.459] SetEvent (hEvent=0x3f8) returned 1 [0196.459] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0196.638] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0196.672] SetEvent (hEvent=0x1d0) returned 1 [0196.672] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0196.686] SetEvent (hEvent=0x40c) returned 1 [0196.687] SetEvent (hEvent=0x3f4) returned 1 [0196.687] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0196.730] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0196.730] SetEvent (hEvent=0x3f4) returned 1 [0196.730] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0196.767] SetEvent (hEvent=0x1d0) returned 1 [0196.767] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0196.788] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0196.878] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0196.962] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0196.983] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0197.025] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0197.312] SetEvent (hEvent=0x19c) returned 1 [0197.312] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0197.316] SetEvent (hEvent=0x19c) returned 1 [0197.316] SwitchToThread () returned 1 [0197.319] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0197.335] SetEvent (hEvent=0x19c) returned 1 [0197.336] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\08DD48C4-4C22-48B1-8676-03955502381B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\08dd48c4-4c22-48b1-8676-03955502381b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0197.336] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0197.336] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\08DD48C4-4C22-48B1-8676-03955502381B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\08dd48c4-4c22-48b1-8676-03955502381b"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8494d29, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8494d29, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8496206, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xa96)) returned 1 [0197.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0197.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0197.337] ReadFile (in: hFile=0x438, lpBuffer=0x12bc8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bc8000*, lpNumberOfBytesRead=0x12a73d1c*=0xa96, lpOverlapped=0x0) returned 1 [0197.340] GetFileType (hFile=0x438) returned 0x1 [0197.340] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0197.341] WriteFile (in: hFile=0x438, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0xa96, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12a73d00*=0xa96, lpOverlapped=0x12a73d0c) returned 1 [0197.341] GetFileType (hFile=0x438) returned 0x1 [0197.341] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xa96, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0197.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0197.342] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0197.342] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0197.342] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0197.342] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\08DD48C4-4C22-48B1-8676-03955502381B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\08dd48c4-4c22-48b1-8676-03955502381b"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0197.342] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0197.343] WriteFile (in: hFile=0x448, lpBuffer=0x12a64000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a64000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0197.343] CloseHandle (hObject=0x448) returned 1 [0197.349] CloseHandle (hObject=0x438) returned 1 [0197.353] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0197.353] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\08DD48C4-4C22-48B1-8676-03955502381B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\08dd48c4-4c22-48b1-8676-03955502381b"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[A9716F07793E74BB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[a9716f07793e74bb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.493] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0197.495] SetEvent (hEvent=0x1d0) returned 1 [0197.495] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\136081F3-73A0-4FF7-B28C-3470DE19BBF1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\136081f3-73a0-4ff7-b28c-3470de19bbf1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0197.496] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0197.496] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\136081F3-73A0-4FF7-B28C-3470DE19BBF1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\136081f3-73a0-4ff7-b28c-3470de19bbf1"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b28e4c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b28e4c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b28e4c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2426)) returned 1 [0197.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0197.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810048 | out: pbBuffer=0x12810048) returned 1 [0197.496] ReadFile (in: hFile=0x438, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a6dd1c*=0x2426, lpOverlapped=0x0) returned 1 [0197.514] GetFileType (hFile=0x438) returned 0x1 [0197.514] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0197.514] WriteFile (in: hFile=0x438, lpBuffer=0x12cd4000*, nNumberOfBytesToWrite=0x2426, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12cd4000*, lpNumberOfBytesWritten=0x12a6dd00*=0x2426, lpOverlapped=0x12a6dd0c) returned 1 [0197.515] GetFileType (hFile=0x438) returned 0x1 [0197.515] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x2426, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0197.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0197.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0197.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0197.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810120 | out: pbBuffer=0x12810120) returned 1 [0197.516] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\136081F3-73A0-4FF7-B28C-3470DE19BBF1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\136081f3-73a0-4ff7-b28c-3470de19bbf1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.516] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0197.516] WriteFile (in: hFile=0x1a0, lpBuffer=0x128f6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x128f6000*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0197.516] CloseHandle (hObject=0x1a0) returned 1 [0197.523] CloseHandle (hObject=0x438) returned 1 [0197.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810138 | out: pbBuffer=0x12810138) returned 1 [0197.531] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\136081F3-73A0-4FF7-B28C-3470DE19BBF1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\136081f3-73a0-4ff7-b28c-3470de19bbf1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[0FCCCE0DC228CB76]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[0fccce0dc228cb76]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.669] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0197.672] SetEvent (hEvent=0x1d0) returned 1 [0197.672] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1604DFC0-3711-40F4-A312-5716BCF1C705" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1604dfc0-3711-40f4-a312-5716bcf1c705"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0197.672] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0197.672] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1604DFC0-3711-40F4-A312-5716BCF1C705" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1604dfc0-3711-40f4-a312-5716bcf1c705"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb6b457, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb6b457, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb6b457, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1bc0)) returned 1 [0197.673] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eb80 | out: pbBuffer=0x1280eb80) returned 1 [0197.673] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128491e0 | out: pbBuffer=0x128491e0) returned 1 [0197.673] ReadFile (in: hFile=0x438, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a6fd1c*=0x1bc0, lpOverlapped=0x0) returned 1 [0197.676] GetFileType (hFile=0x438) returned 0x1 [0197.676] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0197.676] WriteFile (in: hFile=0x438, lpBuffer=0x12c3a000*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12c3a000*, lpNumberOfBytesWritten=0x12a6fd00*=0x1bc0, lpOverlapped=0x12a6fd0c) returned 1 [0197.677] GetFileType (hFile=0x438) returned 0x1 [0197.677] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x1bc0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0197.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835181 | out: pbBuffer=0x12835181) returned 1 [0197.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835281 | out: pbBuffer=0x12835281) returned 1 [0197.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835381 | out: pbBuffer=0x12835381) returned 1 [0197.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128492f8 | out: pbBuffer=0x128492f8) returned 1 [0197.677] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1604DFC0-3711-40F4-A312-5716BCF1C705" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1604dfc0-3711-40f4-a312-5716bcf1c705"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.677] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0197.678] WriteFile (in: hFile=0x1a0, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0197.678] CloseHandle (hObject=0x1a0) returned 1 [0197.704] CloseHandle (hObject=0x438) returned 1 [0197.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849310 | out: pbBuffer=0x12849310) returned 1 [0197.750] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1604DFC0-3711-40F4-A312-5716BCF1C705" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1604dfc0-3711-40f4-a312-5716bcf1c705"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[FB053FC03C5C86A4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[fb053fc03c5c86a4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.964] SetEvent (hEvent=0x110) returned 1 [0197.964] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0198.019] SetEvent (hEvent=0x1d0) returned 1 [0198.020] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\21676BA8-01CC-477B-8C3D-258E774A1164" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\21676ba8-01cc-477b-8c3d-258e774a1164"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0198.020] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.020] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\21676BA8-01CC-477B-8C3D-258E774A1164" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\21676ba8-01cc-477b-8c3d-258e774a1164"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb5b5f4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb5b5f4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb5dbcb, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2084)) returned 1 [0198.020] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844e20 | out: pbBuffer=0x12844e20) returned 1 [0198.020] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810bd0 | out: pbBuffer=0x12810bd0) returned 1 [0198.020] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0198.033] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0198.033] SetEvent (hEvent=0x110) returned 1 [0198.033] SetEvent (hEvent=0x1d0) returned 1 [0198.034] ReadFile (in: hFile=0x438, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a4bd1c*=0x2084, lpOverlapped=0x0) returned 1 [0198.039] GetFileType (hFile=0x438) returned 0x1 [0198.040] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.040] WriteFile (in: hFile=0x438, lpBuffer=0x12d70000*, nNumberOfBytesToWrite=0x2084, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12d70000*, lpNumberOfBytesWritten=0x12a4bd00*=0x2084, lpOverlapped=0x12a4bd0c) returned 1 [0198.040] GetFileType (hFile=0x438) returned 0x1 [0198.040] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x2084, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.040] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0198.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0198.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0198.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0198.041] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\21676BA8-01CC-477B-8C3D-258E774A1164" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\21676ba8-01cc-477b-8c3d-258e774a1164"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.041] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.041] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d8c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12d8c000*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.042] CloseHandle (hObject=0x1a0) returned 1 [0198.048] CloseHandle (hObject=0x438) returned 1 [0198.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810030 | out: pbBuffer=0x12810030) returned 1 [0198.056] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\21676BA8-01CC-477B-8C3D-258E774A1164" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\21676ba8-01cc-477b-8c3d-258e774a1164"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[0BCAC17893C6907D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[0bcac17893c6907d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.137] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0198.204] SetEvent (hEvent=0x19c) returned 1 [0198.204] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\29A9F36E-19FA-474E-A88B-9EE7C96DCBA2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\29a9f36e-19fa-474e-a88b-9ee7c96dcba2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0198.204] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.205] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\29A9F36E-19FA-474E-A88B-9EE7C96DCBA2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\29a9f36e-19fa-474e-a88b-9ee7c96dcba2"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49f4ff8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49f4ff8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49f62e6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2fff)) returned 1 [0198.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0198.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128108b0 | out: pbBuffer=0x128108b0) returned 1 [0198.205] ReadFile (in: hFile=0x15c, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12a4bd1c*=0x2fff, lpOverlapped=0x0) returned 1 [0198.211] GetFileType (hFile=0x15c) returned 0x1 [0198.211] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.211] WriteFile (in: hFile=0x15c, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x2fff, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12a4bd00*=0x2fff, lpOverlapped=0x12a4bd0c) returned 1 [0198.212] GetFileType (hFile=0x15c) returned 0x1 [0198.212] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x2fff, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0198.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0198.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0198.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810968 | out: pbBuffer=0x12810968) returned 1 [0198.213] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\29A9F36E-19FA-474E-A88B-9EE7C96DCBA2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\29a9f36e-19fa-474e-a88b-9ee7c96dcba2"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.214] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.214] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b14000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b14000*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.214] CloseHandle (hObject=0x1a0) returned 1 [0198.221] CloseHandle (hObject=0x15c) returned 1 [0198.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810980 | out: pbBuffer=0x12810980) returned 1 [0198.231] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\29A9F36E-19FA-474E-A88B-9EE7C96DCBA2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\29a9f36e-19fa-474e-a88b-9ee7c96dcba2"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[B310EAD264CB2722]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[b310ead264cb2722]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.367] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0198.420] SetEvent (hEvent=0x19c) returned 1 [0198.420] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\33F63883-F0AE-4AB6-B4F0-30BB1951B381" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\33f63883-f0ae-4ab6-b4f0-30bb1951b381"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.421] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\33F63883-F0AE-4AB6-B4F0-30BB1951B381" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\33f63883-f0ae-4ab6-b4f0-30bb1951b381"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ea9c0d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4ea9c0d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4ea9c0d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x8b27)) returned 1 [0198.421] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928500 | out: pbBuffer=0x12928500) returned 1 [0198.421] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a7d8 | out: pbBuffer=0x12a9a7d8) returned 1 [0198.422] ReadFile (in: hFile=0x1a0, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x12a4bd1c*=0x8b27, lpOverlapped=0x0) returned 1 [0198.426] GetFileType (hFile=0x1a0) returned 0x1 [0198.427] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.427] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a38000*, nNumberOfBytesToWrite=0x8b27, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12a38000*, lpNumberOfBytesWritten=0x12a4bd00*=0x8b27, lpOverlapped=0x12a4bd0c) returned 1 [0198.427] GetFileType (hFile=0x1a0) returned 0x1 [0198.427] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x8b27, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.428] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0198.428] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0198.428] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0198.428] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a890 | out: pbBuffer=0x12a9a890) returned 1 [0198.428] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\33F63883-F0AE-4AB6-B4F0-30BB1951B381" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\33f63883-f0ae-4ab6-b4f0-30bb1951b381"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0198.429] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.429] WriteFile (in: hFile=0x448, lpBuffer=0x12b44a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44a00*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.429] CloseHandle (hObject=0x448) returned 1 [0198.431] CloseHandle (hObject=0x1a0) returned 1 [0198.438] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a8a8 | out: pbBuffer=0x12a9a8a8) returned 1 [0198.438] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\33F63883-F0AE-4AB6-B4F0-30BB1951B381" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\33f63883-f0ae-4ab6-b4f0-30bb1951b381"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[9F6077F0FD5606DD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[9f6077f0fd5606dd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.770] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0198.801] SetEvent (hEvent=0x1d0) returned 1 [0198.801] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3c5bb25a-c5b4-4565-a1c7-47ea3c32b62b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0198.801] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.801] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3c5bb25a-c5b4-4565-a1c7-47ea3c32b62b"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c74994, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c74994, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c770d1, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x235a)) returned 1 [0198.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0198.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810310 | out: pbBuffer=0x12810310) returned 1 [0198.802] ReadFile (in: hFile=0x3c4, lpBuffer=0x1299a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x1299a000*, lpNumberOfBytesRead=0x12a4bd1c*=0x235a, lpOverlapped=0x0) returned 1 [0198.805] GetFileType (hFile=0x3c4) returned 0x1 [0198.805] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.805] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d70000*, nNumberOfBytesToWrite=0x235a, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12d70000*, lpNumberOfBytesWritten=0x12a4bd00*=0x235a, lpOverlapped=0x12a4bd0c) returned 1 [0198.806] GetFileType (hFile=0x3c4) returned 0x1 [0198.806] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x235a, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0198.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0198.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0198.807] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128103c8 | out: pbBuffer=0x128103c8) returned 1 [0198.807] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3c5bb25a-c5b4-4565-a1c7-47ea3c32b62b"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0198.807] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.807] WriteFile (in: hFile=0x448, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.807] CloseHandle (hObject=0x448) returned 1 [0198.810] CloseHandle (hObject=0x3c4) returned 1 [0198.814] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103e0 | out: pbBuffer=0x128103e0) returned 1 [0198.814] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3c5bb25a-c5b4-4565-a1c7-47ea3c32b62b"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[1988327CF75FD28B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[1988327cf75fd28b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.938] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0198.941] SetEvent (hEvent=0x3f4) returned 1 [0198.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\406E18D5-EC82-4FCC-82A8-2D148D067E02" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\406e18d5-ec82-4fcc-82a8-2d148d067e02"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0198.942] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0198.942] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\406E18D5-EC82-4FCC-82A8-2D148D067E02" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\406e18d5-ec82-4fcc-82a8-2d148d067e02"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82960d16, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82960d16, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82962239, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x341b)) returned 1 [0198.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0198.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810428 | out: pbBuffer=0x12810428) returned 1 [0198.942] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b8c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8c000*, lpNumberOfBytesRead=0x12a73d1c*=0x341b, lpOverlapped=0x0) returned 1 [0198.946] GetFileType (hFile=0x3c4) returned 0x1 [0198.946] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0198.946] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x341b, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a73d00*=0x341b, lpOverlapped=0x12a73d0c) returned 1 [0198.946] GetFileType (hFile=0x3c4) returned 0x1 [0198.946] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x341b, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0198.946] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0198.947] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0198.947] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0198.947] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128104e0 | out: pbBuffer=0x128104e0) returned 1 [0198.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\406E18D5-EC82-4FCC-82A8-2D148D067E02" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\406e18d5-ec82-4fcc-82a8-2d148d067e02"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0198.947] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0198.947] WriteFile (in: hFile=0x438, lpBuffer=0x12a90500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0198.947] CloseHandle (hObject=0x438) returned 1 [0198.951] CloseHandle (hObject=0x3c4) returned 1 [0198.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104f8 | out: pbBuffer=0x128104f8) returned 1 [0198.953] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\406E18D5-EC82-4FCC-82A8-2D148D067E02" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\406e18d5-ec82-4fcc-82a8-2d148d067e02"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[F474CC929FA19099]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[f474cc929fa19099]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.117] SetEvent (hEvent=0x110) returned 1 [0199.117] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0199.137] SetEvent (hEvent=0x1d0) returned 1 [0199.137] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4CA2E262-1B83-48AB-BA5B-2A052BA6485B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4ca2e262-1b83-48ab-ba5b-2a052ba6485b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0199.138] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0199.138] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4CA2E262-1B83-48AB-BA5B-2A052BA6485B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4ca2e262-1b83-48ab-ba5b-2a052ba6485b"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828dd133, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x828dd133, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x828dd133, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4825)) returned 1 [0199.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0199.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0199.139] ReadFile (in: hFile=0x3c4, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x4825, lpOverlapped=0x0) returned 1 [0199.146] GetFileType (hFile=0x3c4) returned 0x1 [0199.146] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0199.146] WriteFile (in: hFile=0x3c4, lpBuffer=0x1299a000*, nNumberOfBytesToWrite=0x4825, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x1299a000*, lpNumberOfBytesWritten=0x12a6dd00*=0x4825, lpOverlapped=0x12a6dd0c) returned 1 [0199.146] GetFileType (hFile=0x3c4) returned 0x1 [0199.146] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x4825, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0199.146] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0199.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0199.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0199.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0199.147] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4CA2E262-1B83-48AB-BA5B-2A052BA6485B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4ca2e262-1b83-48ab-ba5b-2a052ba6485b"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.147] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0199.147] WriteFile (in: hFile=0x438, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.147] CloseHandle (hObject=0x438) returned 1 [0199.149] CloseHandle (hObject=0x3c4) returned 1 [0199.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0199.153] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4CA2E262-1B83-48AB-BA5B-2A052BA6485B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4ca2e262-1b83-48ab-ba5b-2a052ba6485b"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[0BD9569252E6E24F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[0bd9569252e6e24f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.257] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0199.263] SetEvent (hEvent=0x1d0) returned 1 [0199.263] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\511B4AE9-CD73-4ED0-A899-602921314CEC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\511b4ae9-cd73-4ed0-a899-602921314cec"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0199.264] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0199.264] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\511B4AE9-CD73-4ED0-A899-602921314CEC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\511b4ae9-cd73-4ed0-a899-602921314cec"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4b06560, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4b06560, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4b07902, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c73)) returned 1 [0199.264] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0199.264] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848db0 | out: pbBuffer=0x12848db0) returned 1 [0199.264] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a6fd1c*=0x2c73, lpOverlapped=0x0) returned 1 [0199.273] GetFileType (hFile=0x3c4) returned 0x1 [0199.273] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0199.273] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a66000*, nNumberOfBytesToWrite=0x2c73, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12a66000*, lpNumberOfBytesWritten=0x12a6fd00*=0x2c73, lpOverlapped=0x12a6fd0c) returned 1 [0199.273] GetFileType (hFile=0x3c4) returned 0x1 [0199.274] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x2c73, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0199.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0199.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0199.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0199.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848ed8 | out: pbBuffer=0x12848ed8) returned 1 [0199.275] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\511B4AE9-CD73-4ED0-A899-602921314CEC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\511b4ae9-cd73-4ed0-a899-602921314cec"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.275] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0199.275] WriteFile (in: hFile=0x438, lpBuffer=0x128b2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128b2000*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.275] CloseHandle (hObject=0x438) returned 1 [0199.277] CloseHandle (hObject=0x3c4) returned 1 [0199.278] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848f20 | out: pbBuffer=0x12848f20) returned 1 [0199.279] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\511B4AE9-CD73-4ED0-A899-602921314CEC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\511b4ae9-cd73-4ed0-a899-602921314cec"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[6D4601154079EA92]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[6d4601154079ea92]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.355] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0199.360] SetEvent (hEvent=0x1d0) returned 1 [0199.360] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B7E87C2-FC64-4F92-8D24-251DE6AF63C0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b7e87c2-fc64-4f92-8d24-251de6af63c0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0199.361] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0199.361] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B7E87C2-FC64-4F92-8D24-251DE6AF63C0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b7e87c2-fc64-4f92-8d24-251de6af63c0"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4cefda3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4cefda3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4cefda3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5128)) returned 1 [0199.361] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98460 | out: pbBuffer=0x12a98460) returned 1 [0199.361] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b70 | out: pbBuffer=0x12810b70) returned 1 [0199.361] ReadFile (in: hFile=0x3c4, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a4bd1c*=0x5128, lpOverlapped=0x0) returned 1 [0199.433] GetFileType (hFile=0x3c4) returned 0x1 [0199.433] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0199.433] WriteFile (in: hFile=0x3c4, lpBuffer=0x1289d500*, nNumberOfBytesToWrite=0x5128, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x1289d500*, lpNumberOfBytesWritten=0x12a4bd00*=0x5128, lpOverlapped=0x12a4bd0c) returned 1 [0199.434] GetFileType (hFile=0x3c4) returned 0x1 [0199.434] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x5128, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0199.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab01 | out: pbBuffer=0x1286ab01) returned 1 [0199.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0199.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0199.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810c28 | out: pbBuffer=0x12810c28) returned 1 [0199.444] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B7E87C2-FC64-4F92-8D24-251DE6AF63C0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b7e87c2-fc64-4f92-8d24-251de6af63c0"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.445] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0199.445] WriteFile (in: hFile=0x438, lpBuffer=0x12a90f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90f00*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.445] CloseHandle (hObject=0x438) returned 1 [0199.477] CloseHandle (hObject=0x3c4) returned 1 [0199.484] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c40 | out: pbBuffer=0x12810c40) returned 1 [0199.484] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B7E87C2-FC64-4F92-8D24-251DE6AF63C0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b7e87c2-fc64-4f92-8d24-251de6af63c0"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[0CDF3CA5A0CF6D6C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[0cdf3ca5a0cf6d6c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.705] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0199.749] SetEvent (hEvent=0x1d0) returned 1 [0199.749] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E234531-C2BA-4F08-BC11-2ECA97A03E84" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e234531-c2ba-4f08-bc11-2eca97a03e84"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0199.749] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0199.749] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E234531-C2BA-4F08-BC11-2ECA97A03E84" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e234531-c2ba-4f08-bc11-2eca97a03e84"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cfd55e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82cfd55e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d37ecc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7b5)) returned 1 [0199.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286e0 | out: pbBuffer=0x129286e0) returned 1 [0199.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849970 | out: pbBuffer=0x12849970) returned 1 [0199.750] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0199.754] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0199.754] SetEvent (hEvent=0x110) returned 1 [0199.754] SetEvent (hEvent=0x1d0) returned 1 [0199.754] ReadFile (in: hFile=0x3c4, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12a73d1c*=0x7b5, lpOverlapped=0x0) returned 1 [0199.772] GetFileType (hFile=0x3c4) returned 0x1 [0199.772] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.772] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0x7b5, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x12a73d00*=0x7b5, lpOverlapped=0x12a73d0c) returned 1 [0199.772] GetFileType (hFile=0x3c4) returned 0x1 [0199.772] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x7b5, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd01 | out: pbBuffer=0x12afcd01) returned 1 [0199.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0199.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf01 | out: pbBuffer=0x12afcf01) returned 1 [0199.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849a28 | out: pbBuffer=0x12849a28) returned 1 [0199.773] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E234531-C2BA-4F08-BC11-2ECA97A03E84" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e234531-c2ba-4f08-bc11-2eca97a03e84"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.774] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0199.774] WriteFile (in: hFile=0x438, lpBuffer=0x128b2f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b2f00*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0199.774] CloseHandle (hObject=0x438) returned 1 [0199.782] CloseHandle (hObject=0x3c4) returned 1 [0199.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848020 | out: pbBuffer=0x12848020) returned 1 [0199.785] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E234531-C2BA-4F08-BC11-2ECA97A03E84" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e234531-c2ba-4f08-bc11-2eca97a03e84"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[B1B7D162B71E45E5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[b1b7d162b71e45e5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.914] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0199.938] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0200.014] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0200.045] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0200.075] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0200.265] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0200.324] SetEvent (hEvent=0x3f4) returned 1 [0200.324] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0200.330] SetEvent (hEvent=0x420) returned 1 [0200.332] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0200.335] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0200.337] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0200.338] SetEvent (hEvent=0x1d0) returned 1 [0200.338] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0200.384] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0201.436] SetEvent (hEvent=0x3f4) returned 1 [0201.436] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0201.440] SetEvent (hEvent=0x3f4) returned 1 [0201.440] SetEvent (hEvent=0x40c) returned 1 [0201.440] SwitchToThread () returned 1 [0201.442] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0201.571] SetEvent (hEvent=0x40c) returned 1 [0201.571] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\msaccess.exe_rules.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0201.571] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.571] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\msaccess.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8cb2b47, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8cb2b47, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8cb2b47, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x11d02)) returned 1 [0201.572] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0201.572] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0201.572] ReadFile (in: hFile=0x1a0, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x11d02, lpOverlapped=0x0) returned 1 [0201.602] GetFileType (hFile=0x1a0) returned 0x1 [0201.603] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.603] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x11d02, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12a6dd00*=0x11d02, lpOverlapped=0x12a6dd0c) returned 1 [0201.603] GetFileType (hFile=0x1a0) returned 0x1 [0201.603] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x11d02, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0201.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0201.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0201.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1f8 | out: pbBuffer=0x12a9a1f8) returned 1 [0201.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\msaccess.exe_rules.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.604] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.604] WriteFile (in: hFile=0x448, lpBuffer=0x12c38500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38500*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.604] CloseHandle (hObject=0x448) returned 1 [0201.611] CloseHandle (hObject=0x1a0) returned 1 [0201.617] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a210 | out: pbBuffer=0x12a9a210) returned 1 [0201.618] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\msaccess.exe_rules.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\#_THIS_FILE_IS_ENCRYPTED_[24ADDA00768B5150]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\#_this_file_is_encrypted_[24adda00768b5150]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.758] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0203.330] SetEvent (hEvent=0x1d0) returned 1 [0203.330] SetEvent (hEvent=0x19c) returned 1 [0203.330] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0204.128] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0204.173] SetEvent (hEvent=0x420) returned 1 [0204.174] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0204.174] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0204.175] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otelemediumcost.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec7ed61, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec7ed61, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec80102, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x1e3)) returned 1 [0204.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844460 | out: pbBuffer=0x12844460) returned 1 [0204.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128100f8 | out: pbBuffer=0x128100f8) returned 1 [0204.176] ReadFile (in: hFile=0x448, lpBuffer=0x129f8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f8000*, lpNumberOfBytesRead=0x12a73d1c*=0x1e3, lpOverlapped=0x0) returned 1 [0204.209] GetFileType (hFile=0x448) returned 0x1 [0204.209] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.209] WriteFile (in: hFile=0x448, lpBuffer=0x12c28200*, nNumberOfBytesToWrite=0x1e3, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12c28200*, lpNumberOfBytesWritten=0x12a73d00*=0x1e3, lpOverlapped=0x12a73d0c) returned 1 [0204.210] GetFileType (hFile=0x448) returned 0x1 [0204.210] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x1e3, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0204.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0204.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0204.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101b0 | out: pbBuffer=0x128101b0) returned 1 [0204.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.212] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0204.212] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b0500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.212] CloseHandle (hObject=0x3c4) returned 1 [0204.237] CloseHandle (hObject=0x448) returned 1 [0204.280] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101c8 | out: pbBuffer=0x128101c8) returned 1 [0204.280] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otelemediumcost.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\#_THIS_FILE_IS_ENCRYPTED_[628A8A0EA253C684]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\#_this_file_is_encrypted_[628a8a0ea253c684]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.473] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0204.485] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0204.494] SetEvent (hEvent=0x3f8) returned 1 [0204.495] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0204.495] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0204.495] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otelemediumcost.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa304b1cc, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa304b1cc, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa304c575, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x20b)) returned 1 [0204.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0204.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0204.496] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a73d1c*=0x20b, lpOverlapped=0x0) returned 1 [0204.502] GetFileType (hFile=0x1a0) returned 0x1 [0204.502] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.502] WriteFile (in: hFile=0x1a0, lpBuffer=0x128e4480*, nNumberOfBytesToWrite=0x20b, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x128e4480*, lpNumberOfBytesWritten=0x12a73d00*=0x20b, lpOverlapped=0x12a73d0c) returned 1 [0204.503] GetFileType (hFile=0x1a0) returned 0x1 [0204.503] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20b, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0204.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0204.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0204.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0204.504] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.504] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0204.504] WriteFile (in: hFile=0x438, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.514] CloseHandle (hObject=0x438) returned 1 [0204.521] CloseHandle (hObject=0x1a0) returned 1 [0204.615] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0204.615] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otelemediumcost.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\#_THIS_FILE_IS_ENCRYPTED_[77B6FAF43AD25508]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\#_this_file_is_encrypted_[77b6faf43ad25508]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.784] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0204.795] SetEvent (hEvent=0x3f4) returned 1 [0204.795] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0204.800] SetEvent (hEvent=0x3f4) returned 1 [0204.800] SetEvent (hEvent=0x1d0) returned 1 [0204.800] SwitchToThread () returned 1 [0204.822] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0205.200] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0205.522] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0205.764] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0205.764] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0205.764] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1513eaa7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1513eaa7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1526fd00, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0205.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844be0 | out: pbBuffer=0x12844be0) returned 1 [0205.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848548 | out: pbBuffer=0x12848548) returned 1 [0205.765] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x129abd1c*=0x16da, lpOverlapped=0x0) returned 1 [0205.770] GetFileType (hFile=0x1a0) returned 0x1 [0205.770] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0205.771] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b00000*, nNumberOfBytesToWrite=0x16da, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12b00000*, lpNumberOfBytesWritten=0x129abd00*=0x16da, lpOverlapped=0x129abd0c) returned 1 [0205.771] GetFileType (hFile=0x1a0) returned 0x1 [0205.771] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x16da, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0205.771] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0205.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0205.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0205.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848630 | out: pbBuffer=0x12848630) returned 1 [0205.772] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\collectonedrivelogs.bat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.773] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0205.773] WriteFile (in: hFile=0x15c, lpBuffer=0x12980f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12980f00*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0205.773] CloseHandle (hObject=0x15c) returned 1 [0205.779] CloseHandle (hObject=0x1a0) returned 1 [0205.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848648 | out: pbBuffer=0x12848648) returned 1 [0205.786] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\collectonedrivelogs.bat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[893CF5119B758E89]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[893cf5119b758e89]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.919] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0205.931] SetEvent (hEvent=0x10c) returned 1 [0205.931] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.932] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0205.932] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16071ad7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16071ad7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x161c908f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0205.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0205.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a760 | out: pbBuffer=0x12a9a760) returned 1 [0205.932] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0205.936] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0205.936] SetEvent (hEvent=0x10c) returned 1 [0205.936] ReadFile (in: hFile=0x15c, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x1282fd1c*=0x140c0, lpOverlapped=0x0) returned 1 [0206.167] GetFileType (hFile=0x15c) returned 0x1 [0206.167] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0206.167] WriteFile (in: hFile=0x15c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x140c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x1282fd00*=0x140c0, lpOverlapped=0x1282fd0c) returned 1 [0206.168] GetFileType (hFile=0x15c) returned 0x1 [0206.168] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x140c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0206.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0206.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0206.169] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0206.169] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341d8 | out: pbBuffer=0x12c341d8) returned 1 [0206.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.localizedresources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0206.169] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0206.169] WriteFile (in: hFile=0x438, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0206.170] CloseHandle (hObject=0x438) returned 1 [0206.170] CloseHandle (hObject=0x15c) returned 1 [0206.170] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341f0 | out: pbBuffer=0x12c341f0) returned 1 [0206.170] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.localizedresources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[5780A41D17974203]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[5780a41d17974203]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.171] SetEvent (hEvent=0x3f8) returned 1 [0206.171] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncconfig.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0206.173] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0206.173] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncconfig.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27e196bc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27eb206a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x238c0)) returned 1 [0206.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928620 | out: pbBuffer=0x12928620) returned 1 [0206.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34238 | out: pbBuffer=0x12c34238) returned 1 [0206.173] ReadFile (in: hFile=0x15c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0206.280] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0206.295] GetFileType (hFile=0x15c) returned 0x1 [0206.295] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0206.295] WriteFile (in: hFile=0x15c, lpBuffer=0x12ba0000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12ba0000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0206.326] GetFileType (hFile=0x15c) returned 0x1 [0206.326] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0206.326] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0206.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0206.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0206.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0206.327] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncconfig.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0206.329] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0206.329] WriteFile (in: hFile=0x44c, lpBuffer=0x12b00000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b00000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0206.330] CloseHandle (hObject=0x44c) returned 1 [0206.330] CloseHandle (hObject=0x15c) returned 1 [0206.330] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0206.330] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncconfig.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[36710025355A4946]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[36710025355a4946]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.496] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0206.545] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0206.606] SetEvent (hEvent=0x40c) returned 1 [0206.606] SetEvent (hEvent=0x1d0) returned 1 [0206.606] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0206.640] SetEvent (hEvent=0x10c) returned 1 [0206.640] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0206.689] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246849d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x29b4e321, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x29b4e321, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.690] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.690] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246849d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x246849d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x29b4e321, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0206.690] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246849d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x246849d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x29b4e321, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.690] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b4e321, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x29b4e321, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2b646bb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.690] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.691] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0206.691] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.691] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.691] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0206.692] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.692] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.694] CloseHandle (hObject=0x1a0) returned 1 [0206.694] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b4e321, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x29b4e321, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2b646bb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0206.758] SetEvent (hEvent=0x19c) returned 1 [0206.758] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf111177, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1bc7bb71, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.758] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.759] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf111177, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x19a81fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0206.817] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf111177, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x19a81fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd25ab06c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd25ab06c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd29d7222, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5dd86f0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd5dd86f0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd5e70f71, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda5ab377, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xda5ab377, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xda8f2699, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbb92c03, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbb92c03, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc26d7fb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x0, dwReserved1=0x0, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcd4e444, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcd4e444, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdd66554a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42ba1e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe42ba1e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7c64fd5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb1bd98b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeb1bd98b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeb3ad73a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecc43b7e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecc43b7e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5c4b24e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf77c8633, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77c8633, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d9801d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x362c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncApi.dll", cAlternateFileName="FILESY~3.DLL")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8878a7e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8878a7e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc424655, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncClient.dll", cAlternateFileName="FILESY~4.DLL")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcbbde9d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcbbde9d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd2fec9b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x238c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncConfig.exe", cAlternateFileName="FILESY~1.EXE")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd704ae4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd704ae4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23231a2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncSessions.dll", cAlternateFileName="FIFC38~1.DLL")) returned 1 [0206.927] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2454520, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2454520, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x253922a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncShell.dll", cAlternateFileName="FI340C~1.DLL")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2538864, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd2538864, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd2538864, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="is", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdab2e911, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdab2e911, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdab2e911, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe210ce16, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe210ce16, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe210ce16, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf187d5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecf187d5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xecf187d5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ka", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedade28a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xedade28a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee3f513b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xee3f513b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xee3f513b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="km-kh", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1846bf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xef1846bf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xef1846bf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kn", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0e933a5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0e933a5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0e933a5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2002503, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf2002503, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf2002503, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kok", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf25ac394, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf25ac394, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf25ac394, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ku-arab", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf79de4ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79de4ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79de4ea, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ky", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf89aa04e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf89aa04e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf89aa04e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lb-lu", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32eeba5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x32eeba5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4889ef2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LoggingPlatform.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9739439, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf9739439, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf9739439, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0206.928] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb006851, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb006851, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb006851, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0206.929] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb969ac6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb969ac6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb969ac6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mi-nz", cAlternateFileName="")) returned 1 [0206.929] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc090d46, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc090d46, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc090d46, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mk", cAlternateFileName="")) returned 1 [0206.929] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc71f7fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc71f7fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc71f7fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ml-in", cAlternateFileName="")) returned 1 [0206.929] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd587570, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd587570, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd587570, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mn", cAlternateFileName="")) returned 1 [0206.929] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe46dff5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe46dff5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe46dff5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mr", cAlternateFileName="")) returned 1 [0206.929] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffc1f3cf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xffc1f3cf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xffc1f3cf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ms", cAlternateFileName="")) returned 1 [0206.929] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67fb07e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67fb07e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xae9cb73, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbb9ac6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbbb9ac6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xddeae4a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e38526, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1e38526, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1e38526, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mt-mt", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f00a8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x3f00a8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x3f00a8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a4f09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7a4f09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7a4f09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ne-np", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0c0f2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xa0c0f2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xa0c0f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5515c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb5515c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb5515c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nn-no", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc593d87, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc593d87, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc593d87, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nso-za", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f40d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe50f40d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xefa8864, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive.exe", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd63fe7d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xd63fe7d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd63fe7d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="or-in", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee5c50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdee5c50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdee5c50, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pa", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d91fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe6d91fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe6d91fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pa-arab", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc5962, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xfcc5962, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xfcc5962, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pa-arab-pk", cAlternateFileName="PA-ARA~1")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10bd26fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10bd26fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10bd26fa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x116ff8a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x116ff8a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x116ff8a5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="prs-af", cAlternateFileName="")) returned 1 [0206.930] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x130c8fc0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x130c8fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x130c8fc0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13646246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13646246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13646246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e9e78d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13e9e78d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13e9e78d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qut-latn", cAlternateFileName="")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14933008, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14933008, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x14933008, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="quz-pe", cAlternateFileName="")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1018a7a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1018a7a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1149d5d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RemoteAccess.dll", cAlternateFileName="REMOTE~1.DLL")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b45b0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16b45b0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16b45b0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x172deef5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x172deef5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x172deef5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bf5de5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17bf5de5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17bf5de5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rw", cAlternateFileName="")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x126710a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x126710a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x130c8fc0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x124b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScreenshotLogo.png", cAlternateFileName="SCREEN~1.PNG")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1347c6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1347c6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x140b472d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScreenshotOptIn.png", cAlternateFileName="SCREEN~2.PNG")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1986bebc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1986bebc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1986bebc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sd-arab", cAlternateFileName="")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1bc7bb71, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1bc7bb71, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sd-arab-pk", cAlternateFileName="SD-ARA~1")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1478f592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1478f592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x149cb731, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16909517, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16909517, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16c7693c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SqmWrapper.dll", cAlternateFileName="SQMWRA~1.DLL")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17410332, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17410332, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1c297983, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x130000, dwReserved0=0x0, dwReserved1=0x0, cFileName="SyncEngine.dll", cAlternateFileName="SYNCEN~1.DLL")) returned 1 [0206.931] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.931] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0206.933] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.934] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.934] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.935] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0206.935] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0206.937] CloseHandle (hObject=0x3c4) returned 1 [0206.937] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd25ab06c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd25ab06c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd29d7222, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0206.938] SetEvent (hEvent=0x19c) returned 1 [0206.938] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5dd86f0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd5dd86f0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd5e70f71, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0206.938] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda5ab377, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xda5ab377, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xda8f2699, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0206.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbb92c03, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbb92c03, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc26d7fb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0206.990] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcd4e444, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcd4e444, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdd66554a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0206.990] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0206.991] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.991] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbb92c03, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbb92c03, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc26d7fb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0206.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280fb40 | out: pbBuffer=0x1280fb40) returned 1 [0206.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b9a0 | out: pbBuffer=0x12a9b9a0) returned 1 [0206.991] ReadFile (in: hFile=0x15c, lpBuffer=0x12cb4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cb4000*, lpNumberOfBytesRead=0x129a7d1c*=0x16da, lpOverlapped=0x0) returned 1 [0207.034] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0207.097] SetEvent (hEvent=0x40c) returned 1 [0207.097] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0207.494] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0207.495] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0207.495] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda5ab377, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xda5ab377, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xda8f2699, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0207.495] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0207.495] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0207.495] ReadFile (in: hFile=0x448, lpBuffer=0x12cd4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cd4000*, lpNumberOfBytesRead=0x129abd1c*=0x27f2, lpOverlapped=0x0) returned 1 [0207.557] GetFileType (hFile=0x448) returned 0x1 [0207.557] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0207.557] WriteFile (in: hFile=0x448, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x27f2, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x129abd00*=0x27f2, lpOverlapped=0x129abd0c) returned 1 [0207.558] GetFileType (hFile=0x448) returned 0x1 [0207.558] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x27f2, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0207.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0207.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0207.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0207.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102e0 | out: pbBuffer=0x128102e0) returned 1 [0207.559] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0207.559] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0207.559] WriteFile (in: hFile=0x438, lpBuffer=0x128aef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x128aef00*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0207.559] CloseHandle (hObject=0x438) returned 1 [0207.694] CloseHandle (hObject=0x448) returned 1 [0207.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810338 | out: pbBuffer=0x12810338) returned 1 [0207.784] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[82271888EF22B512]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[82271888ef22b512]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0208.880] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0208.882] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0208.882] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecc43b7e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecc43b7e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5c4b24e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0)) returned 1 [0208.882] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98dc0 | out: pbBuffer=0x12a98dc0) returned 1 [0208.882] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810750 | out: pbBuffer=0x12810750) returned 1 [0208.883] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x129add1c*=0x20000, lpOverlapped=0x0) returned 1 [0208.908] SetEvent (hEvent=0x110) returned 1 [0208.909] GetFileType (hFile=0x3c4) returned 0x1 [0208.909] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0208.909] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b88000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12b88000*, lpNumberOfBytesWritten=0x129add00*=0x20000, lpOverlapped=0x129add0c) returned 1 [0208.910] GetFileType (hFile=0x3c4) returned 0x1 [0208.910] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0208.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0208.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0208.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0208.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810808 | out: pbBuffer=0x12810808) returned 1 [0208.911] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.resources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0208.911] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0208.911] WriteFile (in: hFile=0x448, lpBuffer=0x128af900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x128af900*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0208.953] CloseHandle (hObject=0x448) returned 1 [0208.962] CloseHandle (hObject=0x3c4) returned 1 [0208.969] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c344e8 | out: pbBuffer=0x12c344e8) returned 1 [0208.970] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.resources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[156FAC01F5BE81DF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[156fac01f5be81df]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0209.944] SetEvent (hEvent=0xf4) returned 1 [0209.944] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncsessions.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0209.945] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0209.945] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncsessions.dll"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd704ae4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd704ae4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23231a2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0)) returned 1 [0209.945] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928e60 | out: pbBuffer=0x12928e60) returned 1 [0209.945] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c346b0 | out: pbBuffer=0x12c346b0) returned 1 [0209.945] ReadFile (in: hFile=0x3c4, lpBuffer=0x129ce000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x129ce000*, lpNumberOfBytesRead=0x129add1c*=0x20000, lpOverlapped=0x0) returned 1 [0209.955] GetFileType (hFile=0x3c4) returned 0x1 [0209.955] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0209.955] WriteFile (in: hFile=0x3c4, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x129add00*=0x20000, lpOverlapped=0x129add0c) returned 1 [0209.956] GetFileType (hFile=0x3c4) returned 0x1 [0209.956] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0209.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0209.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0209.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0209.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34768 | out: pbBuffer=0x12c34768) returned 1 [0209.957] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncsessions.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0209.957] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0209.957] WriteFile (in: hFile=0x448, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0209.961] CloseHandle (hObject=0x448) returned 1 [0209.965] CloseHandle (hObject=0x3c4) returned 1 [0209.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34780 | out: pbBuffer=0x12c34780) returned 1 [0209.975] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncsessions.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[EA0D6271BEF59598]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[ea0d6271bef59598]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0210.265] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0210.275] SetEvent (hEvent=0x1d0) returned 1 [0210.275] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\remoteaccess.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0210.276] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0210.276] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\remoteaccess.dll"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1018a7a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1018a7a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1149d5d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0)) returned 1 [0210.276] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844fa0 | out: pbBuffer=0x12844fa0) returned 1 [0210.276] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128486e0 | out: pbBuffer=0x128486e0) returned 1 [0210.277] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x129add1c*=0x20000, lpOverlapped=0x0) returned 1 [0210.293] GetFileType (hFile=0x1a0) returned 0x1 [0210.293] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0210.293] WriteFile (in: hFile=0x1a0, lpBuffer=0x12ca4000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12ca4000*, lpNumberOfBytesWritten=0x129add00*=0x20000, lpOverlapped=0x129add0c) returned 1 [0210.294] GetFileType (hFile=0x1a0) returned 0x1 [0210.294] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0210.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0210.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0210.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0210.295] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128487c8 | out: pbBuffer=0x128487c8) returned 1 [0210.295] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\remoteaccess.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0210.295] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0210.295] WriteFile (in: hFile=0x3c4, lpBuffer=0x12850f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x12850f00*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0210.318] CloseHandle (hObject=0x3c4) returned 1 [0210.325] CloseHandle (hObject=0x1a0) returned 1 [0210.329] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848940 | out: pbBuffer=0x12848940) returned 1 [0210.330] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\remoteaccess.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[4E13A91DAC47DE4C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[4e13a91dac47de4c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0211.402] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0212.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0212.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0212.938] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c35288 | out: pbBuffer=0x12c35288) returned 1 [0212.938] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmwrapper.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0212.938] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0212.938] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c1c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c1c500*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0212.939] CloseHandle (hObject=0x3c4) returned 1 [0212.939] CloseHandle (hObject=0x1a0) returned 1 [0212.939] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c352a0 | out: pbBuffer=0x12c352a0) returned 1 [0212.939] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmwrapper.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[5D537816DC71D1B8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[5d537816dc71d1b8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0212.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf187d5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xed5cd1ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xed5cd1ea, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0212.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0212.981] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf187d5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecf187d5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xed5cd1ea, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0212.981] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf187d5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecf187d5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xed5cd1ea, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0212.981] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5cd1ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xed5cd1ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0212.981] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0212.981] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0212.981] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0212.981] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0212.982] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0212.989] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0212.989] WriteFile (in: hFile=0x15c, lpBuffer=0x1297e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1297e000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0212.991] CloseHandle (hObject=0x15c) returned 1 [0212.991] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5cd1ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xed5cd1ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0212.994] SetEvent (hEvent=0x420) returned 1 [0212.994] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xede4b9d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xede4b9d3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.003] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.003] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedade28a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xede4b9d3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0213.003] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedade28a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xede4b9d3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.003] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede4b9d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xede4b9d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xee29dc95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.003] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.003] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0213.003] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.003] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.004] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.005] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.006] WriteFile (in: hFile=0x15c, lpBuffer=0x1297f300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1297f300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.007] CloseHandle (hObject=0x15c) returned 1 [0213.007] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede4b9d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xede4b9d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xee29dc95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0213.008] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee3f513b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeea3742a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeea3742a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.026] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0213.147] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.147] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee3f513b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xee3f513b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeea3742a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0213.148] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee3f513b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xee3f513b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeea3742a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.148] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeea3742a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeea3742a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xef0c5c11, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.148] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.148] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0213.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.149] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.149] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0213.150] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.150] WriteFile (in: hFile=0x448, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.152] CloseHandle (hObject=0x448) returned 1 [0213.153] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeea3742a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeea3742a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xef0c5c11, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0213.191] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1846bf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0497564, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0497564, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.406] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1846bf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xef1846bf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0497564, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0213.406] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1846bf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xef1846bf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0497564, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.406] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0497564, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0497564, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0dfa874, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.406] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.406] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0213.406] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.407] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0213.424] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.424] WriteFile (in: hFile=0x438, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.426] CloseHandle (hObject=0x438) returned 1 [0213.426] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0497564, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0497564, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0dfa874, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0213.430] SetEvent (hEvent=0x10c) returned 1 [0213.430] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0e933a5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf1bfc6d0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1bfc6d0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.430] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.431] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0e933a5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0e933a5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1bfc6d0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0213.431] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0e933a5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0e933a5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1bfc6d0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.431] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1bfc6d0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf1bfc6d0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1f43a35, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.431] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.431] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0213.431] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.431] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.432] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.434] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.434] WriteFile (in: hFile=0x15c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.435] CloseHandle (hObject=0x15c) returned 1 [0213.436] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1bfc6d0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf1bfc6d0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1f43a35, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0213.442] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2002503, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf223ea69, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf223ea69, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.451] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.451] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2002503, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf2002503, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf223ea69, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0213.451] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2002503, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf2002503, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf223ea69, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.451] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf223ea69, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf223ea69, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf24ed57a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.451] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.451] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0213.452] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.452] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.452] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0213.453] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.453] WriteFile (in: hFile=0x448, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.455] CloseHandle (hObject=0x448) returned 1 [0213.455] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf223ea69, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf223ea69, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf24ed57a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0213.461] SetEvent (hEvent=0xf4) returned 1 [0213.461] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf25ac394, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5b19f9c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5b19f9c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.467] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf25ac394, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf25ac394, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5b19f9c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0213.467] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf25ac394, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf25ac394, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5b19f9c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.467] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5b19f9c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5b19f9c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5d3009a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.467] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.467] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0213.467] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0213.470] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.470] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.472] CloseHandle (hObject=0x1a0) returned 1 [0213.472] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5b19f9c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5b19f9c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5d3009a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0213.472] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf79de4ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.481] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.481] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf79de4ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79de4ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0213.481] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf79de4ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79de4ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.481] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8878a7e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.481] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.481] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0213.481] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.482] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.482] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.483] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.483] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.484] CloseHandle (hObject=0x3c4) returned 1 [0213.484] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8878a7e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0213.487] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0213.572] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0213.731] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0213.736] SetEvent (hEvent=0x40c) returned 1 [0213.736] SetEvent (hEvent=0xf4) returned 1 [0213.737] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0213.737] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0213.737] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa977fad, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfa977fad, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfaefb782, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0213.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0213.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0213.738] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12829d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0213.796] GetFileType (hFile=0x1a0) returned 0x1 [0213.796] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.797] WriteFile (in: hFile=0x1a0, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12829d00*=0x160c0, lpOverlapped=0x12829d0c) returned 1 [0213.798] GetFileType (hFile=0x1a0) returned 0x1 [0213.798] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0213.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0213.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0213.799] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0213.799] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.799] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0213.799] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0213.800] CloseHandle (hObject=0x3c4) returned 1 [0213.800] CloseHandle (hObject=0x1a0) returned 1 [0213.800] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0213.800] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\#_THIS_FILE_IS_ENCRYPTED_[EA7C8F95EA81D129]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\#_this_file_is_encrypted_[ea7c8f95ea81d129]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.802] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0213.827] SetEvent (hEvent=0x420) returned 1 [0213.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0213.828] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0213.828] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc2f31ae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc2f31ae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc63a815, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0213.828] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0213.828] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810048 | out: pbBuffer=0x12810048) returned 1 [0213.829] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c9a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c9a000*, lpNumberOfBytesRead=0x12be3d1c*=0x162c0, lpOverlapped=0x0) returned 1 [0213.898] GetFileType (hFile=0x1a0) returned 0x1 [0213.898] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.898] WriteFile (in: hFile=0x1a0, lpBuffer=0x129c6000*, nNumberOfBytesToWrite=0x162c0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x129c6000*, lpNumberOfBytesWritten=0x12be3d00*=0x162c0, lpOverlapped=0x12be3d0c) returned 1 [0213.899] GetFileType (hFile=0x1a0) returned 0x1 [0213.899] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x162c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.900] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0213.900] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801681 | out: pbBuffer=0x12801681) returned 1 [0213.900] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801781 | out: pbBuffer=0x12801781) returned 1 [0213.900] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810858 | out: pbBuffer=0x12810858) returned 1 [0213.900] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.901] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0213.901] WriteFile (in: hFile=0x3c4, lpBuffer=0x1297b400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x1297b400*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0213.901] CloseHandle (hObject=0x3c4) returned 1 [0213.901] CloseHandle (hObject=0x1a0) returned 1 [0213.902] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810870 | out: pbBuffer=0x12810870) returned 1 [0213.902] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\#_THIS_FILE_IS_ENCRYPTED_[6BDB03D4186AD038]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\#_this_file_is_encrypted_[6bdb03d4186ad038]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.949] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0214.021] SetEvent (hEvent=0x10c) returned 1 [0214.022] SetEvent (hEvent=0x40c) returned 1 [0214.022] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0214.037] SetEvent (hEvent=0x40c) returned 1 [0214.037] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0214.112] SetEvent (hEvent=0x3f8) returned 1 [0214.112] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0214.123] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0214.127] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0214.128] SetEvent (hEvent=0x110) returned 1 [0214.128] SetEvent (hEvent=0x40c) returned 1 [0214.128] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0214.136] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.136] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12cbfd0c | out: lpMode=0x12cbfd0c) returned 0 [0214.136] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcp120.dll"), fInfoLevelId=0x0, lpFileInformation=0x12cbfad0 | out: lpFileInformation=0x12cbfad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67fb07e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67fb07e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xae9cb73, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0)) returned 1 [0214.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0214.137] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0214.137] ReadFile (in: hFile=0x438, lpBuffer=0x12a32000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12cbfd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a32000*, lpNumberOfBytesRead=0x12cbfd1c*=0x20000, lpOverlapped=0x0) returned 1 [0214.232] GetFileType (hFile=0x438) returned 0x1 [0214.232] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12cbfce4 | out: lpNewFilePointer=0x0) returned 1 [0214.232] WriteFile (in: hFile=0x438, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12cbfd00, lpOverlapped=0x12cbfd0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12cbfd00*=0x20000, lpOverlapped=0x12cbfd0c) returned 1 [0214.233] GetFileType (hFile=0x438) returned 0x1 [0214.233] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12cbfce4 | out: lpNewFilePointer=0x0) returned 1 [0214.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0214.234] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0214.234] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0214.234] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a660 | out: pbBuffer=0x12a9a660) returned 1 [0214.234] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcp120.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0214.234] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12cbfd0c | out: lpMode=0x12cbfd0c) returned 0 [0214.234] WriteFile (in: hFile=0x42c, lpBuffer=0x1297a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12cbfd0c, lpOverlapped=0x0 | out: lpBuffer=0x1297a000*, lpNumberOfBytesWritten=0x12cbfd0c*=0x276, lpOverlapped=0x0) returned 1 [0214.399] CloseHandle (hObject=0x42c) returned 1 [0214.399] CloseHandle (hObject=0x438) returned 1 [0214.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a678 | out: pbBuffer=0x12a9a678) returned 1 [0214.399] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcp120.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[D55D5A261F6E9358]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[d55d5a261f6e9358]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.603] SetEvent (hEvent=0x420) returned 1 [0214.603] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0214.640] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0214.640] SetEvent (hEvent=0x3f8) returned 1 [0214.640] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0214.668] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0214.669] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0214.670] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe640666, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe640666, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe6d91fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0214.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0214.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810048 | out: pbBuffer=0x12810048) returned 1 [0214.670] ReadFile (in: hFile=0x1a0, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12be7d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0214.716] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0214.790] GetFileType (hFile=0x1a0) returned 0x1 [0214.790] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.790] WriteFile (in: hFile=0x1a0, lpBuffer=0x12962000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12962000*, lpNumberOfBytesWritten=0x12be7d00*=0x160c0, lpOverlapped=0x12be7d0c) returned 1 [0214.791] GetFileType (hFile=0x1a0) returned 0x1 [0214.791] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0214.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0214.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0214.792] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810120 | out: pbBuffer=0x12810120) returned 1 [0214.792] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.792] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0214.792] WriteFile (in: hFile=0x438, lpBuffer=0x12a94000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94000*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.792] CloseHandle (hObject=0x438) returned 1 [0214.792] CloseHandle (hObject=0x1a0) returned 1 [0214.793] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810138 | out: pbBuffer=0x12810138) returned 1 [0214.793] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\#_THIS_FILE_IS_ENCRYPTED_[823FFA8BF46DCBF4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\#_this_file_is_encrypted_[823ffa8bf46dcbf4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.794] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0214.794] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0214.794] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1102b950, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1102b950, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1149d5d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0)) returned 1 [0214.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844540 | out: pbBuffer=0x12844540) returned 1 [0214.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810180 | out: pbBuffer=0x12810180) returned 1 [0214.795] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12be3d1c*=0x16ec0, lpOverlapped=0x0) returned 1 [0214.845] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0214.845] SetEvent (hEvent=0x40c) returned 1 [0214.845] GetFileType (hFile=0x1a0) returned 0x1 [0214.845] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.845] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d72000*, nNumberOfBytesToWrite=0x16ec0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12d72000*, lpNumberOfBytesWritten=0x12be3d00*=0x16ec0, lpOverlapped=0x12be3d0c) returned 1 [0214.846] GetFileType (hFile=0x1a0) returned 0x1 [0214.846] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x16ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.846] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0214.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0214.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a01 | out: pbBuffer=0x12834a01) returned 1 [0214.848] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80b0 | out: pbBuffer=0x128e80b0) returned 1 [0214.848] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0214.848] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0214.848] WriteFile (in: hFile=0x448, lpBuffer=0x1285a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285a000*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.848] CloseHandle (hObject=0x448) returned 1 [0214.848] CloseHandle (hObject=0x1a0) returned 1 [0214.849] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80c8 | out: pbBuffer=0x128e80c8) returned 1 [0214.849] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\#_THIS_FILE_IS_ENCRYPTED_[F048F1073A71F703]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\#_this_file_is_encrypted_[f048f1073a71f703]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.850] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0214.850] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0214.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x141bf6d6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x141bf6d6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1489a4b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0)) returned 1 [0214.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282a0 | out: pbBuffer=0x129282a0) returned 1 [0214.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8110 | out: pbBuffer=0x128e8110) returned 1 [0214.850] ReadFile (in: hFile=0x1a0, lpBuffer=0x129bc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x129bc000*, lpNumberOfBytesRead=0x12be3d1c*=0x17ec0, lpOverlapped=0x0) returned 1 [0214.909] GetFileType (hFile=0x1a0) returned 0x1 [0214.910] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.910] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x17ec0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12be3d00*=0x17ec0, lpOverlapped=0x12be3d0c) returned 1 [0215.497] GetFileType (hFile=0x1a0) returned 0x1 [0215.497] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x17ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0215.498] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0215.498] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0215.498] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0215.498] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1f8 | out: pbBuffer=0x12a9a1f8) returned 1 [0215.498] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0215.499] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0215.499] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0215.506] CloseHandle (hObject=0x44c) returned 1 [0215.507] CloseHandle (hObject=0x1a0) returned 1 [0215.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a778 | out: pbBuffer=0x12a9a778) returned 1 [0215.513] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\#_THIS_FILE_IS_ENCRYPTED_[CB2A497DCE6AC0CF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\#_this_file_is_encrypted_[cb2a497dce6ac0cf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0215.578] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0217.415] SetEvent (hEvent=0x420) returned 1 [0218.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0218.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0218.369] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0218.794] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0218.980] SetEvent (hEvent=0xf4) returned 1 [0218.980] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x4c5) returned 0x102 [0229.063] SetEvent (hEvent=0x454) returned 1 [0229.063] SetEvent (hEvent=0x3cc) returned 1 [0229.063] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0229.198] SetEvent (hEvent=0x3cc) returned 1 [0229.248] SetEvent (hEvent=0x3cc) returned 1 [0229.287] SetEvent (hEvent=0x3cc) returned 1 [0229.287] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0229.305] SetEvent (hEvent=0x3cc) returned 1 [0229.305] SetEvent (hEvent=0x3f4) returned 1 [0229.306] CancelIoEx (hFile=0x3e4, lpOverlapped=0x12b1c014) returned 1 [0229.307] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50286173, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5042992c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5042992c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.307] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.308] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50286173, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50286173, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5042992c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0229.308] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50286173, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50286173, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5042992c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.308] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5042992c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5042992c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x504e8433, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.308] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.308] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0229.308] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.309] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.309] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.311] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.311] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.313] CloseHandle (hObject=0x458) returned 1 [0229.313] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5042992c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5042992c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x504e8433, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0229.314] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5050e68c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5068bb42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5068bb42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.316] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.316] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5050e68c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5050e68c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5068bb42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0229.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5050e68c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5050e68c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5068bb42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5068bb42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5068bb42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x507bcfb7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.316] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.316] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0229.316] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.317] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.317] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.318] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.318] WriteFile (in: hFile=0x458, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.320] CloseHandle (hObject=0x458) returned 1 [0229.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5068bb42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5068bb42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x507bcfb7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0229.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x507bcfb7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x509f95ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x509f95ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.333] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.333] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x507bcfb7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x507bcfb7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x509f95ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0229.333] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x507bcfb7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x507bcfb7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x509f95ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.333] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x509f95ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x509f95ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50a920f2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.333] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.333] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0229.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.333] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.334] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.334] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.334] WriteFile (in: hFile=0x458, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.336] CloseHandle (hObject=0x458) returned 1 [0229.337] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x509f95ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x509f95ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50a920f2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0229.337] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.337] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0229.338] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5068bb42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5068bb42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x507bcfb7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0229.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0229.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9abd0 | out: pbBuffer=0x12a9abd0) returned 1 [0229.338] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12be7d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0229.358] GetFileType (hFile=0x458) returned 0x1 [0229.358] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.358] WriteFile (in: hFile=0x458, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be7d00*=0x156c0, lpOverlapped=0x12be7d0c) returned 1 [0229.359] GetFileType (hFile=0x458) returned 0x1 [0229.359] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.359] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0229.359] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0229.360] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0229.360] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ac88 | out: pbBuffer=0x12a9ac88) returned 1 [0229.360] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0229.360] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0229.360] WriteFile (in: hFile=0x45c, lpBuffer=0x129fc000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fc000*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.360] CloseHandle (hObject=0x45c) returned 1 [0229.360] CloseHandle (hObject=0x458) returned 1 [0229.360] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aca0 | out: pbBuffer=0x12a9aca0) returned 1 [0229.361] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\#_THIS_FILE_IS_ENCRYPTED_[0DD61BD1476D6143]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\#_this_file_is_encrypted_[0dd61bd1476d6143]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.418] SetEvent (hEvent=0x3f4) returned 1 [0229.418] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0229.437] SetEvent (hEvent=0x19c) returned 1 [0229.437] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0229.725] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0229.905] SetEvent (hEvent=0x1b8) returned 1 [0229.906] SetEvent (hEvent=0x454) returned 1 [0229.906] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0229.999] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0229.999] SetEvent (hEvent=0x454) returned 1 [0229.999] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0230.008] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0230.303] SetEvent (hEvent=0x3f4) returned 1 [0230.303] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0230.334] SetEvent (hEvent=0x3f4) returned 1 [0230.334] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0230.976] SetEvent (hEvent=0x1b8) returned 1 [0230.977] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0230.993] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0230.993] SetEvent (hEvent=0x1b8) returned 1 [0230.993] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0230.994] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0231.271] SetEvent (hEvent=0x454) returned 1 [0231.271] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0231.288] SetEvent (hEvent=0x454) returned 1 [0231.288] SetEvent (hEvent=0x40c) returned 1 [0231.288] SwitchToThread () returned 1 [0231.319] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0231.347] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0231.365] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0231.507] SetEvent (hEvent=0x40c) returned 1 [0231.517] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2a1d565, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x849e2ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0231.518] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.518] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2a1d565, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x849e2ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0231.518] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2a1d565, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x849e2ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.671] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ab7dde1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ab7dde1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ab7dde1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="af", cAlternateFileName="")) returned 1 [0231.671] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b53a13b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b53a13b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b53a13b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="am-et", cAlternateFileName="")) returned 1 [0231.671] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c2b9548, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fa9af2b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="amd64", cAlternateFileName="")) returned 1 [0231.671] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bc05a4c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5bc05a4c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5bc05a4c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar", cAlternateFileName="")) returned 1 [0231.672] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c758e02, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c758e02, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c758e02, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="as-in", cAlternateFileName="")) returned 1 [0231.672] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ca5e9b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2ca5e9b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd2dd71af, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0231.672] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd30f840f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd30f840f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3b4055a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0231.672] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3f6c523, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3f6c523, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd40775fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60ab3475, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x60ab3475, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x60ab3475, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="az-latn-az", cAlternateFileName="AZ-LAT~1")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66c4da1e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x66c4da1e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x66c4da1e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="be", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68687798, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x68687798, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x68687798, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e3f5924, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6e3f5924, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6e3f5924, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bn-bd", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fb80d93, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6fb80d93, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6fb80d93, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bn-in", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72a24d87, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x72a24d87, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x72a24d87, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bs-latn-ba", cAlternateFileName="BS-LAT~1")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7400c6b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7400c6b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7400c6b5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x747a5fbd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x747a5fbd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x747a5fbd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-es-valencia", cAlternateFileName="CA-ES-~1")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40775fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40775fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd410ff09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x0, dwReserved1=0x0, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74e0e5c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74e0e5c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74e0e5c8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x756d8e23, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x756d8e23, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x756d8e23, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cy-gb", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7587ca25, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7587ca25, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7587ca25, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x761472c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x761472c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x761472c9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76af6cb3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x76af6cb3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76af6cb3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x778ac20d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78176e22, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7850a56c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7850a56c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7850a56c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-gb", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78be52ff, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78be52ff, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78be52ff, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x794fc152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x794fc152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x794fc152, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0231.673] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd410ff09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd410ff09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd4810e0d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0231.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x79ce210c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79ce210c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79ce210c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0231.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd514dfac, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd514dfac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd80fd0fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0231.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b46d246, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b46d246, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b46d246, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fa", cAlternateFileName="")) returned 1 [0231.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bb21b30, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7bb21b30, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7bb21b30, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0231.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c353c50, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c353c50, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c353c50, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fil-ph", cAlternateFileName="")) returned 1 [0231.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc09dbdb, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc09dbdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdc9dad7b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0231.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdde1efd1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdde1efd1, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2f9dc06, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0231.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe663028c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe663028c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe6d7d6ed, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x362c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncApi.dll", cAlternateFileName="FILESY~3.DLL")) returned 1 [0231.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe73272cc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe73272cc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xed477d8a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncClient.dll", cAlternateFileName="FILESY~4.DLL")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef2d450f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef2d450f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xefae0564, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x238c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncConfig.exe", cAlternateFileName="FILESY~1.EXE")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf016ee08, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf016ee08, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf515bba6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncSessions.dll", cAlternateFileName="FIFC38~1.DLL")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5a72c24, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5a72c24, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfd98e121, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncShell.dll", cAlternateFileName="FI340C~1.DLL")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ca54abd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ca54abd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ca54abd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x803b3583, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x803b3583, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x803b3583, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ga-ie", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x805efa75, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x805efa75, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x805efa75, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gd", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b26d07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80b26d07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80b26d07, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gd-latn", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81928802, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81928802, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81928802, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81b3eb6a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81b3eb6a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81b3eb6a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gu", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x827e93a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x827e93a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x827e93a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ha-latn-ng", cAlternateFileName="HA-LAT~1")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x832eff32, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x832eff32, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x832eff32, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8352c4e5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8352c4e5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8352c4e5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x838271cc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x838271cc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x838271cc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83aafb76, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83aafb76, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83aafb76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83fc0aac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83fc0aac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83fc0aac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hy", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x844390b4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x844390b4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x844390b4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8470dd37, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8470dd37, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8470dd37, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ig-ng", cAlternateFileName="")) returned 1 [0231.686] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2dd71af, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2dd71af, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd2dd71af, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="is", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3524796, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3524796, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3524796, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40052e7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40052e7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd40052e7, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd80fd0fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd80fd0fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd80fd0fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ka", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddeb7a58, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xddeb7a58, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xddeb7a58, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde75c030, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde75c030, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde75c030, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="km-kh", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf0b004c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdf0b004c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdf0b004c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kn", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe086faec, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe086faec, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe086faec, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0df3254, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0df3254, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0df3254, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kok", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170a286, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe170a286, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe170a286, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ku-arab", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1f885e4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1f885e4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1f885e4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ky", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe25f0e6c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe25f0e6c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe25f0e6c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lb-lu", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a385d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1a385d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2245d34, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LoggingPlatform.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2e05889, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe2e05889, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2e05889, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe67616a6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe67616a6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe67616a6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7458572, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7458572, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7458572, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mi-nz", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7c3dff7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7c3dff7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7c3dff7, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mk", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe84e29e6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe84e29e6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe84e29e6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ml-in", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8d3ad1a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe8d3ad1a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe8d3ad1a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mn", cAlternateFileName="")) returned 1 [0231.687] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed466d7c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xed466d7c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xed466d7c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mr", cAlternateFileName="")) returned 1 [0231.701] SetEvent (hEvent=0x110) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeffa519c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xeffa519c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xeffa519c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ms", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b23a97, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6b23a97, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9af8e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2aa39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb2aa39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xc8b7ea2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0823ae2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0823ae2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0823ae2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mt-mt", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f70aa2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0f70aa2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0f70aa2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17c8cd3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf17c8cd3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf17c8cd3, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ne-np", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf429021d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf429021d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf429021d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5c88bd2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5c88bd2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf5c88bd2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nn-no", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa32a6a5, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfa32a6a5, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfa32a6a5, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nso-za", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849bc788, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x849bc788, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3150e345, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x7718c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDriveSetup.exe", cAlternateFileName="ONEDRI~1.EXE")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ea3f14, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ea3f14, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ea3f14, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="or-in", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86b4e06, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x86b4e06, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x86b4e06, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pa", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9d14cf, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb9d14cf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xb9d14cf, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pa-arab", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12292aaa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x12292aaa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x12292aaa, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pa-arab-pk", cAlternateFileName="PA-ARA~1")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1680305d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1680305d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1680305d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="prs-af", cAlternateFileName="")) returned 1 [0231.702] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cc25c4f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1cc25c4f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1cc25c4f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x215c2871, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x215c2871, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x215c2871, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2390227e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2390227e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2390227e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qut-latn", cAlternateFileName="")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25ad31dc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25ad31dc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x25ad31dc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="quz-pe", cAlternateFileName="")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14d0a816, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x14d0a816, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x16afe0f6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RemoteAccess.dll", cAlternateFileName="REMOTE~1.DLL")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2637d1c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2637d1c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2637d1c9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27e76442, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rw", cAlternateFileName="")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178673a6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x178673a6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x18f80014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x124b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScreenshotLogo.png", cAlternateFileName="SCREEN~1.PNG")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bdfde5d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1bdfde5d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1f7a8c42, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScreenshotOptIn.png", cAlternateFileName="SCREEN~2.PNG")) returned 1 [0231.703] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x287b3807, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x287b3807, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x287b3807, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sd-arab", cAlternateFileName="")) returned 1 [0231.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2953d378, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2953d378, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2953d378, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sd-arab-pk", cAlternateFileName="SD-ARA~1")) returned 1 [0231.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29b59691, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29b59691, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29b59691, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="si-lk", cAlternateFileName="")) returned 1 [0231.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6f8a85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a6f8a85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a6f8a85, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0231.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2af21d74, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2af21d74, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2af21d74, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0231.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b969f9e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b969f9e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b969f9e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sq", cAlternateFileName="")) returned 1 [0231.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x214b780e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x214b780e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x22a78c0e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0231.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x237ffd48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x237ffd48, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x245604a7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SqmWrapper.dll", cAlternateFileName="SQMWRA~1.DLL")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c0c3433, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c0c3433, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c0c3433, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-cyrl-ba", cAlternateFileName="SR-CYR~1")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cd6da83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2cd6da83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cd6da83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-cyrl-rs", cAlternateFileName="SR-CYR~2")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2ae8e3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2f2ae8e3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2f2ae8e3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-latn-rs", cAlternateFileName="SR-LAT~1")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ccbe0d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32ccbe0d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x32ccbe0d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x336554be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x336554be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x336554be, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sw", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25924c48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25924c48, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c240c38, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3018c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SyncEngine.dll", cAlternateFileName="SYNCEN~1.DLL")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34df519f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x34df519f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x34df519f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ta", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35cb5a72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35cb5a72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x35cb5a72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="te", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2da1851d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2da1851d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3089629e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x494c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Telemetry.dll", cAlternateFileName="TELEME~1.DLL")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3773e511, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3773e511, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3773e511, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tg", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a187045, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a187045, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a187045, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tg-cyrl", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad66e62, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ad66e62, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ad66e62, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ba1b177, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ba1b177, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ba1b177, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ti", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ca9f233, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ca9f233, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ca9f233, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tk-tm", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e99da31, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3e99da31, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3e99da31, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tn-za", cAlternateFileName="")) returned 1 [0231.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f3bfc7c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f3bfc7c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f3bfc7c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3feecd85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3feecd85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3feecd85, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tt", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40be3896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40be3896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40be3896, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ug", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4223d845, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4223d845, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4223d845, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ug-arab", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x429d715a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x429d715a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x429d715a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4451bff5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4451bff5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4451bff5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ur", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4622a987, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4622a987, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4622a987, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uz-latn-uz", cAlternateFileName="UZ-LAT~1")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47589b40, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47589b40, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47589b40, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328ec16f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x328ec16f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33af3cb5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x632c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VideoStreamingPlugin.dll", cAlternateFileName="VIDEOS~1.DLL")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x353788c4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x353788c4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x368c78f3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x684c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wlmfds.dll", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3949b564, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3949b564, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a77d98f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5d6c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WnsClientApi.dll", cAlternateFileName="WNSCLI~1.DLL")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4852f371, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4852f371, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4852f371, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wo", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b681c64, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4b681c64, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4b681c64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="xh-za", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50dd3ddb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x50dd3ddb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x50dd3ddb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yo-ng", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55bc2d1b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x55bc2d1b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x55bc2d1b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0231.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c07e05b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c07e05b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c07e05b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0231.708] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d3dd471, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d3dd471, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d3dd471, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zu-za", cAlternateFileName="")) returned 1 [0231.708] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0231.708] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0231.721] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.721] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.721] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.723] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0231.723] WriteFile (in: hFile=0x458, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0231.725] CloseHandle (hObject=0x458) returned 1 [0231.725] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ca5e9b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2ca5e9b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd2dd71af, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0231.725] SetEvent (hEvent=0x1b8) returned 1 [0231.725] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd30f840f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd30f840f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3b4055a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0231.734] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3f6c523, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3f6c523, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd40775fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0231.760] SetEvent (hEvent=0x40c) returned 1 [0231.760] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40775fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40775fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd410ff09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0231.774] SetEvent (hEvent=0x3cc) returned 1 [0231.774] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd410ff09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd410ff09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd4810e0d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0231.883] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0231.907] SetEvent (hEvent=0x3f4) returned 1 [0231.907] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd514dfac, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd514dfac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd80fd0fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0231.921] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0231.976] SetEvent (hEvent=0x3f4) returned 1 [0231.977] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc09dbdb, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc09dbdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdc9dad7b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0231.988] SetEvent (hEvent=0x40c) returned 1 [0231.988] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdde1efd1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdde1efd1, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2f9dc06, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0)) returned 1 [0232.081] SetEvent (hEvent=0x40c) returned 1 [0232.081] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe663028c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe663028c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe6d7d6ed, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x362c0)) returned 1 [0232.831] SetEvent (hEvent=0x1b8) returned 1 [0233.085] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncclient.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe73272cc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe73272cc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xed477d8a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0)) returned 1 [0233.478] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0233.858] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncconfig.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef2d450f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef2d450f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xefae0564, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x238c0)) returned 1 [0233.923] SetEvent (hEvent=0x1d0) returned 1 [0233.924] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncsessions.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf016ee08, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf016ee08, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf515bba6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0)) returned 1 [0234.038] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0234.201] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0234.855] SetEvent (hEvent=0x40c) returned 1 [0234.855] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0235.133] SetEvent (hEvent=0x1b8) returned 1 [0235.133] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0235.207] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncshell.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0235.208] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0235.208] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncshell.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5a72c24, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5a72c24, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfd98e121, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0)) returned 1 [0235.208] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0235.208] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104b0 | out: pbBuffer=0x128104b0) returned 1 [0235.209] ReadFile (in: hFile=0x3e4, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12a65d1c*=0x20000, lpOverlapped=0x0) returned 1 [0235.610] GetFileType (hFile=0x3e4) returned 0x1 [0235.610] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0235.610] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ca0000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12ca0000*, lpNumberOfBytesWritten=0x12a65d00*=0x20000, lpOverlapped=0x12a65d0c) returned 1 [0235.611] GetFileType (hFile=0x3e4) returned 0x1 [0235.611] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0235.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0235.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0235.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0235.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8560 | out: pbBuffer=0x128e8560) returned 1 [0235.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncshell.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0235.613] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0235.613] WriteFile (in: hFile=0x450, lpBuffer=0x128acf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x128acf00*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0235.670] CloseHandle (hObject=0x450) returned 1 [0235.867] CloseHandle (hObject=0x3e4) returned 1 [0235.969] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e85b8 | out: pbBuffer=0x128e85b8) returned 1 [0235.969] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncshell.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[455644BF76A88006]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[455644bf76a88006]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.223] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0236.304] SetEvent (hEvent=0x420) returned 1 [0236.305] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotoptin.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0236.305] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0236.305] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bdfde5d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1bdfde5d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1f7a8c42, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a)) returned 1 [0236.306] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0236.306] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0236.306] ReadFile (in: hFile=0x450, lpBuffer=0x12b90000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b90000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0236.353] GetFileType (hFile=0x450) returned 0x1 [0236.353] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.353] WriteFile (in: hFile=0x450, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0236.354] GetFileType (hFile=0x450) returned 0x1 [0236.354] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.354] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0236.354] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0236.355] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0236.355] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0236.355] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotoptin.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0236.356] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0236.356] WriteFile (in: hFile=0x3e4, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0236.399] CloseHandle (hObject=0x3e4) returned 1 [0236.410] CloseHandle (hObject=0x450) returned 1 [0236.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0236.415] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotoptin.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[20F95777E96E2E29]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[20f95777e96e2e29]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.573] SetEvent (hEvent=0x110) returned 1 [0236.573] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0236.578] SetEvent (hEvent=0x40c) returned 1 [0236.578] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\videostreamingplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0236.579] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0236.579] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\videostreamingplugin.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328ec16f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x328ec16f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33af3cb5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x632c0)) returned 1 [0236.579] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88240 | out: pbBuffer=0x12b88240) returned 1 [0236.579] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34cb0 | out: pbBuffer=0x12c34cb0) returned 1 [0236.580] ReadFile (in: hFile=0x450, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0236.755] GetFileType (hFile=0x450) returned 0x1 [0236.755] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.755] WriteFile (in: hFile=0x450, lpBuffer=0x12960000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12960000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0236.756] GetFileType (hFile=0x450) returned 0x1 [0236.756] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0236.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0236.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0236.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a898 | out: pbBuffer=0x12a9a898) returned 1 [0236.756] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\videostreamingplugin.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0236.757] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0236.757] WriteFile (in: hFile=0x458, lpBuffer=0x1285ea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285ea00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0236.921] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0236.966] SetEvent (hEvent=0x1b8) returned 1 [0236.966] CloseHandle (hObject=0x458) returned 1 [0236.966] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0237.006] CloseHandle (hObject=0x450) returned 1 [0237.006] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a010 | out: pbBuffer=0x12a9a010) returned 1 [0237.006] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\videostreamingplugin.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[8E0490538F291EED]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[8e0490538f291eed]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.007] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0237.047] SetEvent (hEvent=0x1d0) returned 1 [0237.047] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncshell64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.047] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncShell64.dll\\*", lpFindFileData=0x12a67a44 | out: lpFindFileData=0x12a67a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0237.048] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\loggingplatform64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0237.048] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0237.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\loggingplatform64.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448d594d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x448d594d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45ee3647, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x210c0)) returned 1 [0237.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0237.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a060 | out: pbBuffer=0x12a9a060) returned 1 [0237.049] ReadFile (in: hFile=0x3e4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0237.087] GetFileType (hFile=0x3e4) returned 0x1 [0237.087] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.087] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a20000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12a20000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0237.088] GetFileType (hFile=0x3e4) returned 0x1 [0237.088] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0237.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0237.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0237.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a148 | out: pbBuffer=0x12a9a148) returned 1 [0237.088] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\loggingplatform64.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0237.089] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0237.089] WriteFile (in: hFile=0x458, lpBuffer=0x1285e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285e000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.089] CloseHandle (hObject=0x458) returned 1 [0237.089] CloseHandle (hObject=0x3e4) returned 1 [0237.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0237.089] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\loggingplatform64.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\#_THIS_FILE_IS_ENCRYPTED_[EDC42BC8E93BD210]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\#_this_file_is_encrypted_[edc42bc8e93bd210]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.137] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0237.241] SetEvent (hEvent=0x420) returned 1 [0237.242] SetEvent (hEvent=0x1d0) returned 1 [0237.242] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0237.343] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0237.343] SetEvent (hEvent=0x420) returned 1 [0237.343] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0237.370] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0237.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0237.522] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0237.522] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b72988, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x70b72988, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x71e855e0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0237.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0237.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0237.522] ReadFile (in: hFile=0x42c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a63d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0237.550] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0237.566] GetFileType (hFile=0x42c) returned 0x1 [0237.566] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.567] WriteFile (in: hFile=0x42c, lpBuffer=0x12d48000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12d48000*, lpNumberOfBytesWritten=0x12a63d00*=0x15cc0, lpOverlapped=0x12a63d0c) returned 1 [0237.567] GetFileType (hFile=0x42c) returned 0x1 [0237.567] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.567] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0237.574] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0237.574] SetEvent (hEvent=0x110) returned 1 [0237.574] SetEvent (hEvent=0x1d0) returned 1 [0237.575] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0237.575] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0237.575] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0237.575] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0237.575] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.576] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0237.576] WriteFile (in: hFile=0x450, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.576] CloseHandle (hObject=0x450) returned 1 [0237.576] CloseHandle (hObject=0x42c) returned 1 [0237.576] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0237.576] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\#_THIS_FILE_IS_ENCRYPTED_[6CC76FBA1089793F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\#_this_file_is_encrypted_[6cc76fba1089793f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.717] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0237.718] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a69d0c | out: lpMode=0x12a69d0c) returned 0 [0237.718] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a69ad0 | out: lpFileInformation=0x12a69ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x757bdd52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x757bdd52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75856614, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0237.718] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0237.718] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0237.718] ReadFile (in: hFile=0x42c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a69d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a69d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0237.736] GetFileType (hFile=0x42c) returned 0x1 [0237.736] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a69ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.736] WriteFile (in: hFile=0x42c, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12a69d00, lpOverlapped=0x12a69d0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x12a69d00*=0x160c0, lpOverlapped=0x12a69d0c) returned 1 [0237.737] GetFileType (hFile=0x42c) returned 0x1 [0237.737] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a69ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0237.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0237.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0237.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1f0 | out: pbBuffer=0x12a9a1f0) returned 1 [0237.738] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.738] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a69d0c | out: lpMode=0x12a69d0c) returned 0 [0237.738] WriteFile (in: hFile=0x44c, lpBuffer=0x12a60500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a69d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60500*, lpNumberOfBytesWritten=0x12a69d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.738] CloseHandle (hObject=0x44c) returned 1 [0237.738] CloseHandle (hObject=0x42c) returned 1 [0237.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a208 | out: pbBuffer=0x12a9a208) returned 1 [0237.739] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\#_THIS_FILE_IS_ENCRYPTED_[304F54185F7F2FF9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\#_this_file_is_encrypted_[304f54185f7f2ff9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.776] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0237.889] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0237.891] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.891] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b265bb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78b265bb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78be52ff, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0)) returned 1 [0237.891] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928280 | out: pbBuffer=0x12928280) returned 1 [0237.891] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a260 | out: pbBuffer=0x12a9a260) returned 1 [0237.891] ReadFile (in: hFile=0x42c, lpBuffer=0x1294e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x1294e000*, lpNumberOfBytesRead=0x1282fd1c*=0x144c0, lpOverlapped=0x0) returned 1 [0237.906] GetFileType (hFile=0x42c) returned 0x1 [0237.906] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.906] WriteFile (in: hFile=0x42c, lpBuffer=0x129ca000*, nNumberOfBytesToWrite=0x144c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x129ca000*, lpNumberOfBytesWritten=0x1282fd00*=0x144c0, lpOverlapped=0x1282fd0c) returned 1 [0237.906] GetFileType (hFile=0x42c) returned 0x1 [0237.907] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x144c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0237.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0237.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0237.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a318 | out: pbBuffer=0x12a9a318) returned 1 [0237.907] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.908] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.908] WriteFile (in: hFile=0x450, lpBuffer=0x12a60a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0237.908] CloseHandle (hObject=0x450) returned 1 [0237.908] CloseHandle (hObject=0x42c) returned 1 [0237.908] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a330 | out: pbBuffer=0x12a9a330) returned 1 [0237.908] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\#_THIS_FILE_IS_ENCRYPTED_[21A95D44145120C9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\#_this_file_is_encrypted_[21a95d44145120c9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.049] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.052] SetEvent (hEvent=0x1b8) returned 1 [0238.052] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.053] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0238.053] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78d62a39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78d62a39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x794d5ee8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0238.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284c0 | out: pbBuffer=0x129284c0) returned 1 [0238.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a378 | out: pbBuffer=0x12a9a378) returned 1 [0238.053] ReadFile (in: hFile=0x42c, lpBuffer=0x12c9c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c9c000*, lpNumberOfBytesRead=0x12a65d1c*=0x162c0, lpOverlapped=0x0) returned 1 [0238.070] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.101] SetEvent (hEvent=0x1b8) returned 1 [0238.101] GetFileType (hFile=0x42c) returned 0x1 [0238.101] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.101] WriteFile (in: hFile=0x42c, lpBuffer=0x12d1c000*, nNumberOfBytesToWrite=0x162c0, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12d1c000*, lpNumberOfBytesWritten=0x12a65d00*=0x162c0, lpOverlapped=0x12a65d0c) returned 1 [0238.102] GetFileType (hFile=0x42c) returned 0x1 [0238.102] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x162c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.102] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0238.103] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801601 | out: pbBuffer=0x12801601) returned 1 [0238.103] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801701 | out: pbBuffer=0x12801701) returned 1 [0238.103] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a430 | out: pbBuffer=0x12a9a430) returned 1 [0238.103] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.104] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0238.104] WriteFile (in: hFile=0x44c, lpBuffer=0x12a60f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60f00*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.104] CloseHandle (hObject=0x44c) returned 1 [0238.104] CloseHandle (hObject=0x42c) returned 1 [0238.104] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a448 | out: pbBuffer=0x12a9a448) returned 1 [0238.104] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\#_THIS_FILE_IS_ENCRYPTED_[43BF171B15CC4731]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\#_this_file_is_encrypted_[43bf171b15cc4731]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.107] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.136] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.137] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1285fd0c | out: lpMode=0x1285fd0c) returned 0 [0238.137] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1285fad0 | out: lpFileInformation=0x1285fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c2950a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c2950a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c32dc26, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0238.137] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0238.137] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0238.137] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1285fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1285fd1c*=0x152c0, lpOverlapped=0x0) returned 1 [0238.155] GetFileType (hFile=0x3e4) returned 0x1 [0238.155] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1285fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.155] WriteFile (in: hFile=0x3e4, lpBuffer=0x12d4a000*, nNumberOfBytesToWrite=0x152c0, lpNumberOfBytesWritten=0x1285fd00, lpOverlapped=0x1285fd0c | out: lpBuffer=0x12d4a000*, lpNumberOfBytesWritten=0x1285fd00*=0x152c0, lpOverlapped=0x1285fd0c) returned 1 [0238.156] GetFileType (hFile=0x3e4) returned 0x1 [0238.156] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x152c0, lpNewFilePointer=0x0, dwMoveMethod=0x1285fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0238.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0238.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0238.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848590 | out: pbBuffer=0x12848590) returned 1 [0238.156] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.157] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1285fd0c | out: lpMode=0x1285fd0c) returned 0 [0238.157] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1285fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1285fd0c*=0x276, lpOverlapped=0x0) returned 1 [0238.157] CloseHandle (hObject=0x450) returned 1 [0238.157] CloseHandle (hObject=0x3e4) returned 1 [0238.157] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485a8 | out: pbBuffer=0x128485a8) returned 1 [0238.157] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\#_THIS_FILE_IS_ENCRYPTED_[4BEC1880B947E482]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\#_this_file_is_encrypted_[4bec1880b947e482]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.158] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.175] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1285fd0c | out: lpMode=0x1285fd0c) returned 0 [0238.175] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1285fad0 | out: lpFileInformation=0x1285fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8049848e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8049848e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x805efa75, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ac0)) returned 1 [0238.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e560 | out: pbBuffer=0x1280e560) returned 1 [0238.176] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0238.176] ReadFile (in: hFile=0x3e4, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1285fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1285fd1c*=0x16ac0, lpOverlapped=0x0) returned 1 [0238.181] GetFileType (hFile=0x3e4) returned 0x1 [0238.182] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1285fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.182] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x16ac0, lpNumberOfBytesWritten=0x1285fd00, lpOverlapped=0x1285fd0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x1285fd00*=0x16ac0, lpOverlapped=0x1285fd0c) returned 1 [0238.182] GetFileType (hFile=0x3e4) returned 0x1 [0238.182] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x16ac0, lpNewFilePointer=0x0, dwMoveMethod=0x1285fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.182] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0238.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0238.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0238.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848938 | out: pbBuffer=0x12848938) returned 1 [0238.183] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.183] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1285fd0c | out: lpMode=0x1285fd0c) returned 0 [0238.183] WriteFile (in: hFile=0x450, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1285fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1285fd0c*=0x276, lpOverlapped=0x0) returned 1 [0238.183] CloseHandle (hObject=0x450) returned 1 [0238.183] CloseHandle (hObject=0x3e4) returned 1 [0238.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848960 | out: pbBuffer=0x12848960) returned 1 [0238.184] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\#_THIS_FILE_IS_ENCRYPTED_[D552A3C721B71E33]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\#_this_file_is_encrypted_[d552a3c721b71e33]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.205] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.210] SetEvent (hEvent=0x1b8) returned 1 [0238.210] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.228] SetEvent (hEvent=0x19c) returned 1 [0238.228] SetEvent (hEvent=0x40c) returned 1 [0238.228] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.275] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.316] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.358] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.358] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0238.359] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836f6330, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x836f6330, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x837b4d08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0238.359] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0238.359] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0238.359] ReadFile (in: hFile=0x42c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12925d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0238.400] GetFileType (hFile=0x42c) returned 0x1 [0238.400] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.401] WriteFile (in: hFile=0x42c, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x12925d00*=0x15cc0, lpOverlapped=0x12925d0c) returned 1 [0238.401] GetFileType (hFile=0x42c) returned 0x1 [0238.402] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0238.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0238.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0238.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848590 | out: pbBuffer=0x12848590) returned 1 [0238.403] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.403] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0238.403] WriteFile (in: hFile=0x450, lpBuffer=0x12c22000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22000*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.403] CloseHandle (hObject=0x450) returned 1 [0238.404] CloseHandle (hObject=0x42c) returned 1 [0238.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485a8 | out: pbBuffer=0x128485a8) returned 1 [0238.404] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\#_THIS_FILE_IS_ENCRYPTED_[4824B64ACD77D4B1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\#_this_file_is_encrypted_[4824b64acd77d4b1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.454] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.530] SetEvent (hEvent=0x420) returned 1 [0238.530] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.538] SetEvent (hEvent=0x19c) returned 1 [0238.539] SetEvent (hEvent=0x40c) returned 1 [0238.539] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.589] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.590] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0238.590] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8418a6bc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8418a6bc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84223144, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ec0)) returned 1 [0238.590] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0238.590] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0238.590] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12855d1c*=0x14ec0, lpOverlapped=0x0) returned 1 [0238.644] GetFileType (hFile=0x44c) returned 0x1 [0238.644] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.645] WriteFile (in: hFile=0x44c, lpBuffer=0x129aa000*, nNumberOfBytesToWrite=0x14ec0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x129aa000*, lpNumberOfBytesWritten=0x12855d00*=0x14ec0, lpOverlapped=0x12855d0c) returned 1 [0238.645] GetFileType (hFile=0x44c) returned 0x1 [0238.645] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x14ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0238.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0238.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0238.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0238.646] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0238.647] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0238.647] WriteFile (in: hFile=0x458, lpBuffer=0x12a6e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6e000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.647] CloseHandle (hObject=0x458) returned 1 [0238.647] CloseHandle (hObject=0x44c) returned 1 [0238.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0238.648] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\#_THIS_FILE_IS_ENCRYPTED_[7EE999F345EF7D3F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\#_this_file_is_encrypted_[7ee999f345ef7d3f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddeb7a58, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde35637f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde35637f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.649] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.650] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddeb7a58, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xddeb7a58, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde35637f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0238.650] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddeb7a58, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xddeb7a58, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde35637f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.650] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde35637f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde35637f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde6c36dc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.650] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.650] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0238.650] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.650] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.650] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.651] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.651] WriteFile (in: hFile=0x44c, lpBuffer=0x12b16000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12b16000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.653] CloseHandle (hObject=0x44c) returned 1 [0238.653] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde35637f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde35637f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde6c36dc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0238.654] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde75c030, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdeaa3767, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdeaa3767, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.654] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.654] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde75c030, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde75c030, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdeaa3767, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0238.655] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde75c030, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde75c030, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdeaa3767, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.655] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeaa3767, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdeaa3767, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdee62eb6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.655] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.655] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0238.655] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.656] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.656] WriteFile (in: hFile=0x44c, lpBuffer=0x12b17300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12b17300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.658] CloseHandle (hObject=0x44c) returned 1 [0238.659] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeaa3767, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdeaa3767, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdee62eb6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0238.726] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.727] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0238.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde35637f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde35637f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde6c36dc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0238.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88420 | out: pbBuffer=0x12b88420) returned 1 [0238.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34760 | out: pbBuffer=0x12c34760) returned 1 [0238.728] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0238.731] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0238.731] SetEvent (hEvent=0x110) returned 1 [0238.731] SetEvent (hEvent=0x420) returned 1 [0238.732] ReadFile (in: hFile=0x44c, lpBuffer=0x129d8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d8000*, lpNumberOfBytesRead=0x12855d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0238.739] GetFileType (hFile=0x44c) returned 0x1 [0238.739] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.739] WriteFile (in: hFile=0x44c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12855d00*=0x160c0, lpOverlapped=0x12855d0c) returned 1 [0238.740] GetFileType (hFile=0x44c) returned 0x1 [0238.740] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.752] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0238.753] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0238.753] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0238.766] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e95d0 | out: pbBuffer=0x128e95d0) returned 1 [0238.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0238.766] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0238.766] WriteFile (in: hFile=0x458, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.766] CloseHandle (hObject=0x458) returned 1 [0238.767] CloseHandle (hObject=0x44c) returned 1 [0238.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e95e8 | out: pbBuffer=0x128e95e8) returned 1 [0238.767] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\#_THIS_FILE_IS_ENCRYPTED_[927A7A7D6CA6E2BC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\#_this_file_is_encrypted_[927a7a7d6ca6e2bc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.784] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.791] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.923] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.943] SetEvent (hEvent=0x1d0) returned 1 [0238.943] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.944] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0238.944] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe12dddac, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe12dddac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1697913, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0238.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0238.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0238.945] ReadFile (in: hFile=0x450, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12829d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0238.964] GetFileType (hFile=0x450) returned 0x1 [0238.964] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.964] WriteFile (in: hFile=0x450, lpBuffer=0x129aa000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x129aa000*, lpNumberOfBytesWritten=0x12829d00*=0x156c0, lpOverlapped=0x12829d0c) returned 1 [0238.965] GetFileType (hFile=0x450) returned 0x1 [0238.965] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.965] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0238.965] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0238.965] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0238.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0238.966] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.966] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0238.966] WriteFile (in: hFile=0x3e4, lpBuffer=0x12af4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.967] CloseHandle (hObject=0x3e4) returned 1 [0238.967] CloseHandle (hObject=0x450) returned 1 [0238.967] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0238.967] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\#_THIS_FILE_IS_ENCRYPTED_[49BD48731FED0099]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\#_this_file_is_encrypted_[49bd48731fed0099]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.968] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0238.970] SetEvent (hEvent=0x1d0) returned 1 [0238.971] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.971] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0238.971] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1a9d74e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1a9d74e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1e310fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0238.971] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286a0 | out: pbBuffer=0x129286a0) returned 1 [0238.972] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0238.972] ReadFile (in: hFile=0x450, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12853d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0238.998] GetFileType (hFile=0x450) returned 0x1 [0238.998] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.998] WriteFile (in: hFile=0x450, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12853d00*=0x15cc0, lpOverlapped=0x12853d0c) returned 1 [0238.999] GetFileType (hFile=0x450) returned 0x1 [0238.999] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0238.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf01 | out: pbBuffer=0x12afcf01) returned 1 [0238.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd001 | out: pbBuffer=0x12afd001) returned 1 [0239.000] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8428 | out: pbBuffer=0x128e8428) returned 1 [0239.000] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0239.000] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0239.000] WriteFile (in: hFile=0x42c, lpBuffer=0x12af4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4500*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0239.000] CloseHandle (hObject=0x42c) returned 1 [0239.000] CloseHandle (hObject=0x450) returned 1 [0239.000] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8440 | out: pbBuffer=0x128e8440) returned 1 [0239.001] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\#_THIS_FILE_IS_ENCRYPTED_[C02EFC42F4EE5E6A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\#_this_file_is_encrypted_[c02efc42f4ee5e6a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0239.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0239.003] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0239.003] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe28ebb97, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe28ebb97, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2c590be, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0239.003] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129288a0 | out: pbBuffer=0x129288a0) returned 1 [0239.003] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8488 | out: pbBuffer=0x128e8488) returned 1 [0239.003] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0239.042] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0239.042] SetEvent (hEvent=0x110) returned 1 [0239.042] SetEvent (hEvent=0x420) returned 1 [0239.043] ReadFile (in: hFile=0x450, lpBuffer=0x12ab8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ab8000*, lpNumberOfBytesRead=0x12857d1c*=0x174c0, lpOverlapped=0x0) returned 1 [0239.068] GetFileType (hFile=0x450) returned 0x1 [0239.068] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.069] WriteFile (in: hFile=0x450, lpBuffer=0x12d70000*, nNumberOfBytesToWrite=0x174c0, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12d70000*, lpNumberOfBytesWritten=0x12857d00*=0x174c0, lpOverlapped=0x12857d0c) returned 1 [0239.069] GetFileType (hFile=0x450) returned 0x1 [0239.069] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x174c0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.070] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd381 | out: pbBuffer=0x12afd381) returned 1 [0239.070] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd481 | out: pbBuffer=0x12afd481) returned 1 [0239.071] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd581 | out: pbBuffer=0x12afd581) returned 1 [0239.071] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8540 | out: pbBuffer=0x128e8540) returned 1 [0239.071] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0239.071] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0239.071] WriteFile (in: hFile=0x42c, lpBuffer=0x12af4a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4a00*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0239.072] CloseHandle (hObject=0x42c) returned 1 [0239.072] CloseHandle (hObject=0x450) returned 1 [0239.072] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8558 | out: pbBuffer=0x128e8558) returned 1 [0239.072] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\#_THIS_FILE_IS_ENCRYPTED_[04774E90B1F8622F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\#_this_file_is_encrypted_[04774e90b1f8622f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0239.074] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0239.084] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0239.084] SetEvent (hEvent=0x1d0) returned 1 [0239.084] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0239.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0239.125] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0239.125] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a82a2d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe6a82a2d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe702bf73, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0239.125] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0239.125] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0239.125] ReadFile (in: hFile=0x44c, lpBuffer=0x12ba0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba0000*, lpNumberOfBytesRead=0x12851d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0239.155] GetFileType (hFile=0x44c) returned 0x1 [0239.155] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.155] WriteFile (in: hFile=0x44c, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x12851d00*=0x15ec0, lpOverlapped=0x12851d0c) returned 1 [0239.156] GetFileType (hFile=0x44c) returned 0x1 [0239.156] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0239.157] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0239.157] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0239.157] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848590 | out: pbBuffer=0x12848590) returned 1 [0239.157] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0239.157] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0239.157] WriteFile (in: hFile=0x3e4, lpBuffer=0x12994000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12994000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0239.158] CloseHandle (hObject=0x3e4) returned 1 [0239.158] CloseHandle (hObject=0x44c) returned 1 [0239.158] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485a8 | out: pbBuffer=0x128485a8) returned 1 [0239.158] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\#_THIS_FILE_IS_ENCRYPTED_[749EF97CB447848A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\#_this_file_is_encrypted_[749ef97cb447848a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0239.229] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0239.262] SetEvent (hEvent=0x1b8) returned 1 [0239.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0239.263] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0239.263] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe884ff12, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe884ff12, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe8c7c0a1, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x186c0)) returned 1 [0239.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98440 | out: pbBuffer=0x12a98440) returned 1 [0239.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810bb0 | out: pbBuffer=0x12810bb0) returned 1 [0239.264] ReadFile (in: hFile=0x44c, lpBuffer=0x129a0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a0000*, lpNumberOfBytesRead=0x12855d1c*=0x186c0, lpOverlapped=0x0) returned 1 [0239.298] GetFileType (hFile=0x44c) returned 0x1 [0239.298] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.298] WriteFile (in: hFile=0x44c, lpBuffer=0x12a20000*, nNumberOfBytesToWrite=0x186c0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a20000*, lpNumberOfBytesWritten=0x12855d00*=0x186c0, lpOverlapped=0x12855d0c) returned 1 [0239.299] GetFileType (hFile=0x44c) returned 0x1 [0239.299] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x186c0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.299] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0239.299] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0239.299] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0239.300] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810c68 | out: pbBuffer=0x12810c68) returned 1 [0239.300] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0239.300] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0239.300] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0239.301] CloseHandle (hObject=0x42c) returned 1 [0239.301] CloseHandle (hObject=0x44c) returned 1 [0239.301] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c80 | out: pbBuffer=0x12810c80) returned 1 [0239.301] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\#_THIS_FILE_IS_ENCRYPTED_[670B08AA27793312]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\#_this_file_is_encrypted_[670b08aa27793312]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0239.302] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0239.303] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0239.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef0be497, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef0be497, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef8f0a82, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0239.303] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98640 | out: pbBuffer=0x12a98640) returned 1 [0239.303] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810cc8 | out: pbBuffer=0x12810cc8) returned 1 [0239.304] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0239.808] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0239.817] SetEvent (hEvent=0x110) returned 1 [0239.818] SetEvent (hEvent=0x1d0) returned 1 [0240.437] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0241.439] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0242.147] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0242.149] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1298fd0c | out: lpMode=0x1298fd0c) returned 0 [0242.149] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1298fad0 | out: lpFileInformation=0x1298fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0502516, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0502516, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0764d71, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0242.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0242.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0242.150] ReadFile (in: hFile=0x42c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1298fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x1298fd1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0242.495] GetFileType (hFile=0x42c) returned 0x1 [0242.495] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1298fce4 | out: lpNewFilePointer=0x0) returned 1 [0242.496] WriteFile (in: hFile=0x42c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x1298fd00, lpOverlapped=0x1298fd0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x1298fd00*=0x15cc0, lpOverlapped=0x1298fd0c) returned 1 [0242.496] GetFileType (hFile=0x42c) returned 0x1 [0242.497] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x1298fce4 | out: lpNewFilePointer=0x0) returned 1 [0242.508] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0242.508] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0242.508] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0242.788] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848590 | out: pbBuffer=0x12848590) returned 1 [0242.788] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0242.789] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1298fd0c | out: lpMode=0x1298fd0c) returned 0 [0242.789] WriteFile (in: hFile=0x44c, lpBuffer=0x12b1a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1298fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b1a000*, lpNumberOfBytesWritten=0x1298fd0c*=0x276, lpOverlapped=0x0) returned 1 [0242.789] CloseHandle (hObject=0x44c) returned 1 [0242.789] CloseHandle (hObject=0x42c) returned 1 [0242.789] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485a8 | out: pbBuffer=0x128485a8) returned 1 [0242.819] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\#_THIS_FILE_IS_ENCRYPTED_[40F389B179B45B5A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\#_this_file_is_encrypted_[40f389b179b45b5a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0242.877] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0242.897] SetEvent (hEvent=0x420) returned 1 [0242.897] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0242.898] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12993d0c | out: lpMode=0x12993d0c) returned 0 [0242.898] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12993ad0 | out: lpFileInformation=0x12993ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0aabfbc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0aabfbc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0e3f813, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0242.898] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0242.898] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0242.899] ReadFile (in: hFile=0x42c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12993d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12993d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0242.906] GetFileType (hFile=0x42c) returned 0x1 [0242.906] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12993ce4 | out: lpNewFilePointer=0x0) returned 1 [0242.906] WriteFile (in: hFile=0x42c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12993d00, lpOverlapped=0x12993d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12993d00*=0x15ec0, lpOverlapped=0x12993d0c) returned 1 [0242.907] GetFileType (hFile=0x42c) returned 0x1 [0242.907] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12993ce4 | out: lpNewFilePointer=0x0) returned 1 [0242.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0242.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0242.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0242.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848938 | out: pbBuffer=0x12848938) returned 1 [0242.907] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0242.908] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12993d0c | out: lpMode=0x12993d0c) returned 0 [0242.908] WriteFile (in: hFile=0x458, lpBuffer=0x12b1a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12993d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b1a500*, lpNumberOfBytesWritten=0x12993d0c*=0x276, lpOverlapped=0x0) returned 1 [0242.908] CloseHandle (hObject=0x458) returned 1 [0242.908] CloseHandle (hObject=0x42c) returned 1 [0242.908] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848960 | out: pbBuffer=0x12848960) returned 1 [0242.909] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\#_THIS_FILE_IS_ENCRYPTED_[103DD07AEB1B70A7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\#_this_file_is_encrypted_[103dd07aeb1b70a7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0242.932] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0243.049] SetEvent (hEvent=0x420) returned 1 [0243.049] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.050] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12993d0c | out: lpMode=0x12993d0c) returned 0 [0243.050] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12993ad0 | out: lpFileInformation=0x12993ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf56df403, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf56df403, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf5b318da, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0243.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e800 | out: pbBuffer=0x1280e800) returned 1 [0243.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810de0 | out: pbBuffer=0x12810de0) returned 1 [0243.050] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0243.066] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0243.066] SetEvent (hEvent=0x110) returned 1 [0243.066] SetEvent (hEvent=0x420) returned 1 [0243.066] SetEvent (hEvent=0x19c) returned 1 [0243.067] ReadFile (in: hFile=0x458, lpBuffer=0x12cc0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12993d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc0000*, lpNumberOfBytesRead=0x12993d1c*=0x164c0, lpOverlapped=0x0) returned 1 [0243.085] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0243.104] SetEvent (hEvent=0x19c) returned 1 [0243.104] GetFileType (hFile=0x458) returned 0x1 [0243.104] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12993ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.104] WriteFile (in: hFile=0x458, lpBuffer=0x12a36000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x12993d00, lpOverlapped=0x12993d0c | out: lpBuffer=0x12a36000*, lpNumberOfBytesWritten=0x12993d00*=0x164c0, lpOverlapped=0x12993d0c) returned 1 [0243.105] GetFileType (hFile=0x458) returned 0x1 [0243.105] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x12993ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0243.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0243.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0243.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810e98 | out: pbBuffer=0x12810e98) returned 1 [0243.106] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0243.106] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12993d0c | out: lpMode=0x12993d0c) returned 0 [0243.107] WriteFile (in: hFile=0x450, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12993d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12993d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.107] CloseHandle (hObject=0x450) returned 1 [0243.107] CloseHandle (hObject=0x458) returned 1 [0243.107] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810eb0 | out: pbBuffer=0x12810eb0) returned 1 [0243.107] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\#_THIS_FILE_IS_ENCRYPTED_[BF4F35A59F165A4E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\#_this_file_is_encrypted_[bf4f35a59f165a4e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.109] SetEvent (hEvent=0x1d0) returned 1 [0243.109] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.110] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12993d0c | out: lpMode=0x12993d0c) returned 0 [0243.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12993ad0 | out: lpFileInformation=0x12993ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103e07d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x103e07d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cda3a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0)) returned 1 [0243.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eb00 | out: pbBuffer=0x1280eb00) returned 1 [0243.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ef8 | out: pbBuffer=0x12810ef8) returned 1 [0243.111] ReadFile (in: hFile=0x458, lpBuffer=0x12d40000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12993d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d40000*, lpNumberOfBytesRead=0x12993d1c*=0x16cc0, lpOverlapped=0x0) returned 1 [0243.127] VirtualAlloc (lpAddress=0x12da4000, dwSize=0x18000, flAllocationType=0x1000, flProtect=0x4) returned 0x12da4000 [0243.132] GetFileType (hFile=0x458) returned 0x1 [0243.132] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12993ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.132] WriteFile (in: hFile=0x458, lpBuffer=0x12da4000*, nNumberOfBytesToWrite=0x16cc0, lpNumberOfBytesWritten=0x12993d00, lpOverlapped=0x12993d0c | out: lpBuffer=0x12da4000*, lpNumberOfBytesWritten=0x12993d00*=0x16cc0, lpOverlapped=0x12993d0c) returned 1 [0243.133] GetFileType (hFile=0x458) returned 0x1 [0243.133] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x16cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12993ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.133] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0243.133] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0243.134] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0243.134] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34540 | out: pbBuffer=0x12c34540) returned 1 [0243.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.134] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12993d0c | out: lpMode=0x12993d0c) returned 0 [0243.134] WriteFile (in: hFile=0x44c, lpBuffer=0x12be4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12993d0c, lpOverlapped=0x0 | out: lpBuffer=0x12be4500*, lpNumberOfBytesWritten=0x12993d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.135] CloseHandle (hObject=0x44c) returned 1 [0243.135] CloseHandle (hObject=0x458) returned 1 [0243.135] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34558 | out: pbBuffer=0x12c34558) returned 1 [0243.135] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\#_THIS_FILE_IS_ENCRYPTED_[6E4B59B57724F4BC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\#_this_file_is_encrypted_[6e4b59b57724f4bc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.141] GetFileType (hFile=0x3e4) returned 0x1 [0243.141] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1298fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.142] WriteFile (in: hFile=0x3e4, lpBuffer=0x129e0000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x1298fd00, lpOverlapped=0x1298fd0c | out: lpBuffer=0x129e0000*, lpNumberOfBytesWritten=0x1298fd00*=0x164c0, lpOverlapped=0x1298fd0c) returned 1 [0243.142] GetFileType (hFile=0x3e4) returned 0x1 [0243.142] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x1298fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0243.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0243.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0243.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848580 | out: pbBuffer=0x12848580) returned 1 [0243.143] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.143] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1298fd0c | out: lpMode=0x1298fd0c) returned 0 [0243.143] WriteFile (in: hFile=0x458, lpBuffer=0x12b1a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1298fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b1a000*, lpNumberOfBytesWritten=0x1298fd0c*=0x276, lpOverlapped=0x0) returned 1 [0243.144] CloseHandle (hObject=0x458) returned 1 [0243.144] CloseHandle (hObject=0x3e4) returned 1 [0243.144] SwitchToThread () returned 1 [0243.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848598 | out: pbBuffer=0x12848598) returned 1 [0243.147] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\#_THIS_FILE_IS_ENCRYPTED_[1ED6D2363B8395F7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\#_this_file_is_encrypted_[1ed6d2363b8395f7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0243.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0243.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0243.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128488f8 | out: pbBuffer=0x128488f8) returned 1 [0243.150] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.150] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0243.150] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b1a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a97d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b1a500*, lpNumberOfBytesWritten=0x12a97d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.151] CloseHandle (hObject=0x3e4) returned 1 [0243.151] CloseHandle (hObject=0x42c) returned 1 [0243.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848930 | out: pbBuffer=0x12848930) returned 1 [0243.151] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\#_THIS_FILE_IS_ENCRYPTED_[EB556B1F28291A14]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\#_this_file_is_encrypted_[eb556b1f28291a14]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ea3f14, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7d77b98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7d77b98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.159] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.159] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ea3f14, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ea3f14, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7d77b98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.159] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ea3f14, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ea3f14, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7d77b98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.159] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d77b98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7d77b98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x832177f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.159] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.159] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.160] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.160] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.160] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.161] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.161] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.163] CloseHandle (hObject=0x42c) returned 1 [0243.164] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d77b98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7d77b98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x832177f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0243.166] SetEvent (hEvent=0x19c) returned 1 [0243.166] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86b4e06, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xabcf838, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xabcf838, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.174] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.175] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86b4e06, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x86b4e06, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xabcf838, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0243.175] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86b4e06, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x86b4e06, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xabcf838, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.175] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabcf838, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xabcf838, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xb5f1603, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.175] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.175] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0243.175] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.176] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.177] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.177] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.178] CloseHandle (hObject=0x3e4) returned 1 [0243.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabcf838, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xabcf838, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xb5f1603, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0243.212] SetEvent (hEvent=0x1b8) returned 1 [0243.212] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9d14cf, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xf3c8687, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xf3c8687, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.223] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.223] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9d14cf, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb9d14cf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xf3c8687, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.223] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9d14cf, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb9d14cf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xf3c8687, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.224] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3c8687, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xf3c8687, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1207c939, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.224] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.224] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.224] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.224] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.224] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.233] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.233] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.274] CloseHandle (hObject=0x42c) returned 1 [0243.283] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3c8687, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xf3c8687, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1207c939, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0243.286] SetEvent (hEvent=0x19c) returned 1 [0243.286] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12292aaa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x148de442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x148de442, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.293] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12292aaa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x12292aaa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x148de442, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.293] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12292aaa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x12292aaa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x148de442, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.293] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x148de442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x148de442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x14ace4c5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.293] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.293] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.294] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.294] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.294] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.304] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.304] WriteFile (in: hFile=0x458, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.315] CloseHandle (hObject=0x458) returned 1 [0243.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x148de442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x148de442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x14ace4c5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0243.324] SetEvent (hEvent=0x1b8) returned 1 [0243.324] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x16423422, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x16423422, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.324] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.324] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x16423422, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.325] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x16423422, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.325] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16423422, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x16423422, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1674456a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.325] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.325] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.325] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.325] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.325] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.335] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.335] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.344] CloseHandle (hObject=0x458) returned 1 [0243.356] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16423422, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x16423422, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1674456a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0)) returned 1 [0243.356] SetEvent (hEvent=0x19c) returned 1 [0243.356] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1680305d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x18f80014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x18f80014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.356] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.356] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1680305d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1680305d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x18f80014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.357] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1680305d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1680305d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x18f80014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.357] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18e9b2c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x18e9b2c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c03a060, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.357] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.357] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.357] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.357] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.357] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.374] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0243.449] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.449] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0243.495] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.496] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0243.496] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1285bad0 | out: lpFileInformation=0x1285bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22862cea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x22862cea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2312d9e6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0243.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0243.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0243.497] ReadFile (in: hFile=0x3e4, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1285bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1285bd1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0243.519] GetFileType (hFile=0x3e4) returned 0x1 [0243.519] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0243.520] WriteFile (in: hFile=0x3e4, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x1285bd00, lpOverlapped=0x1285bd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x1285bd00*=0x15ec0, lpOverlapped=0x1285bd0c) returned 1 [0243.520] GetFileType (hFile=0x3e4) returned 0x1 [0243.520] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0243.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0243.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0243.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0243.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0243.521] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.521] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0243.521] WriteFile (in: hFile=0x44c, lpBuffer=0x12994000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1285bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12994000*, lpNumberOfBytesWritten=0x1285bd0c*=0x276, lpOverlapped=0x0) returned 1 [0243.522] CloseHandle (hObject=0x44c) returned 1 [0243.522] CloseHandle (hObject=0x3e4) returned 1 [0243.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0243.522] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\#_THIS_FILE_IS_ENCRYPTED_[93A85089E45A1AF5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\#_this_file_is_encrypted_[93a85089e45a1af5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.525] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0243.549] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.550] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0243.550] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f2857f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0243.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0243.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0243.551] ReadFile (in: hFile=0x44c, lpBuffer=0x12998000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12998000*, lpNumberOfBytesRead=0x1282fd1c*=0x164c0, lpOverlapped=0x0) returned 1 [0243.560] GetFileType (hFile=0x44c) returned 0x1 [0243.560] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.560] WriteFile (in: hFile=0x44c, lpBuffer=0x12bca000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12bca000*, lpNumberOfBytesWritten=0x1282fd00*=0x164c0, lpOverlapped=0x1282fd0c) returned 1 [0243.561] GetFileType (hFile=0x44c) returned 0x1 [0243.561] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.561] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0243.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0243.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0243.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a238 | out: pbBuffer=0x12a9a238) returned 1 [0243.571] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.571] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0243.571] WriteFile (in: hFile=0x42c, lpBuffer=0x12994500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12994500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0243.571] CloseHandle (hObject=0x42c) returned 1 [0243.571] CloseHandle (hObject=0x44c) returned 1 [0243.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a250 | out: pbBuffer=0x12a9a250) returned 1 [0243.572] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\#_THIS_FILE_IS_ENCRYPTED_[96E1955EBCC3ED5B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\#_this_file_is_encrypted_[96e1955ebcc3ed5b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.673] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0243.714] SetEvent (hEvent=0x1b8) returned 1 [0243.714] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.715] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0243.715] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1285bad0 | out: lpFileInformation=0x1285bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x275b3298, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x275b3298, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27d029e2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0243.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88420 | out: pbBuffer=0x12b88420) returned 1 [0243.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a298 | out: pbBuffer=0x12a9a298) returned 1 [0243.716] ReadFile (in: hFile=0x44c, lpBuffer=0x129f0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1285bd1c, lpOverlapped=0x0 | out: lpBuffer=0x129f0000*, lpNumberOfBytesRead=0x1285bd1c*=0x156c0, lpOverlapped=0x0) returned 1 [0243.812] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0243.838] SetEvent (hEvent=0x1b8) returned 1 [0243.838] GetFileType (hFile=0x44c) returned 0x1 [0243.838] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0243.839] WriteFile (in: hFile=0x44c, lpBuffer=0x12d0e000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x1285bd00, lpOverlapped=0x1285bd0c | out: lpBuffer=0x12d0e000*, lpNumberOfBytesWritten=0x1285bd00*=0x156c0, lpOverlapped=0x1285bd0c) returned 1 [0243.839] GetFileType (hFile=0x44c) returned 0x1 [0243.839] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0243.840] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc01 | out: pbBuffer=0x12afcc01) returned 1 [0243.840] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd01 | out: pbBuffer=0x12afcd01) returned 1 [0243.840] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0243.840] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34a30 | out: pbBuffer=0x12c34a30) returned 1 [0243.840] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.841] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0243.841] WriteFile (in: hFile=0x3e4, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1285bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x1285bd0c*=0x276, lpOverlapped=0x0) returned 1 [0243.842] CloseHandle (hObject=0x3e4) returned 1 [0243.842] CloseHandle (hObject=0x44c) returned 1 [0243.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34a48 | out: pbBuffer=0x12c34a48) returned 1 [0243.842] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\#_THIS_FILE_IS_ENCRYPTED_[D0CB4A23031E7F3D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\#_this_file_is_encrypted_[d0cb4a23031e7f3d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.844] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0243.955] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.956] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0243.956] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1285bad0 | out: lpFileInformation=0x1285bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9cd754, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a9cd754, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2adf0c02, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0243.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0243.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0243.957] ReadFile (in: hFile=0x458, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1285bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x1285bd1c*=0x164c0, lpOverlapped=0x0) returned 1 [0243.972] GetFileType (hFile=0x458) returned 0x1 [0243.972] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0243.973] WriteFile (in: hFile=0x458, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x1285bd00, lpOverlapped=0x1285bd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x1285bd00*=0x164c0, lpOverlapped=0x1285bd0c) returned 1 [0243.974] GetFileType (hFile=0x458) returned 0x1 [0243.974] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0243.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0243.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0243.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0243.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810450 | out: pbBuffer=0x12810450) returned 1 [0243.975] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.975] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0243.975] WriteFile (in: hFile=0x42c, lpBuffer=0x12924000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1285bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12924000*, lpNumberOfBytesWritten=0x1285bd0c*=0x276, lpOverlapped=0x0) returned 1 [0243.976] CloseHandle (hObject=0x42c) returned 1 [0243.976] CloseHandle (hObject=0x458) returned 1 [0243.976] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810468 | out: pbBuffer=0x12810468) returned 1 [0243.976] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\#_THIS_FILE_IS_ENCRYPTED_[FF428105A52EC401]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\#_this_file_is_encrypted_[ff428105a52ec401]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.067] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0244.091] SetEvent (hEvent=0x19c) returned 1 [0244.091] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.093] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0244.093] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b458fec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b458fec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b8d1654, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0244.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0244.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0244.093] ReadFile (in: hFile=0x458, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x164c0, lpOverlapped=0x0) returned 1 [0244.118] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0244.127] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0244.127] SetEvent (hEvent=0x110) returned 1 [0244.127] SetEvent (hEvent=0x1b8) returned 1 [0244.128] SetEvent (hEvent=0x420) returned 1 [0244.128] GetFileType (hFile=0x458) returned 0x1 [0244.128] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0244.128] WriteFile (in: hFile=0x458, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x1282fd00*=0x164c0, lpOverlapped=0x1282fd0c) returned 1 [0244.129] GetFileType (hFile=0x458) returned 0x1 [0244.129] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0244.130] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0244.130] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0244.130] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0244.130] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848938 | out: pbBuffer=0x12848938) returned 1 [0244.130] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.131] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0244.131] WriteFile (in: hFile=0x42c, lpBuffer=0x12d02a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12d02a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0244.131] CloseHandle (hObject=0x42c) returned 1 [0244.131] CloseHandle (hObject=0x458) returned 1 [0244.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848970 | out: pbBuffer=0x12848970) returned 1 [0244.131] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\#_THIS_FILE_IS_ENCRYPTED_[7467540D535EACE1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\#_this_file_is_encrypted_[7467540d535eace1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.133] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.134] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0244.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e00e27b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e00e27b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ed5138d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0244.134] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88460 | out: pbBuffer=0x12b88460) returned 1 [0244.134] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128489d8 | out: pbBuffer=0x128489d8) returned 1 [0244.134] ReadFile (in: hFile=0x458, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x1282fd1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0244.148] GetFileType (hFile=0x458) returned 0x1 [0244.148] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0244.148] WriteFile (in: hFile=0x458, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x1282fd00*=0x15ec0, lpOverlapped=0x1282fd0c) returned 1 [0244.149] GetFileType (hFile=0x458) returned 0x1 [0244.149] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0244.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0244.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0244.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0244.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848ab0 | out: pbBuffer=0x12848ab0) returned 1 [0244.150] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0244.151] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0244.151] WriteFile (in: hFile=0x450, lpBuffer=0x12d02f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12d02f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0244.151] CloseHandle (hObject=0x450) returned 1 [0244.151] CloseHandle (hObject=0x458) returned 1 [0244.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ac8 | out: pbBuffer=0x12848ac8) returned 1 [0244.152] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\#_THIS_FILE_IS_ENCRYPTED_[FED0F2BFC2BCB822]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\#_this_file_is_encrypted_[fed0f2bfc2bcb822]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.168] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0244.192] SetEvent (hEvent=0x19c) returned 1 [0244.193] GetFileType (hFile=0x44c) returned 0x1 [0244.193] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.194] WriteFile (in: hFile=0x44c, lpBuffer=0x12c06000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c06000*, lpNumberOfBytesWritten=0x12829d00*=0x164c0, lpOverlapped=0x12829d0c) returned 1 [0244.194] GetFileType (hFile=0x44c) returned 0x1 [0244.194] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0244.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0244.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0244.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810440 | out: pbBuffer=0x12810440) returned 1 [0244.195] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.196] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.196] WriteFile (in: hFile=0x42c, lpBuffer=0x12d02000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d02000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.196] CloseHandle (hObject=0x42c) returned 1 [0244.196] CloseHandle (hObject=0x44c) returned 1 [0244.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810458 | out: pbBuffer=0x12810458) returned 1 [0244.196] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\#_THIS_FILE_IS_ENCRYPTED_[C070426ABE8A315C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\#_this_file_is_encrypted_[c070426abe8a315c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.215] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0244.310] SetEvent (hEvent=0x19c) returned 1 [0244.310] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.311] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0244.311] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32fecd60, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32fecd60, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x335bca47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0)) returned 1 [0244.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0244.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a150 | out: pbBuffer=0x12a9a150) returned 1 [0244.311] ReadFile (in: hFile=0x44c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12857d1c*=0x150c0, lpOverlapped=0x0) returned 1 [0244.325] GetFileType (hFile=0x44c) returned 0x1 [0244.325] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.325] WriteFile (in: hFile=0x44c, lpBuffer=0x12a10000*, nNumberOfBytesToWrite=0x150c0, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12a10000*, lpNumberOfBytesWritten=0x12857d00*=0x150c0, lpOverlapped=0x12857d0c) returned 1 [0244.326] GetFileType (hFile=0x44c) returned 0x1 [0244.326] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x150c0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.326] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0244.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0244.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0244.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a218 | out: pbBuffer=0x12a9a218) returned 1 [0244.327] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.327] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0244.327] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.328] CloseHandle (hObject=0x42c) returned 1 [0244.328] CloseHandle (hObject=0x44c) returned 1 [0244.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a240 | out: pbBuffer=0x12a9a240) returned 1 [0244.328] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\#_THIS_FILE_IS_ENCRYPTED_[31A65B18AB8E9EC2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\#_this_file_is_encrypted_[31a65b18ab8e9ec2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.330] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0244.344] SetEvent (hEvent=0x19c) returned 1 [0244.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.345] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.345] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33a5b30a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33a5b30a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344c97b6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0244.345] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0244.345] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0244.345] ReadFile (in: hFile=0x44c, lpBuffer=0x12cba000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cba000*, lpNumberOfBytesRead=0x12829d1c*=0x152c0, lpOverlapped=0x0) returned 1 [0244.370] GetFileType (hFile=0x44c) returned 0x1 [0244.370] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.370] WriteFile (in: hFile=0x44c, lpBuffer=0x12d46000*, nNumberOfBytesToWrite=0x152c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d46000*, lpNumberOfBytesWritten=0x12829d00*=0x152c0, lpOverlapped=0x12829d0c) returned 1 [0244.370] GetFileType (hFile=0x44c) returned 0x1 [0244.371] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x152c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0244.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0244.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0244.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0244.372] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.372] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.372] WriteFile (in: hFile=0x42c, lpBuffer=0x12972000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12972000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.372] CloseHandle (hObject=0x42c) returned 1 [0244.372] CloseHandle (hObject=0x44c) returned 1 [0244.373] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0244.373] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\#_THIS_FILE_IS_ENCRYPTED_[59E0C766A78316A2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\#_this_file_is_encrypted_[59e0c766a78316a2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.449] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0244.452] SetEvent (hEvent=0x1b8) returned 1 [0244.452] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.453] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0244.453] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1285bad0 | out: lpFileInformation=0x1285bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3570c0be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3570c0be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x35c43302, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x178c0)) returned 1 [0244.453] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88020 | out: pbBuffer=0x12b88020) returned 1 [0244.453] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0244.454] ReadFile (in: hFile=0x44c, lpBuffer=0x12d88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1285bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d88000*, lpNumberOfBytesRead=0x1285bd1c*=0x178c0, lpOverlapped=0x0) returned 1 [0244.468] GetFileType (hFile=0x44c) returned 0x1 [0244.468] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0244.468] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x178c0, lpNumberOfBytesWritten=0x1285bd00, lpOverlapped=0x1285bd0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x1285bd00*=0x178c0, lpOverlapped=0x1285bd0c) returned 1 [0244.469] GetFileType (hFile=0x44c) returned 0x1 [0244.469] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x178c0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0244.469] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0244.469] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0244.470] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0244.482] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0244.482] SetEvent (hEvent=0x1b8) returned 1 [0244.483] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128485a0 | out: pbBuffer=0x128485a0) returned 1 [0244.483] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.484] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0244.484] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1285bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x1285bd0c*=0x276, lpOverlapped=0x0) returned 1 [0244.485] CloseHandle (hObject=0x3e4) returned 1 [0244.485] CloseHandle (hObject=0x44c) returned 1 [0244.485] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485b8 | out: pbBuffer=0x128485b8) returned 1 [0244.485] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\#_THIS_FILE_IS_ENCRYPTED_[F58CC0002F0A1903]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\#_this_file_is_encrypted_[f58cc0002f0a1903]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.488] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0244.509] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0244.515] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0244.516] SetEvent (hEvent=0x19c) returned 1 [0244.516] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0244.544] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.545] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0244.545] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1285bad0 | out: lpFileInformation=0x1285bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39698686, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x39698686, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a092ece, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0)) returned 1 [0244.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0244.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0244.545] ReadFile (in: hFile=0x42c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1285bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x1285bd1c*=0x170c0, lpOverlapped=0x0) returned 1 [0244.596] GetFileType (hFile=0x42c) returned 0x1 [0244.596] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0244.596] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x170c0, lpNumberOfBytesWritten=0x1285bd00, lpOverlapped=0x1285bd0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x1285bd00*=0x170c0, lpOverlapped=0x1285bd0c) returned 1 [0244.597] GetFileType (hFile=0x42c) returned 0x1 [0244.597] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x170c0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0244.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0244.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0244.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0244.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810450 | out: pbBuffer=0x12810450) returned 1 [0244.598] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0244.598] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0244.599] WriteFile (in: hFile=0x450, lpBuffer=0x12a92000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1285bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a92000*, lpNumberOfBytesWritten=0x1285bd0c*=0x276, lpOverlapped=0x0) returned 1 [0244.599] CloseHandle (hObject=0x450) returned 1 [0244.599] CloseHandle (hObject=0x42c) returned 1 [0244.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810468 | out: pbBuffer=0x12810468) returned 1 [0244.599] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\#_THIS_FILE_IS_ENCRYPTED_[5E0F6F50D00C9307]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\#_this_file_is_encrypted_[5e0f6f50d00c9307]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.629] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.630] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0244.630] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ee3c3c6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ee3c3c6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f32718f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0)) returned 1 [0244.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e540 | out: pbBuffer=0x1280e540) returned 1 [0244.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104b0 | out: pbBuffer=0x128104b0) returned 1 [0244.630] ReadFile (in: hFile=0x42c, lpBuffer=0x129ce000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x129ce000*, lpNumberOfBytesRead=0x12927d1c*=0x17cc0, lpOverlapped=0x0) returned 1 [0244.645] GetFileType (hFile=0x42c) returned 0x1 [0244.645] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.646] WriteFile (in: hFile=0x42c, lpBuffer=0x12a24000*, nNumberOfBytesToWrite=0x17cc0, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12a24000*, lpNumberOfBytesWritten=0x12927d00*=0x17cc0, lpOverlapped=0x12927d0c) returned 1 [0244.647] GetFileType (hFile=0x42c) returned 0x1 [0244.647] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x17cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0244.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0244.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0244.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810568 | out: pbBuffer=0x12810568) returned 1 [0244.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.648] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0244.648] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a92500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a92500*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.648] CloseHandle (hObject=0x3e4) returned 1 [0244.648] CloseHandle (hObject=0x42c) returned 1 [0244.648] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810580 | out: pbBuffer=0x12810580) returned 1 [0244.648] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\#_THIS_FILE_IS_ENCRYPTED_[B16518D468401CA0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\#_this_file_is_encrypted_[b16518d468401ca0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.678] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0244.684] SetEvent (hEvent=0x1b8) returned 1 [0244.684] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.685] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f8f6c52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f8f6c52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3fe2e122, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0244.685] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e7e0 | out: pbBuffer=0x1280e7e0) returned 1 [0244.686] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128105c8 | out: pbBuffer=0x128105c8) returned 1 [0244.686] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0244.691] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0244.691] SetEvent (hEvent=0x110) returned 1 [0244.691] SetEvent (hEvent=0x1b8) returned 1 [0244.691] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12855d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0244.699] GetFileType (hFile=0x42c) returned 0x1 [0244.700] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.700] WriteFile (in: hFile=0x42c, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12855d00*=0x156c0, lpOverlapped=0x12855d0c) returned 1 [0244.701] GetFileType (hFile=0x42c) returned 0x1 [0244.701] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0244.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0244.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0244.702] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810680 | out: pbBuffer=0x12810680) returned 1 [0244.702] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.762] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.763] WriteFile (in: hFile=0x458, lpBuffer=0x12a92a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a92a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.763] CloseHandle (hObject=0x458) returned 1 [0244.764] CloseHandle (hObject=0x42c) returned 1 [0244.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810698 | out: pbBuffer=0x12810698) returned 1 [0244.764] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\#_THIS_FILE_IS_ENCRYPTED_[921EBEE53468E5D9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\#_this_file_is_encrypted_[921ebee53468e5d9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.767] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0244.777] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0244.777] SetEvent (hEvent=0x19c) returned 1 [0244.777] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0244.789] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.790] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.790] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4038b58c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4038b58c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40b97255, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0244.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0244.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0244.791] ReadFile (in: hFile=0x42c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12829d1c*=0x158c0, lpOverlapped=0x0) returned 1 [0244.808] GetFileType (hFile=0x42c) returned 0x1 [0244.808] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.808] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x158c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12829d00*=0x158c0, lpOverlapped=0x12829d0c) returned 1 [0244.808] GetFileType (hFile=0x42c) returned 0x1 [0244.808] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x158c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0244.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0244.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0244.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0244.809] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.809] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.809] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.810] CloseHandle (hObject=0x44c) returned 1 [0244.810] CloseHandle (hObject=0x42c) returned 1 [0244.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0244.810] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\#_THIS_FILE_IS_ENCRYPTED_[0E380A05058CE827]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\#_this_file_is_encrypted_[0e380a05058ce827]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.839] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0244.916] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.917] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.917] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47006399, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47006399, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47373ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x166c0)) returned 1 [0244.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88200 | out: pbBuffer=0x12b88200) returned 1 [0244.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0244.917] ReadFile (in: hFile=0x42c, lpBuffer=0x12a06000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a06000*, lpNumberOfBytesRead=0x12855d1c*=0x166c0, lpOverlapped=0x0) returned 1 [0244.929] GetFileType (hFile=0x42c) returned 0x1 [0244.929] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.930] WriteFile (in: hFile=0x42c, lpBuffer=0x12a26000*, nNumberOfBytesToWrite=0x166c0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a26000*, lpNumberOfBytesWritten=0x12855d00*=0x166c0, lpOverlapped=0x12855d0c) returned 1 [0244.930] GetFileType (hFile=0x42c) returned 0x1 [0244.930] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x166c0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.930] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0244.930] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0244.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0244.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341d8 | out: pbBuffer=0x12c341d8) returned 1 [0244.931] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.931] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.931] WriteFile (in: hFile=0x44c, lpBuffer=0x12a92500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a92500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.931] CloseHandle (hObject=0x44c) returned 1 [0244.931] CloseHandle (hObject=0x42c) returned 1 [0244.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341f0 | out: pbBuffer=0x12c341f0) returned 1 [0244.932] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\#_THIS_FILE_IS_ENCRYPTED_[FF81BAD86D0FB76B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\#_this_file_is_encrypted_[ff81bad86d0fb76b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.964] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.964] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0244.964] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x479435d4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x479435d4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x48496726, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0244.965] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88400 | out: pbBuffer=0x12b88400) returned 1 [0244.965] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34238 | out: pbBuffer=0x12c34238) returned 1 [0244.965] ReadFile (in: hFile=0x42c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12851d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0245.050] GetFileType (hFile=0x42c) returned 0x1 [0245.050] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.050] WriteFile (in: hFile=0x42c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12851d00*=0x15ec0, lpOverlapped=0x12851d0c) returned 1 [0245.051] GetFileType (hFile=0x42c) returned 0x1 [0245.051] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0245.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0245.052] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0245.052] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c342f0 | out: pbBuffer=0x12c342f0) returned 1 [0245.052] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.052] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0245.052] WriteFile (in: hFile=0x458, lpBuffer=0x12a92f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a92f00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.053] CloseHandle (hObject=0x458) returned 1 [0245.053] CloseHandle (hObject=0x42c) returned 1 [0245.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34308 | out: pbBuffer=0x12c34308) returned 1 [0245.053] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\#_THIS_FILE_IS_ENCRYPTED_[ECC5178498397243]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\#_this_file_is_encrypted_[ecc5178498397243]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.054] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wlmfds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.055] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.055] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wlmfds.dll"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x353788c4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x353788c4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x368c78f3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x684c0)) returned 1 [0245.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88600 | out: pbBuffer=0x12b88600) returned 1 [0245.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34350 | out: pbBuffer=0x12c34350) returned 1 [0245.056] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0245.058] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0245.058] SetEvent (hEvent=0x110) returned 1 [0245.058] SetEvent (hEvent=0x19c) returned 1 [0245.059] ReadFile (in: hFile=0x42c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0245.065] GetFileType (hFile=0x42c) returned 0x1 [0245.065] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.065] WriteFile (in: hFile=0x42c, lpBuffer=0x12cba000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12cba000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0245.067] GetFileType (hFile=0x42c) returned 0x1 [0245.067] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.067] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0245.067] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801601 | out: pbBuffer=0x12801601) returned 1 [0245.067] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801701 | out: pbBuffer=0x12801701) returned 1 [0245.067] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34438 | out: pbBuffer=0x12c34438) returned 1 [0245.068] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wlmfds.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.068] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.068] WriteFile (in: hFile=0x458, lpBuffer=0x12a93400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a93400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.074] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0245.279] CloseHandle (hObject=0x458) returned 1 [0245.279] CloseHandle (hObject=0x42c) returned 1 [0245.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810cb8 | out: pbBuffer=0x12810cb8) returned 1 [0245.279] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0245.290] SetEvent (hEvent=0x19c) returned 1 [0245.291] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0245.516] SetEvent (hEvent=0x3f8) returned 1 [0245.516] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0245.791] SetEvent (hEvent=0x3f8) returned 1 [0245.791] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0245.798] SetEvent (hEvent=0x1d0) returned 1 [0245.799] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0245.810] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0245.813] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0245.814] SetEvent (hEvent=0x40c) returned 1 [0245.814] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0245.830] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0262.063] SetEvent (hEvent=0x3f4) returned 1 [0262.063] SetEvent (hEvent=0x3f8) returned 1 [0262.064] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0263.940] SetEvent (hEvent=0x3f4) returned 1 [0263.940] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0263.943] SetEvent (hEvent=0x3f4) returned 1 [0263.943] SetEvent (hEvent=0x3f8) returned 1 [0263.943] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.944] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12c8bd0c | out: lpMode=0x12c8bd0c) returned 0 [0263.944] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12c8bad0 | out: lpFileInformation=0x12c8bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93faeefa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93faeefa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0263.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0263.945] ReadFile (in: hFile=0x42c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12c8bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12c8bd1c*=0x0, lpOverlapped=0x0) returned 1 [0263.945] CloseHandle (hObject=0x42c) returned 1 [0263.945] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.946] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0263.946] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.946] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0263.946] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0263.946] ReadFile (in: hFile=0x42c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0263.946] CloseHandle (hObject=0x42c) returned 1 [0263.947] SwitchToThread () returned 1 [0263.959] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0264.200] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0265.082] SetEvent (hEvent=0x104) returned 1 [0265.082] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.257] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\4Ck9GPqxNq.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4ck9gpqxnq.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.257] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.258] WriteFile (in: hFile=0x45c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.258] CloseHandle (hObject=0x45c) returned 1 [0267.358] CloseHandle (hObject=0x44c) returned 1 [0267.361] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a5c8 | out: pbBuffer=0x12a9a5c8) returned 1 [0267.361] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\4Ck9GPqxNq.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4ck9gpqxnq.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[7A53227B15C65284]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[7a53227b15c65284]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.434] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.455] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.469] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.513] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.559] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.579] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.597] SetEvent (hEvent=0x1b8) returned 1 [0267.597] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MQ9ouEKAZi19qY.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\mq9ouekazi19qy.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.598] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.598] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MQ9ouEKAZi19qY.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\mq9ouekazi19qy.swf"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2fc5f00, ftCreationTime.dwHighDateTime=0x1d81dc8, ftLastAccessTime.dwLowDateTime=0x5e848820, ftLastAccessTime.dwHighDateTime=0x1d828c2, ftLastWriteTime.dwLowDateTime=0x5e848820, ftLastWriteTime.dwHighDateTime=0x1d828c2, nFileSizeHigh=0x0, nFileSizeLow=0x15ea2)) returned 1 [0267.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928220 | out: pbBuffer=0x12928220) returned 1 [0267.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0267.599] ReadFile (in: hFile=0x458, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12a49d1c*=0x15ea2, lpOverlapped=0x0) returned 1 [0267.601] GetFileType (hFile=0x458) returned 0x1 [0267.601] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.601] WriteFile (in: hFile=0x458, lpBuffer=0x12d82000*, nNumberOfBytesToWrite=0x15ea2, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12d82000*, lpNumberOfBytesWritten=0x12a49d00*=0x15ea2, lpOverlapped=0x12a49d0c) returned 1 [0267.602] GetFileType (hFile=0x458) returned 0x1 [0267.602] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x15ea2, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.602] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0267.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0267.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0267.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0267.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MQ9ouEKAZi19qY.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\mq9ouekazi19qy.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.605] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.605] WriteFile (in: hFile=0x44c, lpBuffer=0x128b0500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0500*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.605] CloseHandle (hObject=0x44c) returned 1 [0267.618] CloseHandle (hObject=0x458) returned 1 [0267.623] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.643] SetEvent (hEvent=0x3f8) returned 1 [0267.643] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0267.643] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MQ9ouEKAZi19qY.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\mq9ouekazi19qy.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[A4F0E4A2409500B4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[a4f0e4a2409500b4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.645] SetEvent (hEvent=0x104) returned 1 [0267.645] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.691] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.738] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.769] SetEvent (hEvent=0x40c) returned 1 [0267.769] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.774] SetEvent (hEvent=0x19c) returned 1 [0267.774] SetEvent (hEvent=0x3f8) returned 1 [0267.774] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.791] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.797] SetEvent (hEvent=0x19c) returned 1 [0267.797] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.801] SetEvent (hEvent=0x19c) returned 1 [0267.801] SetEvent (hEvent=0xf4) returned 1 [0267.801] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\h_hvOUv.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\h_hvouv.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9521ccd0, ftCreationTime.dwHighDateTime=0x1d81deb, ftLastAccessTime.dwLowDateTime=0xa3249fe0, ftLastAccessTime.dwHighDateTime=0x1d8276b, ftLastWriteTime.dwLowDateTime=0xa3249fe0, ftLastWriteTime.dwHighDateTime=0x1d8276b, nFileSizeHigh=0x0, nFileSizeLow=0x764d)) returned 1 [0267.804] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.817] SetEvent (hEvent=0xf4) returned 1 [0267.817] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ldcNmdHB 4uiaPZ0.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ldcnmdhb 4uiapz0.png"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c845d20, ftCreationTime.dwHighDateTime=0x1d8253f, ftLastAccessTime.dwLowDateTime=0x399dc150, ftLastAccessTime.dwHighDateTime=0x1d829e1, ftLastWriteTime.dwLowDateTime=0x399dc150, ftLastWriteTime.dwHighDateTime=0x1d829e1, nFileSizeHigh=0x0, nFileSizeLow=0x1dd0)) returned 1 [0267.822] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.834] SetEvent (hEvent=0xf4) returned 1 [0267.834] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mE 0BznU4CsLZ8.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\me 0bznu4cslz8.ppt"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4245690, ftCreationTime.dwHighDateTime=0x1d82898, ftLastAccessTime.dwLowDateTime=0xf7b71700, ftLastAccessTime.dwHighDateTime=0x1d829f4, ftLastWriteTime.dwLowDateTime=0xf7b71700, ftLastWriteTime.dwHighDateTime=0x1d829f4, nFileSizeHigh=0x0, nFileSizeLow=0xa94f)) returned 1 [0267.869] SetEvent (hEvent=0x110) returned 1 [0267.869] SetEvent (hEvent=0x40c) returned 1 [0267.869] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\r64DJ-Ss6Z2PhehK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\r64dj-ss6z2phehk.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae8e3100, ftCreationTime.dwHighDateTime=0x1d81d90, ftLastAccessTime.dwLowDateTime=0xa24877a0, ftLastAccessTime.dwHighDateTime=0x1d82571, ftLastWriteTime.dwLowDateTime=0xa24877a0, ftLastWriteTime.dwHighDateTime=0x1d82571, nFileSizeHigh=0x0, nFileSizeLow=0x2aac)) returned 1 [0267.878] SetEvent (hEvent=0x3f8) returned 1 [0267.878] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rloQMu5c-GxC4zr3Gf.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rloqmu5c-gxc4zr3gf.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ceb8e0, ftCreationTime.dwHighDateTime=0x1d823ea, ftLastAccessTime.dwLowDateTime=0xcf12c100, ftLastAccessTime.dwHighDateTime=0x1d82486, ftLastWriteTime.dwLowDateTime=0xcf12c100, ftLastWriteTime.dwHighDateTime=0x1d82486, nFileSizeHigh=0x0, nFileSizeLow=0x146ef)) returned 1 [0267.894] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0267.921] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0268.547] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0269.193] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0270.141] SetEvent (hEvent=0x1b8) returned 1 [0270.141] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0270.657] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0270.770] SetEvent (hEvent=0x1b8) returned 1 [0270.770] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xdd75384e, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x1b2)) returned 1 [0270.770] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0270.792] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0270.818] SetEvent (hEvent=0x1b8) returned 1 [0270.818] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfccc3fee, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfccc7a51, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfccc7a51, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.819] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0270.819] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfccc3fee, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfccc7a51, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfccc7a51, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0270.819] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfccc3fee, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfccc7a51, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfccc7a51, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.819] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfccc7a51, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfccc7a51, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfccc7a51, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0270.819] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0270.819] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0270.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0270.820] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0270.820] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0270.821] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0270.821] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0270.823] CloseHandle (hObject=0x44c) returned 1 [0270.823] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfccc7a51, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfdcf51bf, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfdcf51bf, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.824] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0270.824] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfccc7a51, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfdcf51bf, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfdcf51bf, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0270.824] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfccc7a51, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfdcf51bf, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfdcf51bf, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.824] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfdcf51bf, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfdcf51bf, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfdcf655b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x10be, dwReserved0=0x0, dwReserved1=0x0, cFileName="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", cAlternateFileName="SEARCH~1.ICO")) returned 1 [0270.824] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0270.824] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0270.824] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0270.824] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0270.825] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0270.826] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0270.826] WriteFile (in: hFile=0x44c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0270.863] CloseHandle (hObject=0x44c) returned 1 [0270.864] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\search_{0633ee93-d776-472f-a0ff-e1416b8b2e3a}.ico"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfdcf51bf, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfdcf51bf, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfdcf655b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x10be)) returned 1 [0270.864] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0272.229] SetEvent (hEvent=0xf4) returned 1 [0272.229] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0272.665] SetEvent (hEvent=0x1b8) returned 1 [0272.665] SetEvent (hEvent=0xf4) returned 1 [0272.665] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0272.674] SetEvent (hEvent=0x1b8) returned 1 [0272.675] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0272.746] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0272.748] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.748] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x251fff9e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x160)) returned 1 [0272.748] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0272.748] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0272.748] ReadFile (in: hFile=0x45c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x1282bd1c*=0x160, lpOverlapped=0x0) returned 1 [0272.750] GetFileType (hFile=0x45c) returned 0x1 [0272.750] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.750] WriteFile (in: hFile=0x45c, lpBuffer=0x12a3e000*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12a3e000*, lpNumberOfBytesWritten=0x1282bd00*=0x160, lpOverlapped=0x1282bd0c) returned 1 [0272.750] GetFileType (hFile=0x45c) returned 0x1 [0272.750] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x160, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.751] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0272.751] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0272.751] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0272.751] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0272.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0272.751] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.752] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0272.774] CloseHandle (hObject=0x450) returned 1 [0272.775] CloseHandle (hObject=0x45c) returned 1 [0272.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0272.775] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\#_THIS_FILE_IS_ENCRYPTED_[1473581A7EC6FB8B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\#_this_file_is_encrypted_[1473581a7ec6fb8b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.777] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0272.815] SetEvent (hEvent=0x40c) returned 1 [0272.815] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0272.816] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0272.817] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xad164063, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x53)) returned 1 [0272.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282c0 | out: pbBuffer=0x129282c0) returned 1 [0272.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0272.817] ReadFile (in: hFile=0x45c, lpBuffer=0x12d64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d64000*, lpNumberOfBytesRead=0x12853d1c*=0x53, lpOverlapped=0x0) returned 1 [0272.819] GetFileType (hFile=0x45c) returned 0x1 [0272.819] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.819] WriteFile (in: hFile=0x45c, lpBuffer=0x12af2120*, nNumberOfBytesToWrite=0x53, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12af2120*, lpNumberOfBytesWritten=0x12853d00*=0x53, lpOverlapped=0x12853d0c) returned 1 [0272.819] GetFileType (hFile=0x45c) returned 0x1 [0272.819] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x53, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.819] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0272.819] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0272.820] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0272.820] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a308 | out: pbBuffer=0x12a9a308) returned 1 [0272.820] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0272.820] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0272.820] WriteFile (in: hFile=0x450, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.821] CloseHandle (hObject=0x450) returned 1 [0272.838] CloseHandle (hObject=0x45c) returned 1 [0272.903] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e90c0 | out: pbBuffer=0x128e90c0) returned 1 [0272.904] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\#_THIS_FILE_IS_ENCRYPTED_[D0D319AA395B39F1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\#_this_file_is_encrypted_[d0d319aa395b39f1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.119] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x50866c1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x562658a2, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x562658a2, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0273.119] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.119] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x50866c1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x562658a2, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x562658a2, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0273.119] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x50866c1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x562658a2, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x562658a2, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.120] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x562658a2, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x562658a2, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x5626e193, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="26d4f968-a540-431b-ab1b-a50e9bbda5d1", cAlternateFileName="26D4F9~1")) returned 1 [0273.120] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9a745757, ftCreationTime.dwHighDateTime=0x1d75217, ftLastAccessTime.dwLowDateTime=0x9a745757, ftLastAccessTime.dwHighDateTime=0x1d75217, ftLastWriteTime.dwLowDateTime=0xa55ebcf3, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="b1182ce8-69d1-4194-8156-bc78cfec3a39", cAlternateFileName="B1182C~1")) returned 1 [0273.120] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xde7dde0f, ftCreationTime.dwHighDateTime=0x1d7b055, ftLastAccessTime.dwLowDateTime=0xde7dde0f, ftLastAccessTime.dwHighDateTime=0x1d7b055, ftLastWriteTime.dwLowDateTime=0xde7dde0f, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="be39cc84-e9bf-4c2d-a3a5-e953c9f3df24", cAlternateFileName="BE39CC~1")) returned 1 [0273.120] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5088b163, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xa5626547, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="cfeedb70-e610-451b-90c2-def194b5fe80", cAlternateFileName="CFEEDB~1")) returned 1 [0273.120] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5088b163, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5627f2fe, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0273.120] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.120] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0273.120] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.120] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.121] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.122] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0273.122] WriteFile (in: hFile=0x44c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0273.124] CloseHandle (hObject=0x44c) returned 1 [0273.124] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x562658a2, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x562658a2, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x5626e193, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x1d4)) returned 1 [0273.125] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\Preferred" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\preferred"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5088b163, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5627f2fe, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x18)) returned 1 [0273.125] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.126] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.126] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x562658a2, ftCreationTime.dwHighDateTime=0x1d82a22, ftLastAccessTime.dwLowDateTime=0x562658a2, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x5626e193, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x1d4)) returned 1 [0273.126] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0273.126] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e93c0 | out: pbBuffer=0x128e93c0) returned 1 [0273.126] ReadFile (in: hFile=0x44c, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12853d1c*=0x1d4, lpOverlapped=0x0) returned 1 [0273.128] GetFileType (hFile=0x44c) returned 0x1 [0273.128] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.128] WriteFile (in: hFile=0x44c, lpBuffer=0x1286c3c0*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x1286c3c0*, lpNumberOfBytesWritten=0x12853d00*=0x1d4, lpOverlapped=0x12853d0c) returned 1 [0273.128] GetFileType (hFile=0x44c) returned 0x1 [0273.128] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1d4, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.128] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0273.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0273.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0273.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9478 | out: pbBuffer=0x128e9478) returned 1 [0273.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0273.130] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.130] WriteFile (in: hFile=0x458, lpBuffer=0x12b02500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02500*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.148] CloseHandle (hObject=0x458) returned 1 [0273.148] CloseHandle (hObject=0x44c) returned 1 [0273.148] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9490 | out: pbBuffer=0x128e9490) returned 1 [0273.149] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\26d4f968-a540-431b-ab1b-a50e9bbda5d1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\#_THIS_FILE_IS_ENCRYPTED_[60E67E07CADD1813]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\#_this_file_is_encrypted_[60e67e07cadd1813]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.150] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9a745757, ftCreationTime.dwHighDateTime=0x1d75217, ftLastAccessTime.dwLowDateTime=0x9a745757, ftLastAccessTime.dwHighDateTime=0x1d75217, ftLastWriteTime.dwLowDateTime=0xa55ebcf3, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x1d4)) returned 1 [0273.151] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xde7dde0f, ftCreationTime.dwHighDateTime=0x1d7b055, ftLastAccessTime.dwLowDateTime=0xde7dde0f, ftLastAccessTime.dwHighDateTime=0x1d7b055, ftLastWriteTime.dwLowDateTime=0xde7dde0f, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x1d4)) returned 1 [0273.151] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.152] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.152] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9a745757, ftCreationTime.dwHighDateTime=0x1d75217, ftLastAccessTime.dwLowDateTime=0x9a745757, ftLastAccessTime.dwHighDateTime=0x1d75217, ftLastWriteTime.dwLowDateTime=0xa55ebcf3, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x1d4)) returned 1 [0273.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98440 | out: pbBuffer=0x12a98440) returned 1 [0273.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9a30 | out: pbBuffer=0x128e9a30) returned 1 [0273.152] ReadFile (in: hFile=0x44c, lpBuffer=0x12a16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a16000*, lpNumberOfBytesRead=0x12853d1c*=0x1d4, lpOverlapped=0x0) returned 1 [0273.154] GetFileType (hFile=0x44c) returned 0x1 [0273.154] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.154] WriteFile (in: hFile=0x44c, lpBuffer=0x1286c780*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x1286c780*, lpNumberOfBytesWritten=0x12853d00*=0x1d4, lpOverlapped=0x12853d0c) returned 1 [0273.154] GetFileType (hFile=0x44c) returned 0x1 [0273.155] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1d4, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0273.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0273.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0273.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9ae8 | out: pbBuffer=0x128e9ae8) returned 1 [0273.156] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0273.156] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.156] WriteFile (in: hFile=0x458, lpBuffer=0x12b02a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.162] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0273.187] SetEvent (hEvent=0x1b8) returned 1 [0273.187] CloseHandle (hObject=0x458) returned 1 [0273.187] CloseHandle (hObject=0x44c) returned 1 [0273.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a158 | out: pbBuffer=0x12a9a158) returned 1 [0273.188] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\b1182ce8-69d1-4194-8156-bc78cfec3a39"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\#_THIS_FILE_IS_ENCRYPTED_[C5014FABF12B61A2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\#_this_file_is_encrypted_[c5014fabf12b61a2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.189] SwitchToThread () returned 1 [0273.193] SetEvent (hEvent=0x1b8) returned 1 [0273.193] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0273.201] SetEvent (hEvent=0x1b8) returned 1 [0273.201] SetEvent (hEvent=0xf4) returned 1 [0273.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5088b163, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xa5626547, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x1d4)) returned 1 [0273.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\synchist"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xa563624b, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x4c)) returned 1 [0273.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563371fc, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5635d3c1, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5635d3c1, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.216] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.216] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563371fc, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5635d3c1, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5635d3c1, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0273.216] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563371fc, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5635d3c1, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5635d3c1, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.217] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5635d3c1, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0273.217] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.217] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0273.217] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.217] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.217] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0273.218] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0273.218] WriteFile (in: hFile=0x45c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0273.220] CloseHandle (hObject=0x45c) returned 1 [0273.220] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5635d3c1, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.220] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.220] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5635d3c1, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0273.221] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5635d3c1, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.221] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x567d5b26, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x0, dwReserved1=0x0, cFileName="default.acl", cAlternateFileName="")) returned 1 [0273.221] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5648e4eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5648e4eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5648e4eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x0, dwReserved1=0x0, cFileName="default.dic", cAlternateFileName="")) returned 1 [0273.221] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x566a47fe, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x566a47fe, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x566a47fe, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x0, dwReserved1=0x0, cFileName="default.exc", cAlternateFileName="")) returned 1 [0273.221] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.221] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0273.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.221] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.221] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0273.223] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0273.223] WriteFile (in: hFile=0x45c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0273.225] CloseHandle (hObject=0x45c) returned 1 [0273.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.acl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x567d5b26, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2)) returned 1 [0273.230] SetEvent (hEvent=0x104) returned 1 [0273.230] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.dic" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.dic"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5648e4eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5648e4eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5648e4eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2)) returned 1 [0273.230] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.exc" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.exc"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x566a47fe, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x566a47fe, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x566a47fe, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2)) returned 1 [0273.230] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.231] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.231] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0273.231] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.231] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 1 [0273.231] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.231] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0273.232] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.232] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.232] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0273.233] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0273.233] WriteFile (in: hFile=0x458, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0273.235] CloseHandle (hObject=0x458) returned 1 [0273.235] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.235] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.236] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0273.236] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.236] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppContainerUserCertRead", cAlternateFileName="APPCON~1")) returned 1 [0273.236] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0273.236] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRLs", cAlternateFileName="")) returned 1 [0273.236] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CTLs", cAlternateFileName="")) returned 1 [0273.236] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.236] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0273.236] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.237] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.237] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.261] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0273.262] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0273.291] CloseHandle (hObject=0x44c) returned 1 [0273.291] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\appcontainerusercertread"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.292] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.292] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0273.293] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.293] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.293] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0273.293] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.293] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.293] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.295] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0273.295] WriteFile (in: hFile=0x44c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0273.296] CloseHandle (hObject=0x44c) returned 1 [0273.297] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.297] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0273.297] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.297] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.297] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0273.298] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.300] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0273.300] WriteFile (in: hFile=0x44c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0273.301] CloseHandle (hObject=0x44c) returned 1 [0273.302] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.302] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.302] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0273.302] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.302] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.302] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0273.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.303] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.303] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.304] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0273.350] WriteFile (in: hFile=0x44c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0273.352] CloseHandle (hObject=0x44c) returned 1 [0273.352] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b78b76, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4984c62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4984c62, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.364] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.364] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b78b76, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4984c62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4984c62, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0273.368] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b78b76, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4984c62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4984c62, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.369] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LiveContent", cAlternateFileName="LIVECO~1")) returned 1 [0273.369] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4614163, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4614163, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa46a67ce, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4641, dwReserved0=0x0, dwReserved1=0x0, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 1 [0273.369] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.369] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0273.370] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.371] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.372] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.373] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0273.373] WriteFile (in: hFile=0x44c, lpBuffer=0x12ade000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12ade000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0273.377] CloseHandle (hObject=0x44c) returned 1 [0273.378] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.380] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.380] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0273.381] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.381] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 1 [0273.381] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.381] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0273.381] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.382] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.382] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.383] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0273.383] WriteFile (in: hFile=0x44c, lpBuffer=0x12adf300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12adf300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0273.386] CloseHandle (hObject=0x44c) returned 1 [0273.386] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96dfa773, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.394] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.394] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0273.394] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.394] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Managed", cAlternateFileName="")) returned 1 [0273.395] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User", cAlternateFileName="")) returned 1 [0273.395] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.395] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0273.395] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.395] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.395] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.398] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0273.398] WriteFile (in: hFile=0x44c, lpBuffer=0x12ae0600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12ae0600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0273.400] CloseHandle (hObject=0x44c) returned 1 [0273.400] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.400] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.400] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0273.406] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.406] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 1 [0273.406] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmartArt Graphics", cAlternateFileName="SMARTA~1")) returned 1 [0273.406] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d5bf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d5bf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word Document Bibliography Styles", cAlternateFileName="WORDDO~2")) returned 1 [0273.406] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word Document Building Blocks", cAlternateFileName="WORDDO~1")) returned 1 [0273.406] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.406] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0273.408] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.409] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.409] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.411] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0273.411] WriteFile (in: hFile=0x44c, lpBuffer=0x12ae1900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12ae1900*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0273.416] CloseHandle (hObject=0x44c) returned 1 [0273.416] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.417] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.417] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", lpFindFileData=0x128577d8 | out: lpFindFileData=0x128577d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0273.417] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.417] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c54758, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c54758, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0273.417] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.417] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0273.418] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128574a0 | out: lpFileInformation=0x128574a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.419] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128576b0 | out: lpMode=0x128576b0) returned 0 [0273.419] WriteFile (in: hFile=0x44c, lpBuffer=0x12ae2c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128576b0, lpOverlapped=0x0 | out: lpBuffer=0x12ae2c00*, lpNumberOfBytesWritten=0x128576b0*=0x118a, lpOverlapped=0x0) returned 1 [0273.421] CloseHandle (hObject=0x44c) returned 1 [0273.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c54758, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c54758, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.421] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.421] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c54758, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c54758, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0273.427] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c54758, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c54758, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.429] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9826b304, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9826b304, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x70d51000, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x893c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03090430[[fn=Banded]].thmx", cAlternateFileName="TM0309~1.THM")) returned 1 [0273.429] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984f5d1e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984f5d1e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa299a700, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x192bb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03090434[[fn=Wood Type]].thmx", cAlternateFileName="TM0309~2.THM")) returned 1 [0273.429] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x988e757c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x988e757c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xbdc7df00, ftLastWriteTime.dwHighDateTime=0x1d43fda, nFileSizeHigh=0x0, nFileSizeLow=0x883d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03457444[[fn=Basis]].thmx", cAlternateFileName="TM2094~1.THM")) returned 1 [0273.429] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98acf19f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98acf19f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xe42a5200, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x8b615, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03457464[[fn=Dividend]].thmx", cAlternateFileName="TM5959~1.THM")) returned 1 [0273.429] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9841a2b8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9841a2b8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf2786e00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x7fb28, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03457475[[fn=Frame]].thmx", cAlternateFileName="TM7844~1.THM")) returned 1 [0273.429] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98af6207, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98af6207, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x34091900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x2ef7a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03457485[[fn=Mesh]].thmx", cAlternateFileName="TM2703~1.THM")) returned 1 [0273.429] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x987adf7a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x987adf7a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xea6cfe00, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0xbddaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03457491[[fn=Metropolitan]].thmx", cAlternateFileName="TM5623~1.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980694ab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980694ab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80545900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0xe1c0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03457496[[fn=Parallax]].thmx", cAlternateFileName="TM0345~2.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9818a945, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9818a945, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xba712b00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0xec122, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03457503[[fn=Quotable]].thmx", cAlternateFileName="TM0345~4.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fbbf10, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97fbbf10, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc65ced00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x125f51, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03457510[[fn=Savon]].thmx", cAlternateFileName="TM0345~1.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980b633e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980b633e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80545900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x76cc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03457515[[fn=View]].thmx", cAlternateFileName="TM0345~3.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978145cc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978145cc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc65ced00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0xee481, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM04033917[[fn=Berlin]].thmx", cAlternateFileName="TM0403~1.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984c4fd2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984c4fd2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xdd034400, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x165552, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM04033919[[fn=Circuit]].thmx", cAlternateFileName="TMFEFA~1.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x982f049f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x982f049f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5c911300, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x21dbbf, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM04033921[[fn=Damask]].thmx", cAlternateFileName="TM0403~4.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98ab2749, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98ab2749, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc68a00, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x1ab70b, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM04033925[[fn=Droplet]].thmx", cAlternateFileName="TM9F98~1.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x981588c3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x981588c3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x2358a300, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x2c9ecd, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM04033927[[fn=Main Event]].thmx", cAlternateFileName="TM0403~3.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9852435b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9852435b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9cf09100, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x23f73b, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM04033929[[fn=Slate]].thmx", cAlternateFileName="TMA957~1.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9800b4e9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9800b4e9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4f742400, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x371abc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM04033937[[fn=Vapor Trail]].thmx", cAlternateFileName="TM0403~2.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98742454, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98742454, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x973bdf00, ftLastWriteTime.dwHighDateTime=0x1d4196d, nFileSizeHigh=0x0, nFileSizeLow=0x10a79d, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM10001114[[fn=Gallery]].thmx", cAlternateFileName="TM1000~2.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9860260f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9860260f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x235700, ftLastWriteTime.dwHighDateTime=0x1d4196e, nFileSizeHigh=0x0, nFileSizeLow=0x9477a, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM10001115[[fn=Parcel]].thmx", cAlternateFileName="TM1000~1.THM")) returned 1 [0273.430] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.430] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0273.432] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.433] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.433] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.435] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0273.435] WriteFile (in: hFile=0x44c, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0273.437] CloseHandle (hObject=0x44c) returned 1 [0273.438] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9826b304, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9826b304, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x70d51000, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x893c1)) returned 1 [0273.447] SetEvent (hEvent=0x19c) returned 1 [0273.447] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984f5d1e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984f5d1e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa299a700, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x192bb1)) returned 1 [0273.454] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0273.496] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0273.501] SetEvent (hEvent=0x1b8) returned 1 [0273.501] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0273.509] SetEvent (hEvent=0x40c) returned 1 [0273.509] SetEvent (hEvent=0x19c) returned 1 [0273.509] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0273.534] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9841a2b8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9841a2b8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf2786e00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x7fb28)) returned 1 [0273.540] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0273.560] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0273.590] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0273.627] SetEvent (hEvent=0x1b8) returned 1 [0273.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.628] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0273.628] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980694ab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980694ab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80545900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0xe1c0f)) returned 1 [0273.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0273.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1b0 | out: pbBuffer=0x12a9a1b0) returned 1 [0273.628] ReadFile (in: hFile=0x44c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0273.636] GetFileType (hFile=0x44c) returned 0x1 [0273.636] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.636] WriteFile (in: hFile=0x44c, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0273.637] GetFileType (hFile=0x44c) returned 0x1 [0273.638] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0273.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0273.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0273.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a348 | out: pbBuffer=0x12a9a348) returned 1 [0273.639] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0273.639] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0273.639] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.644] CloseHandle (hObject=0x42c) returned 1 [0273.647] CloseHandle (hObject=0x44c) returned 1 [0273.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a360 | out: pbBuffer=0x12a9a360) returned 1 [0273.655] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[C1CB0A4440A52958]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[c1cb0a4440a52958]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.183] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0274.220] SetEvent (hEvent=0xf4) returned 1 [0274.220] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.221] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0274.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980b633e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980b633e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80545900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x76cc4)) returned 1 [0274.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88e00 | out: pbBuffer=0x12b88e00) returned 1 [0274.223] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a830 | out: pbBuffer=0x12a9a830) returned 1 [0274.223] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0274.229] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0274.229] SetEvent (hEvent=0x110) returned 1 [0274.230] SetEvent (hEvent=0xf4) returned 1 [0274.230] ReadFile (in: hFile=0x45c, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.237] GetFileType (hFile=0x45c) returned 0x1 [0274.237] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0274.238] WriteFile (in: hFile=0x45c, lpBuffer=0x12d64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12d64000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0274.238] GetFileType (hFile=0x45c) returned 0x1 [0274.238] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0274.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0274.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0274.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0274.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340e0 | out: pbBuffer=0x12c340e0) returned 1 [0274.239] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0274.239] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0274.240] WriteFile (in: hFile=0x44c, lpBuffer=0x12a94000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0274.248] CloseHandle (hObject=0x44c) returned 1 [0274.253] CloseHandle (hObject=0x45c) returned 1 [0274.257] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a010 | out: pbBuffer=0x12a9a010) returned 1 [0274.257] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[E92C1A5CB8DFB368]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[e92c1a5cb8dfb368]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.414] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0274.451] SetEvent (hEvent=0x19c) returned 1 [0274.451] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0274.452] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0274.452] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98ab2749, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98ab2749, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc68a00, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x1ab70b)) returned 1 [0274.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b893a0 | out: pbBuffer=0x12b893a0) returned 1 [0274.453] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aa50 | out: pbBuffer=0x12a9aa50) returned 1 [0274.453] ReadFile (in: hFile=0x44c, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.461] GetFileType (hFile=0x44c) returned 0x1 [0274.462] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0274.462] WriteFile (in: hFile=0x44c, lpBuffer=0x12b8a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12b8a000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0274.463] GetFileType (hFile=0x44c) returned 0x1 [0274.463] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0274.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0274.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0274.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0274.464] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ab08 | out: pbBuffer=0x12a9ab08) returned 1 [0274.464] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.464] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0274.464] WriteFile (in: hFile=0x42c, lpBuffer=0x12ac6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac6000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0274.470] CloseHandle (hObject=0x42c) returned 1 [0274.474] CloseHandle (hObject=0x44c) returned 1 [0274.479] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ab20 | out: pbBuffer=0x12a9ab20) returned 1 [0274.480] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[FB71C171EED3E5A6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[fb71c171eed3e5a6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.651] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0290.260] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0290.490] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0291.072] SetEvent (hEvent=0xf4) returned 1 [0291.072] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0291.255] SetEvent (hEvent=0x3f8) returned 1 [0291.255] SetEvent (hEvent=0x19c) returned 1 [0291.255] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0291.579] SetEvent (hEvent=0x1d0) returned 1 [0291.579] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0291.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0291.912] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\HDkvkngN2it Nq n.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\hdkvkngn2it nq n.rtf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\#_THIS_FILE_IS_ENCRYPTED_[CB4D9541348E8741]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\#_this_file_is_encrypted_[cb4d9541348e8741]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0292.909] SetEvent (hEvent=0x110) returned 1 [0292.909] SetEvent (hEvent=0x454) returned 1 [0292.909] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\JwJgGeNfbdjzzfKk.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\jwjggenfbdjzzfkk.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0292.910] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0292.911] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\JwJgGeNfbdjzzfKk.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\jwjggenfbdjzzfkk.odp"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4551ca0, ftCreationTime.dwHighDateTime=0x1d828bc, ftLastAccessTime.dwLowDateTime=0x11502150, ftLastAccessTime.dwHighDateTime=0x1d82a1a, ftLastWriteTime.dwLowDateTime=0x11502150, ftLastWriteTime.dwHighDateTime=0x1d82a1a, nFileSizeHigh=0x0, nFileSizeLow=0xe856)) returned 1 [0292.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f300 | out: pbBuffer=0x1280f300) returned 1 [0292.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848c08 | out: pbBuffer=0x12848c08) returned 1 [0292.911] ReadFile (in: hFile=0x464, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x12851d1c*=0xe856, lpOverlapped=0x0) returned 1 [0292.914] GetFileType (hFile=0x464) returned 0x1 [0292.914] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0292.914] WriteFile (in: hFile=0x464, lpBuffer=0x12bbe000*, nNumberOfBytesToWrite=0xe856, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12bbe000*, lpNumberOfBytesWritten=0x12851d00*=0xe856, lpOverlapped=0x12851d0c) returned 1 [0292.914] GetFileType (hFile=0x464) returned 0x1 [0292.914] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xe856, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0292.915] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0292.915] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0292.915] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0292.915] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848d00 | out: pbBuffer=0x12848d00) returned 1 [0292.915] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\JwJgGeNfbdjzzfKk.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\jwjggenfbdjzzfkk.odp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0292.916] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0292.916] WriteFile (in: hFile=0x470, lpBuffer=0x12a32500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a32500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0292.916] CloseHandle (hObject=0x470) returned 1 [0293.004] CloseHandle (hObject=0x464) returned 1 [0293.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d18 | out: pbBuffer=0x12848d18) returned 1 [0293.016] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\JwJgGeNfbdjzzfKk.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\jwjggenfbdjzzfkk.odp"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\#_THIS_FILE_IS_ENCRYPTED_[AA99F3CC70577833]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\#_this_file_is_encrypted_[aa99f3cc70577833]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.205] SetEvent (hEvent=0x420) returned 1 [0293.205] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\46zHym0WJ.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\46zhym0wj.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.207] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.207] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\46zHym0WJ.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\46zhym0wj.odt"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45e22bd0, ftCreationTime.dwHighDateTime=0x1d82519, ftLastAccessTime.dwLowDateTime=0x68a691a0, ftLastAccessTime.dwHighDateTime=0x1d825d8, ftLastWriteTime.dwLowDateTime=0x68a691a0, ftLastWriteTime.dwHighDateTime=0x1d825d8, nFileSizeHigh=0x0, nFileSizeLow=0xb25b)) returned 1 [0293.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0293.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0293.207] ReadFile (in: hFile=0x45c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12851d1c*=0xb25b, lpOverlapped=0x0) returned 1 [0293.209] GetFileType (hFile=0x45c) returned 0x1 [0293.209] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.209] WriteFile (in: hFile=0x45c, lpBuffer=0x12a32000*, nNumberOfBytesToWrite=0xb25b, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a32000*, lpNumberOfBytesWritten=0x12851d00*=0xb25b, lpOverlapped=0x12851d0c) returned 1 [0293.210] GetFileType (hFile=0x45c) returned 0x1 [0293.210] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xb25b, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0293.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0293.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0293.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483d0 | out: pbBuffer=0x128483d0) returned 1 [0293.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\46zHym0WJ.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\46zhym0wj.odt"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.211] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.211] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.211] CloseHandle (hObject=0x470) returned 1 [0293.234] CloseHandle (hObject=0x45c) returned 1 [0293.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484c8 | out: pbBuffer=0x128484c8) returned 1 [0293.247] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\46zHym0WJ.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\46zhym0wj.odt"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\#_THIS_FILE_IS_ENCRYPTED_[C2AE83DE1F6A51E8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\#_this_file_is_encrypted_[c2ae83de1f6a51e8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.331] SetEvent (hEvent=0x110) returned 1 [0293.331] SetEvent (hEvent=0x420) returned 1 [0293.331] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\vbIjF6X8GPawTrv.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vbijf6x8gpawtrv.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.332] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\vbIjF6X8GPawTrv.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vbijf6x8gpawtrv.doc"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d2f2220, ftCreationTime.dwHighDateTime=0x1d82216, ftLastAccessTime.dwLowDateTime=0xc0810080, ftLastAccessTime.dwHighDateTime=0x1d8252f, ftLastWriteTime.dwLowDateTime=0xc0810080, ftLastWriteTime.dwHighDateTime=0x1d8252f, nFileSizeHigh=0x0, nFileSizeLow=0x1e5e)) returned 1 [0293.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844b40 | out: pbBuffer=0x12844b40) returned 1 [0293.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848698 | out: pbBuffer=0x12848698) returned 1 [0293.333] ReadFile (in: hFile=0x45c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12851d1c*=0x1e5e, lpOverlapped=0x0) returned 1 [0293.334] GetFileType (hFile=0x45c) returned 0x1 [0293.334] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.334] WriteFile (in: hFile=0x45c, lpBuffer=0x12c2a000*, nNumberOfBytesToWrite=0x1e5e, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12c2a000*, lpNumberOfBytesWritten=0x12851d00*=0x1e5e, lpOverlapped=0x12851d0c) returned 1 [0293.335] GetFileType (hFile=0x45c) returned 0x1 [0293.335] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x1e5e, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0293.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0293.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae01 | out: pbBuffer=0x1286ae01) returned 1 [0293.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128487a0 | out: pbBuffer=0x128487a0) returned 1 [0293.336] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\vbIjF6X8GPawTrv.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vbijf6x8gpawtrv.doc"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.336] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.336] WriteFile (in: hFile=0x468, lpBuffer=0x12dd1900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1900*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.337] CloseHandle (hObject=0x468) returned 1 [0293.337] CloseHandle (hObject=0x45c) returned 1 [0293.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128487b8 | out: pbBuffer=0x128487b8) returned 1 [0293.337] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\vbIjF6X8GPawTrv.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vbijf6x8gpawtrv.doc"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\#_THIS_FILE_IS_ENCRYPTED_[F8A34DD42E0F087D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\#_this_file_is_encrypted_[f8a34dd42e0f087d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.339] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\XI8Bv.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\xi8bv.pdf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73e364d0, ftCreationTime.dwHighDateTime=0x1d828df, ftLastAccessTime.dwLowDateTime=0x3097f620, ftLastAccessTime.dwHighDateTime=0x1d829be, ftLastWriteTime.dwLowDateTime=0x3097f620, ftLastWriteTime.dwHighDateTime=0x1d829be, nFileSizeHigh=0x0, nFileSizeLow=0x14c1f)) returned 1 [0293.339] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\dAMDSDcR5.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\damdsdcr5.xls"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3be09c0, ftCreationTime.dwHighDateTime=0x1d81c33, ftLastAccessTime.dwLowDateTime=0x12905ef0, ftLastAccessTime.dwHighDateTime=0x1d82537, ftLastWriteTime.dwLowDateTime=0x12905ef0, ftLastWriteTime.dwHighDateTime=0x1d82537, nFileSizeHigh=0x0, nFileSizeLow=0x183e3)) returned 1 [0293.339] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\XI8Bv.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\xi8bv.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.340] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.340] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\XI8Bv.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\xi8bv.pdf"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73e364d0, ftCreationTime.dwHighDateTime=0x1d828df, ftLastAccessTime.dwLowDateTime=0x3097f620, ftLastAccessTime.dwHighDateTime=0x1d829be, ftLastWriteTime.dwLowDateTime=0x3097f620, ftLastWriteTime.dwHighDateTime=0x1d829be, nFileSizeHigh=0x0, nFileSizeLow=0x14c1f)) returned 1 [0293.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844d40 | out: pbBuffer=0x12844d40) returned 1 [0293.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849660 | out: pbBuffer=0x12849660) returned 1 [0293.340] ReadFile (in: hFile=0x45c, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12851d1c*=0x14c1f, lpOverlapped=0x0) returned 1 [0293.343] GetFileType (hFile=0x45c) returned 0x1 [0293.343] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.343] WriteFile (in: hFile=0x45c, lpBuffer=0x12bbe000*, nNumberOfBytesToWrite=0x14c1f, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12bbe000*, lpNumberOfBytesWritten=0x12851d00*=0x14c1f, lpOverlapped=0x12851d0c) returned 1 [0293.344] GetFileType (hFile=0x45c) returned 0x1 [0293.344] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x14c1f, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af81 | out: pbBuffer=0x1286af81) returned 1 [0293.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b101 | out: pbBuffer=0x1286b101) returned 1 [0293.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b201 | out: pbBuffer=0x1286b201) returned 1 [0293.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849728 | out: pbBuffer=0x12849728) returned 1 [0293.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\XI8Bv.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\xi8bv.pdf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.345] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.345] WriteFile (in: hFile=0x468, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.345] CloseHandle (hObject=0x468) returned 1 [0293.345] CloseHandle (hObject=0x45c) returned 1 [0293.345] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849740 | out: pbBuffer=0x12849740) returned 1 [0293.345] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\XI8Bv.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\xi8bv.pdf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\#_THIS_FILE_IS_ENCRYPTED_[B8D1DDAD0BE12E79]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\#_this_file_is_encrypted_[b8d1ddad0be12e79]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.347] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\dAMDSDcR5.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\damdsdcr5.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.348] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.348] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\dAMDSDcR5.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\damdsdcr5.xls"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3be09c0, ftCreationTime.dwHighDateTime=0x1d81c33, ftLastAccessTime.dwLowDateTime=0x12905ef0, ftLastAccessTime.dwHighDateTime=0x1d82537, ftLastWriteTime.dwLowDateTime=0x12905ef0, ftLastWriteTime.dwHighDateTime=0x1d82537, nFileSizeHigh=0x0, nFileSizeLow=0x183e3)) returned 1 [0293.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845020 | out: pbBuffer=0x12845020) returned 1 [0293.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849788 | out: pbBuffer=0x12849788) returned 1 [0293.348] ReadFile (in: hFile=0x45c, lpBuffer=0x12bd4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bd4000*, lpNumberOfBytesRead=0x12851d1c*=0x183e3, lpOverlapped=0x0) returned 1 [0293.351] GetFileType (hFile=0x45c) returned 0x1 [0293.351] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.351] WriteFile (in: hFile=0x45c, lpBuffer=0x12a10000*, nNumberOfBytesToWrite=0x183e3, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a10000*, lpNumberOfBytesWritten=0x12851d00*=0x183e3, lpOverlapped=0x12851d0c) returned 1 [0293.352] GetFileType (hFile=0x45c) returned 0x1 [0293.352] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x183e3, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b381 | out: pbBuffer=0x1286b381) returned 1 [0293.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b481 | out: pbBuffer=0x1286b481) returned 1 [0293.353] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b581 | out: pbBuffer=0x1286b581) returned 1 [0293.353] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849860 | out: pbBuffer=0x12849860) returned 1 [0293.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\dAMDSDcR5.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\damdsdcr5.xls"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.353] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.353] WriteFile (in: hFile=0x468, lpBuffer=0x128ae500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.353] CloseHandle (hObject=0x468) returned 1 [0293.353] CloseHandle (hObject=0x45c) returned 1 [0293.354] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849898 | out: pbBuffer=0x12849898) returned 1 [0293.354] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\dAMDSDcR5.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\damdsdcr5.xls"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\#_THIS_FILE_IS_ENCRYPTED_[3F12B9A466F9622D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\#_this_file_is_encrypted_[3f12b9a466f9622d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.355] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\g3s66bQHe lVQQYoyL.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\g3s66bqhe lvqqyoyl.ots"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d64c280, ftCreationTime.dwHighDateTime=0x1d81ebe, ftLastAccessTime.dwLowDateTime=0x673fe9c0, ftLastAccessTime.dwHighDateTime=0x1d82438, ftLastWriteTime.dwLowDateTime=0x673fe9c0, ftLastWriteTime.dwHighDateTime=0x1d82438, nFileSizeHigh=0x0, nFileSizeLow=0x133dd)) returned 1 [0293.355] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\szgoHxlT.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\szgohxlt.odt"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f3aa690, ftCreationTime.dwHighDateTime=0x1d822ac, ftLastAccessTime.dwLowDateTime=0xd2fb03c0, ftLastAccessTime.dwHighDateTime=0x1d825af, ftLastWriteTime.dwLowDateTime=0xd2fb03c0, ftLastWriteTime.dwHighDateTime=0x1d825af, nFileSizeHigh=0x0, nFileSizeLow=0x3db5)) returned 1 [0293.356] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\g3s66bQHe lVQQYoyL.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\g3s66bqhe lvqqyoyl.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.356] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.356] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\g3s66bQHe lVQQYoyL.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\g3s66bqhe lvqqyoyl.ots"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d64c280, ftCreationTime.dwHighDateTime=0x1d81ebe, ftLastAccessTime.dwLowDateTime=0x673fe9c0, ftLastAccessTime.dwHighDateTime=0x1d82438, ftLastWriteTime.dwLowDateTime=0x673fe9c0, ftLastWriteTime.dwHighDateTime=0x1d82438, nFileSizeHigh=0x0, nFileSizeLow=0x133dd)) returned 1 [0293.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845bc0 | out: pbBuffer=0x12845bc0) returned 1 [0293.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e82e0 | out: pbBuffer=0x128e82e0) returned 1 [0293.357] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0293.375] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0293.375] SetEvent (hEvent=0x420) returned 1 [0293.381] ReadFile (in: hFile=0x45c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12851d1c*=0x133dd, lpOverlapped=0x0) returned 1 [0293.385] GetFileType (hFile=0x45c) returned 0x1 [0293.385] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.385] WriteFile (in: hFile=0x45c, lpBuffer=0x12e62000*, nNumberOfBytesToWrite=0x133dd, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12e62000*, lpNumberOfBytesWritten=0x12851d00*=0x133dd, lpOverlapped=0x12851d0c) returned 1 [0293.386] GetFileType (hFile=0x45c) returned 0x1 [0293.386] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x133dd, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b701 | out: pbBuffer=0x1286b701) returned 1 [0293.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b801 | out: pbBuffer=0x1286b801) returned 1 [0293.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b901 | out: pbBuffer=0x1286b901) returned 1 [0293.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8398 | out: pbBuffer=0x128e8398) returned 1 [0293.387] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\g3s66bQHe lVQQYoyL.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\g3s66bqhe lvqqyoyl.ots"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.387] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.387] WriteFile (in: hFile=0x464, lpBuffer=0x128aea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x128aea00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.387] CloseHandle (hObject=0x464) returned 1 [0293.387] CloseHandle (hObject=0x45c) returned 1 [0293.388] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e83b0 | out: pbBuffer=0x128e83b0) returned 1 [0293.388] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\g3s66bQHe lVQQYoyL.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\g3s66bqhe lvqqyoyl.ots"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\#_THIS_FILE_IS_ENCRYPTED_[A524D359A6AC69CE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\#_this_file_is_encrypted_[a524d359a6ac69ce]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.391] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\szgoHxlT.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\szgohxlt.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.392] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.392] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\szgoHxlT.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\szgohxlt.odt"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f3aa690, ftCreationTime.dwHighDateTime=0x1d822ac, ftLastAccessTime.dwLowDateTime=0xd2fb03c0, ftLastAccessTime.dwHighDateTime=0x1d825af, ftLastWriteTime.dwLowDateTime=0xd2fb03c0, ftLastWriteTime.dwHighDateTime=0x1d825af, nFileSizeHigh=0x0, nFileSizeLow=0x3db5)) returned 1 [0293.393] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845e40 | out: pbBuffer=0x12845e40) returned 1 [0293.393] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e83f8 | out: pbBuffer=0x128e83f8) returned 1 [0293.394] ReadFile (in: hFile=0x45c, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12851d1c*=0x3db5, lpOverlapped=0x0) returned 1 [0293.395] GetFileType (hFile=0x45c) returned 0x1 [0293.395] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.395] WriteFile (in: hFile=0x45c, lpBuffer=0x12ac0000*, nNumberOfBytesToWrite=0x3db5, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12ac0000*, lpNumberOfBytesWritten=0x12851d00*=0x3db5, lpOverlapped=0x12851d0c) returned 1 [0293.396] GetFileType (hFile=0x45c) returned 0x1 [0293.396] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x3db5, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bb01 | out: pbBuffer=0x1286bb01) returned 1 [0293.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bc01 | out: pbBuffer=0x1286bc01) returned 1 [0293.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bd01 | out: pbBuffer=0x1286bd01) returned 1 [0293.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e84b0 | out: pbBuffer=0x128e84b0) returned 1 [0293.397] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\szgoHxlT.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\szgohxlt.odt"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.397] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0293.397] WriteFile (in: hFile=0x464, lpBuffer=0x128aef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x128aef00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.397] CloseHandle (hObject=0x464) returned 1 [0293.397] CloseHandle (hObject=0x45c) returned 1 [0293.397] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e84c8 | out: pbBuffer=0x128e84c8) returned 1 [0293.397] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\szgoHxlT.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\szgohxlt.odt"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\#_THIS_FILE_IS_ENCRYPTED_[C0734E71AC5E0F3F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\#_this_file_is_encrypted_[c0734e71ac5e0f3f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.400] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0293.446] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0293.459] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0293.460] SetEvent (hEvent=0x1d0) returned 1 [0293.460] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0293.482] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a2dd1c*=0x18986, lpOverlapped=0x0) returned 1 [0293.485] GetFileType (hFile=0x44c) returned 0x1 [0293.485] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0293.485] WriteFile (in: hFile=0x44c, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x18986, lpNumberOfBytesWritten=0x12a2dd00, lpOverlapped=0x12a2dd0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12a2dd00*=0x18986, lpOverlapped=0x12a2dd0c) returned 1 [0293.486] GetFileType (hFile=0x44c) returned 0x1 [0293.486] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x18986, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0293.486] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0293.486] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0293.486] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0293.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483c0 | out: pbBuffer=0x128483c0) returned 1 [0293.487] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\uPNvhNg_N9fx0M3PhrT.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\upnvhng_n9fx0m3phrt.pdf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.487] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0293.487] WriteFile (in: hFile=0x468, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a2dd0c*=0x276, lpOverlapped=0x0) returned 1 [0293.487] CloseHandle (hObject=0x468) returned 1 [0293.488] CloseHandle (hObject=0x44c) returned 1 [0293.488] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483d8 | out: pbBuffer=0x128483d8) returned 1 [0293.488] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\uPNvhNg_N9fx0M3PhrT.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\upnvhng_n9fx0m3phrt.pdf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\#_THIS_FILE_IS_ENCRYPTED_[2D61D4C3B8D43B06]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\#_this_file_is_encrypted_[2d61d4c3b8d43b06]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.490] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\ohHut0PBID.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ohhut0pbid.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.490] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.491] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\ohHut0PBID.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ohhut0pbid.docx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa174a920, ftCreationTime.dwHighDateTime=0x1d824fe, ftLastAccessTime.dwLowDateTime=0xca3c850, ftLastAccessTime.dwHighDateTime=0x1d8284e, ftLastWriteTime.dwLowDateTime=0xca3c850, ftLastWriteTime.dwHighDateTime=0x1d8284e, nFileSizeHigh=0x0, nFileSizeLow=0x2452)) returned 1 [0293.491] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128444c0 | out: pbBuffer=0x128444c0) returned 1 [0293.491] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848430 | out: pbBuffer=0x12848430) returned 1 [0293.491] ReadFile (in: hFile=0x44c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12853d1c*=0x2452, lpOverlapped=0x0) returned 1 [0293.492] GetFileType (hFile=0x44c) returned 0x1 [0293.492] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.492] WriteFile (in: hFile=0x44c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x2452, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12853d00*=0x2452, lpOverlapped=0x12853d0c) returned 1 [0293.493] GetFileType (hFile=0x44c) returned 0x1 [0293.493] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2452, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0293.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0293.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0293.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0293.494] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\ohHut0PBID.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ohhut0pbid.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.494] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.494] WriteFile (in: hFile=0x468, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.494] CloseHandle (hObject=0x468) returned 1 [0293.494] CloseHandle (hObject=0x44c) returned 1 [0293.494] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0293.494] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\ohHut0PBID.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ohhut0pbid.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\#_THIS_FILE_IS_ENCRYPTED_[65E9A87141B3E039]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\#_this_file_is_encrypted_[65e9a87141b3e039]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.497] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bJHrKFh47XxzRpF4.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjhrkfh47xxzrpf4.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.525] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0293.541] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.579] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0293.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yV xDCB5D.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yv xdcb5d.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.613] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.613] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yV xDCB5D.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yv xdcb5d.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cc9cd70, ftCreationTime.dwHighDateTime=0x1d7e298, ftLastAccessTime.dwLowDateTime=0x49d4bef0, ftLastAccessTime.dwHighDateTime=0x1d8081e, ftLastWriteTime.dwLowDateTime=0x49d4bef0, ftLastWriteTime.dwHighDateTime=0x1d8081e, nFileSizeHigh=0x0, nFileSizeLow=0x956)) returned 1 [0293.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0293.614] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0293.614] ReadFile (in: hFile=0x44c, lpBuffer=0x129fc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x129fc000*, lpNumberOfBytesRead=0x12853d1c*=0x956, lpOverlapped=0x0) returned 1 [0293.615] GetFileType (hFile=0x44c) returned 0x1 [0293.615] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.615] WriteFile (in: hFile=0x44c, lpBuffer=0x12a74a80*, nNumberOfBytesToWrite=0x956, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a74a80*, lpNumberOfBytesWritten=0x12853d00*=0x956, lpOverlapped=0x12853d0c) returned 1 [0293.615] GetFileType (hFile=0x44c) returned 0x1 [0293.615] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x956, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.615] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0293.616] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0293.616] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0293.616] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0e0 | out: pbBuffer=0x12a9a0e0) returned 1 [0293.616] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yV xDCB5D.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yv xdcb5d.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.617] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.617] WriteFile (in: hFile=0x470, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.617] CloseHandle (hObject=0x470) returned 1 [0293.619] CloseHandle (hObject=0x44c) returned 1 [0293.621] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0f8 | out: pbBuffer=0x12a9a0f8) returned 1 [0293.622] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yV xDCB5D.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yv xdcb5d.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[5752B73E6FAF9434]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[5752b73e6faf9434]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.725] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0293.962] SetEvent (hEvent=0x19c) returned 1 [0293.962] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0293.965] SetEvent (hEvent=0xf4) returned 1 [0293.965] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0294.066] SetEvent (hEvent=0x1d0) returned 1 [0294.066] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0294.082] SetEvent (hEvent=0x1d0) returned 1 [0294.082] SetEvent (hEvent=0x420) returned 1 [0294.083] SetEvent (hEvent=0x454) returned 1 [0294.083] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0294.514] SwitchToThread () returned 1 [0294.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Qc4RhKRglBg__.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\qc4rhkrglbg__.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.557] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.557] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Qc4RhKRglBg__.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\qc4rhkrglbg__.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2150450, ftCreationTime.dwHighDateTime=0x1d82720, ftLastAccessTime.dwLowDateTime=0x13448b0, ftLastAccessTime.dwHighDateTime=0x1d828f2, ftLastWriteTime.dwLowDateTime=0x13448b0, ftLastWriteTime.dwHighDateTime=0x1d828f2, nFileSizeHigh=0x0, nFileSizeLow=0x6ef5)) returned 1 [0294.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129287e0 | out: pbBuffer=0x129287e0) returned 1 [0294.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810878 | out: pbBuffer=0x12810878) returned 1 [0294.557] ReadFile (in: hFile=0x468, lpBuffer=0x129e4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x129e4000*, lpNumberOfBytesRead=0x12853d1c*=0x6ef5, lpOverlapped=0x0) returned 1 [0294.559] GetFileType (hFile=0x468) returned 0x1 [0294.559] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.559] WriteFile (in: hFile=0x468, lpBuffer=0x12e66000*, nNumberOfBytesToWrite=0x6ef5, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12e66000*, lpNumberOfBytesWritten=0x12853d00*=0x6ef5, lpOverlapped=0x12853d0c) returned 1 [0294.560] GetFileType (hFile=0x468) returned 0x1 [0294.560] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x6ef5, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0294.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0294.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801981 | out: pbBuffer=0x12801981) returned 1 [0294.561] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810930 | out: pbBuffer=0x12810930) returned 1 [0294.561] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Qc4RhKRglBg__.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\qc4rhkrglbg__.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.561] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.561] WriteFile (in: hFile=0x464, lpBuffer=0x12ac2f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.561] CloseHandle (hObject=0x464) returned 1 [0294.564] CloseHandle (hObject=0x468) returned 1 [0294.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810948 | out: pbBuffer=0x12810948) returned 1 [0294.567] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Qc4RhKRglBg__.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\qc4rhkrglbg__.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[270291BB156FC032]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[270291bb156fc032]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.696] SetEvent (hEvent=0x420) returned 1 [0294.696] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\N6VxsMXcA1gYb3h x.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\n6vxsmxca1gyb3h x.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.697] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.697] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\N6VxsMXcA1gYb3h x.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\n6vxsmxca1gyb3h x.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fd62630, ftCreationTime.dwHighDateTime=0x1d82795, ftLastAccessTime.dwLowDateTime=0x32f88860, ftLastAccessTime.dwHighDateTime=0x1d8292f, ftLastWriteTime.dwLowDateTime=0x32f88860, ftLastWriteTime.dwHighDateTime=0x1d8292f, nFileSizeHigh=0x0, nFileSizeLow=0x7d7b)) returned 1 [0294.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286e0 | out: pbBuffer=0x129286e0) returned 1 [0294.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485f8 | out: pbBuffer=0x128485f8) returned 1 [0294.698] ReadFile (in: hFile=0x468, lpBuffer=0x128ee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x128ee000*, lpNumberOfBytesRead=0x12853d1c*=0x7d7b, lpOverlapped=0x0) returned 1 [0294.699] GetFileType (hFile=0x468) returned 0x1 [0294.699] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.699] WriteFile (in: hFile=0x468, lpBuffer=0x12ae8000*, nNumberOfBytesToWrite=0x7d7b, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12ae8000*, lpNumberOfBytesWritten=0x12853d00*=0x7d7b, lpOverlapped=0x12853d0c) returned 1 [0294.700] GetFileType (hFile=0x468) returned 0x1 [0294.700] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x7d7b, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b581 | out: pbBuffer=0x1286b581) returned 1 [0294.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b681 | out: pbBuffer=0x1286b681) returned 1 [0294.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b781 | out: pbBuffer=0x1286b781) returned 1 [0294.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128486e0 | out: pbBuffer=0x128486e0) returned 1 [0294.700] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\N6VxsMXcA1gYb3h x.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\n6vxsmxca1gyb3h x.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.701] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.701] WriteFile (in: hFile=0x464, lpBuffer=0x12ac3400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac3400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.740] CloseHandle (hObject=0x464) returned 1 [0294.743] CloseHandle (hObject=0x468) returned 1 [0294.758] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848768 | out: pbBuffer=0x12848768) returned 1 [0294.758] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\N6VxsMXcA1gYb3h x.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\n6vxsmxca1gyb3h x.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\#_THIS_FILE_IS_ENCRYPTED_[D494B2D9F1A4F476]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\#_this_file_is_encrypted_[d494b2d9f1a4f476]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.842] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\XKzuW0KK3P__Rm.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\xkzuw0kk3p__rm.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58de8d70, ftCreationTime.dwHighDateTime=0x1d824f4, ftLastAccessTime.dwLowDateTime=0x582185b0, ftLastAccessTime.dwHighDateTime=0x1d8287b, ftLastWriteTime.dwLowDateTime=0x582185b0, ftLastWriteTime.dwHighDateTime=0x1d8287b, nFileSizeHigh=0x0, nFileSizeLow=0x103e8)) returned 1 [0294.843] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lM7esgOy36--LKPovnS.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lm7esgoy36--lkpovns.png"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b498f0, ftCreationTime.dwHighDateTime=0x1d82766, ftLastAccessTime.dwLowDateTime=0x62c08ff0, ftLastAccessTime.dwHighDateTime=0x1d82819, ftLastWriteTime.dwLowDateTime=0x62c08ff0, ftLastWriteTime.dwHighDateTime=0x1d82819, nFileSizeHigh=0x0, nFileSizeLow=0x4ae1)) returned 1 [0294.843] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\XKzuW0KK3P__Rm.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\xkzuw0kk3p__rm.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.843] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.843] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\XKzuW0KK3P__Rm.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\xkzuw0kk3p__rm.gif"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58de8d70, ftCreationTime.dwHighDateTime=0x1d824f4, ftLastAccessTime.dwLowDateTime=0x582185b0, ftLastAccessTime.dwHighDateTime=0x1d8287b, ftLastWriteTime.dwLowDateTime=0x582185b0, ftLastWriteTime.dwHighDateTime=0x1d8287b, nFileSizeHigh=0x0, nFileSizeLow=0x103e8)) returned 1 [0294.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929240 | out: pbBuffer=0x12929240) returned 1 [0294.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d30 | out: pbBuffer=0x12848d30) returned 1 [0294.844] ReadFile (in: hFile=0x468, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12853d1c*=0x103e8, lpOverlapped=0x0) returned 1 [0294.845] GetFileType (hFile=0x468) returned 0x1 [0294.846] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.846] WriteFile (in: hFile=0x468, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x103e8, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12853d00*=0x103e8, lpOverlapped=0x12853d0c) returned 1 [0294.846] GetFileType (hFile=0x468) returned 0x1 [0294.846] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x103e8, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.846] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0294.846] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0294.846] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0294.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848e18 | out: pbBuffer=0x12848e18) returned 1 [0294.847] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\XKzuW0KK3P__Rm.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\xkzuw0kk3p__rm.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.847] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.847] WriteFile (in: hFile=0x470, lpBuffer=0x12ac2a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.847] CloseHandle (hObject=0x470) returned 1 [0294.861] CloseHandle (hObject=0x468) returned 1 [0294.864] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849080 | out: pbBuffer=0x12849080) returned 1 [0294.864] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\XKzuW0KK3P__Rm.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\xkzuw0kk3p__rm.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\#_THIS_FILE_IS_ENCRYPTED_[712B4B160C8A40E4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\#_this_file_is_encrypted_[712b4b160c8a40e4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.947] SetEvent (hEvent=0x420) returned 1 [0294.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\XxBVq2JXPp_ZGN53uP.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\xxbvq2jxpp_zgn53up.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.948] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.948] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\XxBVq2JXPp_ZGN53uP.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\xxbvq2jxpp_zgn53up.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x976377c0, ftCreationTime.dwHighDateTime=0x1d82915, ftLastAccessTime.dwLowDateTime=0xf6164610, ftLastAccessTime.dwHighDateTime=0x1d82935, ftLastWriteTime.dwLowDateTime=0xf6164610, ftLastWriteTime.dwHighDateTime=0x1d82935, nFileSizeHigh=0x0, nFileSizeLow=0xcac8)) returned 1 [0294.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929840 | out: pbBuffer=0x12929840) returned 1 [0294.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849f20 | out: pbBuffer=0x12849f20) returned 1 [0294.948] ReadFile (in: hFile=0x468, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12853d1c*=0xcac8, lpOverlapped=0x0) returned 1 [0294.950] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0294.954] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0294.954] SetEvent (hEvent=0x110) returned 1 [0294.954] SetEvent (hEvent=0x420) returned 1 [0294.954] GetFileType (hFile=0x468) returned 0x1 [0294.954] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.955] WriteFile (in: hFile=0x468, lpBuffer=0x129f6000*, nNumberOfBytesToWrite=0xcac8, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x129f6000*, lpNumberOfBytesWritten=0x12853d00*=0xcac8, lpOverlapped=0x12853d0c) returned 1 [0294.955] GetFileType (hFile=0x468) returned 0x1 [0294.955] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xcac8, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.955] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b281 | out: pbBuffer=0x1286b281) returned 1 [0294.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b381 | out: pbBuffer=0x1286b381) returned 1 [0294.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b481 | out: pbBuffer=0x1286b481) returned 1 [0294.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849fd8 | out: pbBuffer=0x12849fd8) returned 1 [0294.957] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\XxBVq2JXPp_ZGN53uP.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\xxbvq2jxpp_zgn53up.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.957] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.957] WriteFile (in: hFile=0x474, lpBuffer=0x1290a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x1290a000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.957] CloseHandle (hObject=0x474) returned 1 [0294.957] CloseHandle (hObject=0x468) returned 1 [0294.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ff0 | out: pbBuffer=0x12849ff0) returned 1 [0294.958] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\XxBVq2JXPp_ZGN53uP.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\xxbvq2jxpp_zgn53up.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\#_THIS_FILE_IS_ENCRYPTED_[D65E74D57CE8FAE3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\#_this_file_is_encrypted_[d65e74d57ce8fae3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.961] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0294.963] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0294.969] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0294.974] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0294.974] SetEvent (hEvent=0x110) returned 1 [0294.974] SetEvent (hEvent=0x454) returned 1 [0294.974] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0294.977] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\Yc3hCY.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\yc3hcy.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf490c00, ftCreationTime.dwHighDateTime=0x1d8239e, ftLastAccessTime.dwLowDateTime=0x82af18b0, ftLastAccessTime.dwHighDateTime=0x1d82844, ftLastWriteTime.dwLowDateTime=0x82af18b0, ftLastWriteTime.dwHighDateTime=0x1d82844, nFileSizeHigh=0x0, nFileSizeLow=0x71eb)) returned 1 [0294.977] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\kZ6dxGYg30pcqd Y9si.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\kz6dxgyg30pcqd y9si.png"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28090b80, ftCreationTime.dwHighDateTime=0x1d82620, ftLastAccessTime.dwLowDateTime=0x779b5910, ftLastAccessTime.dwHighDateTime=0x1d827f5, ftLastWriteTime.dwLowDateTime=0x779b5910, ftLastWriteTime.dwHighDateTime=0x1d827f5, nFileSizeHigh=0x0, nFileSizeLow=0x182f6)) returned 1 [0294.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\tS0NnwW.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\ts0nnww.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528e8ae0, ftCreationTime.dwHighDateTime=0x1d8299c, ftLastAccessTime.dwLowDateTime=0x63fad660, ftLastAccessTime.dwHighDateTime=0x1d82a16, ftLastWriteTime.dwLowDateTime=0x63fad660, ftLastWriteTime.dwHighDateTime=0x1d82a16, nFileSizeHigh=0x0, nFileSizeLow=0x159ab)) returned 1 [0294.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\vs8-8O8lmEeelehrIQoQ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\vs8-8o8lmeeelehriqoq.png"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbeb5c6d0, ftCreationTime.dwHighDateTime=0x1d81f23, ftLastAccessTime.dwLowDateTime=0x276703f0, ftLastAccessTime.dwHighDateTime=0x1d825c4, ftLastWriteTime.dwLowDateTime=0x276703f0, ftLastWriteTime.dwHighDateTime=0x1d825c4, nFileSizeHigh=0x0, nFileSizeLow=0xfb4b)) returned 1 [0294.978] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\tS0NnwW.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\ts0nnww.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.979] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.979] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\tS0NnwW.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\ts0nnww.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528e8ae0, ftCreationTime.dwHighDateTime=0x1d8299c, ftLastAccessTime.dwLowDateTime=0x63fad660, ftLastAccessTime.dwHighDateTime=0x1d82a16, ftLastWriteTime.dwLowDateTime=0x63fad660, ftLastWriteTime.dwHighDateTime=0x1d82a16, nFileSizeHigh=0x0, nFileSizeLow=0x159ab)) returned 1 [0294.980] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128453c0 | out: pbBuffer=0x128453c0) returned 1 [0294.980] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128496f0 | out: pbBuffer=0x128496f0) returned 1 [0294.980] ReadFile (in: hFile=0x468, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x12a31d1c*=0x159ab, lpOverlapped=0x0) returned 1 [0294.982] GetFileType (hFile=0x468) returned 0x1 [0294.983] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.983] WriteFile (in: hFile=0x468, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x159ab, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x12a31d00*=0x159ab, lpOverlapped=0x12a31d0c) returned 1 [0294.983] GetFileType (hFile=0x468) returned 0x1 [0294.984] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x159ab, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0294.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0294.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0294.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128497b8 | out: pbBuffer=0x128497b8) returned 1 [0294.984] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\tS0NnwW.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\ts0nnww.bmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.985] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.985] WriteFile (in: hFile=0x474, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.985] CloseHandle (hObject=0x474) returned 1 [0294.985] CloseHandle (hObject=0x468) returned 1 [0294.985] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128497d0 | out: pbBuffer=0x128497d0) returned 1 [0294.985] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\tS0NnwW.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\ts0nnww.bmp"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\#_THIS_FILE_IS_ENCRYPTED_[2DEE6903557E7FA7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\#_this_file_is_encrypted_[2dee6903557e7fa7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\vs8-8O8lmEeelehrIQoQ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\vs8-8o8lmeeelehriqoq.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.996] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.996] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\vs8-8O8lmEeelehrIQoQ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\vs8-8o8lmeeelehriqoq.png"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbeb5c6d0, ftCreationTime.dwHighDateTime=0x1d81f23, ftLastAccessTime.dwLowDateTime=0x276703f0, ftLastAccessTime.dwHighDateTime=0x1d825c4, ftLastWriteTime.dwLowDateTime=0x276703f0, ftLastWriteTime.dwHighDateTime=0x1d825c4, nFileSizeHigh=0x0, nFileSizeLow=0xfb4b)) returned 1 [0294.996] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128455c0 | out: pbBuffer=0x128455c0) returned 1 [0294.997] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849828 | out: pbBuffer=0x12849828) returned 1 [0294.997] ReadFile (in: hFile=0x468, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a31d1c*=0xfb4b, lpOverlapped=0x0) returned 1 [0294.999] GetFileType (hFile=0x468) returned 0x1 [0294.999] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.999] WriteFile (in: hFile=0x468, lpBuffer=0x12e62000*, nNumberOfBytesToWrite=0xfb4b, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12e62000*, lpNumberOfBytesWritten=0x12a31d00*=0xfb4b, lpOverlapped=0x12a31d0c) returned 1 [0295.000] GetFileType (hFile=0x468) returned 0x1 [0295.000] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfb4b, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.000] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0295.000] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0295.000] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0295.001] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849940 | out: pbBuffer=0x12849940) returned 1 [0295.001] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\vs8-8O8lmEeelehrIQoQ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\vs8-8o8lmeeelehriqoq.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.001] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.001] WriteFile (in: hFile=0x474, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.001] CloseHandle (hObject=0x474) returned 1 [0295.001] CloseHandle (hObject=0x468) returned 1 [0295.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849978 | out: pbBuffer=0x12849978) returned 1 [0295.002] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\vs8-8O8lmEeelehrIQoQ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\vs8-8o8lmeeelehriqoq.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\#_THIS_FILE_IS_ENCRYPTED_[ACF5283B98279D4A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\#_this_file_is_encrypted_[acf5283b98279d4a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.074] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8)) returned 1 [0295.074] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ffClS8IjO.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ffcls8ijo.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66d6fd0, ftCreationTime.dwHighDateTime=0x1d81e72, ftLastAccessTime.dwLowDateTime=0x3e781d00, ftLastAccessTime.dwHighDateTime=0x1d824fb, ftLastWriteTime.dwLowDateTime=0x3e781d00, ftLastWriteTime.dwHighDateTime=0x1d824fb, nFileSizeHigh=0x0, nFileSizeLow=0x717a)) returned 1 [0295.075] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.076] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.076] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8)) returned 1 [0295.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0295.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109b0 | out: pbBuffer=0x128109b0) returned 1 [0295.076] ReadFile (in: hFile=0x44c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a31d1c*=0x1f8, lpOverlapped=0x0) returned 1 [0295.077] GetFileType (hFile=0x44c) returned 0x1 [0295.077] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.077] WriteFile (in: hFile=0x44c, lpBuffer=0x12a48400*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12a48400*, lpNumberOfBytesWritten=0x12a31d00*=0x1f8, lpOverlapped=0x12a31d0c) returned 1 [0295.077] GetFileType (hFile=0x44c) returned 0x1 [0295.078] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1f8, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0295.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0295.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0295.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810aa8 | out: pbBuffer=0x12810aa8) returned 1 [0295.078] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.078] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.079] WriteFile (in: hFile=0x464, lpBuffer=0x1290aa00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x1290aa00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.106] CloseHandle (hObject=0x464) returned 1 [0295.118] CloseHandle (hObject=0x44c) returned 1 [0295.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ac0 | out: pbBuffer=0x12810ac0) returned 1 [0295.195] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[06C7C2590E682D03]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[06c7c2590e682d03]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.200] SetEvent (hEvent=0xf4) returned 1 [0295.200] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ffClS8IjO.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ffcls8ijo.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.201] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ffClS8IjO.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ffcls8ijo.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66d6fd0, ftCreationTime.dwHighDateTime=0x1d81e72, ftLastAccessTime.dwLowDateTime=0x3e781d00, ftLastAccessTime.dwHighDateTime=0x1d824fb, ftLastWriteTime.dwLowDateTime=0x3e781d00, ftLastWriteTime.dwHighDateTime=0x1d824fb, nFileSizeHigh=0x0, nFileSizeLow=0x717a)) returned 1 [0295.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98460 | out: pbBuffer=0x12a98460) returned 1 [0295.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b08 | out: pbBuffer=0x12810b08) returned 1 [0295.202] ReadFile (in: hFile=0x44c, lpBuffer=0x12bbe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bbe000*, lpNumberOfBytesRead=0x12a31d1c*=0x717a, lpOverlapped=0x0) returned 1 [0295.203] GetFileType (hFile=0x44c) returned 0x1 [0295.203] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.203] WriteFile (in: hFile=0x44c, lpBuffer=0x12b3c000*, nNumberOfBytesToWrite=0x717a, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12b3c000*, lpNumberOfBytesWritten=0x12a31d00*=0x717a, lpOverlapped=0x12a31d0c) returned 1 [0295.204] GetFileType (hFile=0x44c) returned 0x1 [0295.204] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x717a, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0295.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\g8aDQC0nas4R_i.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\g8adqc0nas4r_i.png"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b94320, ftCreationTime.dwHighDateTime=0x1d81ba0, ftLastAccessTime.dwLowDateTime=0x9bd1fd20, ftLastAccessTime.dwHighDateTime=0x1d81deb, ftLastWriteTime.dwLowDateTime=0x9bd1fd20, ftLastWriteTime.dwHighDateTime=0x1d81deb, nFileSizeHigh=0x0, nFileSizeLow=0xc113)) returned 1 [0295.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0295.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc81 | out: pbBuffer=0x12afcc81) returned 1 [0295.235] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810e68 | out: pbBuffer=0x12810e68) returned 1 [0295.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ffClS8IjO.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ffcls8ijo.bmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.250] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.250] WriteFile (in: hFile=0x468, lpBuffer=0x1290af00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x1290af00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.250] CloseHandle (hObject=0x468) returned 1 [0295.250] CloseHandle (hObject=0x44c) returned 1 [0295.250] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810e80 | out: pbBuffer=0x12810e80) returned 1 [0295.250] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ffClS8IjO.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ffcls8ijo.bmp"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[5765683962B34080]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[5765683962b34080]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.252] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\g8aDQC0nas4R_i.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\g8adqc0nas4r_i.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.253] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.253] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\g8aDQC0nas4R_i.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\g8adqc0nas4r_i.png"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b94320, ftCreationTime.dwHighDateTime=0x1d81ba0, ftLastAccessTime.dwLowDateTime=0x9bd1fd20, ftLastAccessTime.dwHighDateTime=0x1d81deb, ftLastWriteTime.dwLowDateTime=0x9bd1fd20, ftLastWriteTime.dwHighDateTime=0x1d81deb, nFileSizeHigh=0x0, nFileSizeLow=0xc113)) returned 1 [0295.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98c40 | out: pbBuffer=0x12a98c40) returned 1 [0295.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ec8 | out: pbBuffer=0x12810ec8) returned 1 [0295.254] ReadFile (in: hFile=0x44c, lpBuffer=0x12bfe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bfe000*, lpNumberOfBytesRead=0x12a31d1c*=0xc113, lpOverlapped=0x0) returned 1 [0295.255] GetFileType (hFile=0x44c) returned 0x1 [0295.255] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.255] WriteFile (in: hFile=0x44c, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0xc113, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12a31d00*=0xc113, lpOverlapped=0x12a31d0c) returned 1 [0295.256] GetFileType (hFile=0x44c) returned 0x1 [0295.256] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xc113, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0295.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf01 | out: pbBuffer=0x12afcf01) returned 1 [0295.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd001 | out: pbBuffer=0x12afd001) returned 1 [0295.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810f80 | out: pbBuffer=0x12810f80) returned 1 [0295.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\g8aDQC0nas4R_i.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\g8adqc0nas4r_i.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.256] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.256] WriteFile (in: hFile=0x468, lpBuffer=0x1290b400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x1290b400*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.257] CloseHandle (hObject=0x468) returned 1 [0295.257] CloseHandle (hObject=0x44c) returned 1 [0295.257] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810f98 | out: pbBuffer=0x12810f98) returned 1 [0295.257] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\g8aDQC0nas4R_i.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\g8adqc0nas4r_i.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[2A9B68A02C86D546]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[2a9b68a02c86d546]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.258] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\trtv-7.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\trtv-7.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7184870, ftCreationTime.dwHighDateTime=0x1d82399, ftLastAccessTime.dwLowDateTime=0x45f7a710, ftLastAccessTime.dwHighDateTime=0x1d82502, ftLastWriteTime.dwLowDateTime=0x45f7a710, ftLastWriteTime.dwHighDateTime=0x1d82502, nFileSizeHigh=0x0, nFileSizeLow=0x4492)) returned 1 [0295.259] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xdm8HuOAopSedRGTMbb.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\xdm8huoaopsedrgtmbb.png"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe09d58a0, ftCreationTime.dwHighDateTime=0x1d8298f, ftLastAccessTime.dwLowDateTime=0x8eca5ef0, ftLastAccessTime.dwHighDateTime=0x1d829e0, ftLastWriteTime.dwLowDateTime=0x8eca5ef0, ftLastWriteTime.dwHighDateTime=0x1d829e0, nFileSizeHigh=0x0, nFileSizeLow=0x8bfd)) returned 1 [0295.259] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\trtv-7.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\trtv-7.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.263] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.263] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\trtv-7.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\trtv-7.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7184870, ftCreationTime.dwHighDateTime=0x1d82399, ftLastAccessTime.dwLowDateTime=0x45f7a710, ftLastAccessTime.dwHighDateTime=0x1d82502, ftLastWriteTime.dwLowDateTime=0x45f7a710, ftLastWriteTime.dwHighDateTime=0x1d82502, nFileSizeHigh=0x0, nFileSizeLow=0x4492)) returned 1 [0295.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99420 | out: pbBuffer=0x12a99420) returned 1 [0295.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811540 | out: pbBuffer=0x12811540) returned 1 [0295.263] ReadFile (in: hFile=0x44c, lpBuffer=0x129a4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a4000*, lpNumberOfBytesRead=0x12a31d1c*=0x4492, lpOverlapped=0x0) returned 1 [0295.264] GetFileType (hFile=0x44c) returned 0x1 [0295.264] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.264] WriteFile (in: hFile=0x44c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x4492, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a31d00*=0x4492, lpOverlapped=0x12a31d0c) returned 1 [0295.264] GetFileType (hFile=0x44c) returned 0x1 [0295.265] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x4492, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.265] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd181 | out: pbBuffer=0x12afd181) returned 1 [0295.265] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd281 | out: pbBuffer=0x12afd281) returned 1 [0295.265] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd381 | out: pbBuffer=0x12afd381) returned 1 [0295.265] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128115f8 | out: pbBuffer=0x128115f8) returned 1 [0295.265] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\trtv-7.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\trtv-7.bmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.266] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.266] WriteFile (in: hFile=0x468, lpBuffer=0x1290b900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x1290b900*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.266] CloseHandle (hObject=0x468) returned 1 [0295.266] CloseHandle (hObject=0x44c) returned 1 [0295.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811610 | out: pbBuffer=0x12811610) returned 1 [0295.266] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\trtv-7.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\trtv-7.bmp"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[FBEF19E70A767346]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[fbef19e70a767346]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.268] SetEvent (hEvent=0xf4) returned 1 [0295.268] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xdm8HuOAopSedRGTMbb.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\xdm8huoaopsedrgtmbb.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.269] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.269] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xdm8HuOAopSedRGTMbb.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\xdm8huoaopsedrgtmbb.png"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe09d58a0, ftCreationTime.dwHighDateTime=0x1d8298f, ftLastAccessTime.dwLowDateTime=0x8eca5ef0, ftLastAccessTime.dwHighDateTime=0x1d829e0, ftLastWriteTime.dwLowDateTime=0x8eca5ef0, ftLastWriteTime.dwHighDateTime=0x1d829e0, nFileSizeHigh=0x0, nFileSizeLow=0x8bfd)) returned 1 [0295.269] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99640 | out: pbBuffer=0x12a99640) returned 1 [0295.269] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811658 | out: pbBuffer=0x12811658) returned 1 [0295.270] ReadFile (in: hFile=0x44c, lpBuffer=0x129e4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x129e4000*, lpNumberOfBytesRead=0x12a31d1c*=0x8bfd, lpOverlapped=0x0) returned 1 [0295.271] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0295.277] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0295.277] SetEvent (hEvent=0x110) returned 1 [0295.277] SetEvent (hEvent=0xf4) returned 1 [0295.278] GetFileType (hFile=0x44c) returned 0x1 [0295.278] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.278] WriteFile (in: hFile=0x44c, lpBuffer=0x12a34000*, nNumberOfBytesToWrite=0x8bfd, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12a34000*, lpNumberOfBytesWritten=0x12a31d00*=0x8bfd, lpOverlapped=0x12a31d0c) returned 1 [0295.278] GetFileType (hFile=0x44c) returned 0x1 [0295.278] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x8bfd, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd501 | out: pbBuffer=0x12afd501) returned 1 [0295.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd601 | out: pbBuffer=0x12afd601) returned 1 [0295.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd701 | out: pbBuffer=0x12afd701) returned 1 [0295.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811710 | out: pbBuffer=0x12811710) returned 1 [0295.280] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xdm8HuOAopSedRGTMbb.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\xdm8huoaopsedrgtmbb.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.280] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.280] WriteFile (in: hFile=0x470, lpBuffer=0x12a6a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6a000*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.280] CloseHandle (hObject=0x470) returned 1 [0295.280] CloseHandle (hObject=0x44c) returned 1 [0295.280] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811728 | out: pbBuffer=0x12811728) returned 1 [0295.280] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xdm8HuOAopSedRGTMbb.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\xdm8huoaopsedrgtmbb.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[7E17092F3F8220C3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[7e17092f3f8220c3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.291] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent" (normalized: "c:\\users\\rdhj0cnfevzx\\recent"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.291] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\*", lpFindFileData=0x12a31a44 | out: lpFindFileData=0x12a31a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.291] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.291] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.291] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbef9f8 [0295.292] FindNextFileW (in: hFindFile=0xbef9f8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.292] FindNextFileW (in: hFindFile=0xbef9f8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0295.292] FindNextFileW (in: hFindFile=0xbef9f8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.292] FindClose (in: hFindFile=0xbef9f8 | out: hFindFile=0xbef9f8) returned 1 [0295.292] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.293] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0295.293] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0295.295] CloseHandle (hObject=0x44c) returned 1 [0295.295] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a)) returned 1 [0295.295] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches" (normalized: "c:\\users\\rdhj0cnfevzx\\searches"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.295] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches" (normalized: "c:\\users\\rdhj0cnfevzx\\searches"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.295] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbeffb8 [0295.296] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.296] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0295.296] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0295.296] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0295.296] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.296] FindClose (in: hFindFile=0xbeffb8 | out: hFindFile=0xbeffb8) returned 1 [0295.296] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.296] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.296] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.315] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0295.315] WriteFile (in: hFile=0x468, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0295.317] CloseHandle (hObject=0x468) returned 1 [0295.317] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8)) returned 1 [0295.317] SwitchToThread () returned 1 [0295.323] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0295.370] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0295.408] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0295.442] SetEvent (hEvent=0x1d0) returned 1 [0295.443] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0295.453] SetEvent (hEvent=0x1d0) returned 1 [0295.453] SetEvent (hEvent=0x1b8) returned 1 [0295.453] SetEvent (hEvent=0xf4) returned 1 [0295.453] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0295.499] SwitchToThread () returned 1 [0295.502] SetEvent (hEvent=0x1d0) returned 1 [0295.502] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0295.506] SetEvent (hEvent=0x1d0) returned 1 [0295.506] SetEvent (hEvent=0xf4) returned 1 [0295.506] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\e_97_0vFDSHFIYI.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\e_97_0vfdshfiyi.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.507] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0295.508] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\e_97_0vFDSHFIYI.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\e_97_0vfdshfiyi.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64e6e160, ftCreationTime.dwHighDateTime=0x1d82663, ftLastAccessTime.dwLowDateTime=0xaa70d6a0, ftLastAccessTime.dwHighDateTime=0x1d8296f, ftLastWriteTime.dwLowDateTime=0xaa70d6a0, ftLastWriteTime.dwHighDateTime=0x1d8296f, nFileSizeHigh=0x0, nFileSizeLow=0xccac)) returned 1 [0295.508] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0295.508] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0295.508] ReadFile (in: hFile=0x474, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a2fd1c*=0xccac, lpOverlapped=0x0) returned 1 [0295.510] GetFileType (hFile=0x474) returned 0x1 [0295.510] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0295.510] WriteFile (in: hFile=0x474, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0xccac, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a2fd00*=0xccac, lpOverlapped=0x12a2fd0c) returned 1 [0295.511] GetFileType (hFile=0x474) returned 0x1 [0295.511] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xccac, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0295.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0295.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0295.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0295.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0295.512] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\e_97_0vFDSHFIYI.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\e_97_0vfdshfiyi.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.512] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0295.512] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.512] CloseHandle (hObject=0x470) returned 1 [0295.512] CloseHandle (hObject=0x474) returned 1 [0295.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810108 | out: pbBuffer=0x12810108) returned 1 [0295.513] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\e_97_0vFDSHFIYI.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\e_97_0vfdshfiyi.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\#_THIS_FILE_IS_ENCRYPTED_[4B275BD668780E2F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\#_this_file_is_encrypted_[4b275bd668780e2f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.515] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\hb3lLJEau DoZzoV_lZ0.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\hb3lljeau dozzov_lz0.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b89a100, ftCreationTime.dwHighDateTime=0x1d82463, ftLastAccessTime.dwLowDateTime=0xba75a9b0, ftLastAccessTime.dwHighDateTime=0x1d82495, ftLastWriteTime.dwLowDateTime=0xba75a9b0, ftLastWriteTime.dwHighDateTime=0x1d82495, nFileSizeHigh=0x0, nFileSizeLow=0x9b7e)) returned 1 [0295.515] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6f8a900, ftCreationTime.dwHighDateTime=0x1d82783, ftLastAccessTime.dwLowDateTime=0x7566e300, ftLastAccessTime.dwHighDateTime=0x1d8294c, ftLastWriteTime.dwLowDateTime=0x7566e300, ftLastWriteTime.dwHighDateTime=0x1d8294c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0295.515] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.515] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6f8a900, ftCreationTime.dwHighDateTime=0x1d82783, ftLastAccessTime.dwLowDateTime=0x7566e300, ftLastAccessTime.dwHighDateTime=0x1d8294c, ftLastWriteTime.dwLowDateTime=0x7566e300, ftLastWriteTime.dwHighDateTime=0x1d8294c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0295.515] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6f8a900, ftCreationTime.dwHighDateTime=0x1d82783, ftLastAccessTime.dwLowDateTime=0x7566e300, ftLastAccessTime.dwHighDateTime=0x1d8294c, ftLastWriteTime.dwLowDateTime=0x7566e300, ftLastWriteTime.dwHighDateTime=0x1d8294c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.515] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af93900, ftCreationTime.dwHighDateTime=0x1d827c6, ftLastAccessTime.dwLowDateTime=0xe7ea9100, ftLastAccessTime.dwHighDateTime=0x1d829f7, ftLastWriteTime.dwLowDateTime=0xe7ea9100, ftLastWriteTime.dwHighDateTime=0x1d829f7, nFileSizeHigh=0x0, nFileSizeLow=0x13c3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="4j-0Qf7Vs7_HvpB.swf", cAlternateFileName="4J-0QF~1.SWF")) returned 1 [0295.515] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x624c8150, ftCreationTime.dwHighDateTime=0x1d81e69, ftLastAccessTime.dwLowDateTime=0x1ad0b220, ftLastAccessTime.dwHighDateTime=0x1d82719, ftLastWriteTime.dwLowDateTime=0x1ad0b220, ftLastWriteTime.dwHighDateTime=0x1d82719, nFileSizeHigh=0x0, nFileSizeLow=0xe90c, dwReserved0=0x0, dwReserved1=0x0, cFileName="kpjPYFy.swf", cAlternateFileName="")) returned 1 [0295.516] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9afd19e0, ftCreationTime.dwHighDateTime=0x1d8216d, ftLastAccessTime.dwLowDateTime=0xdbee210, ftLastAccessTime.dwHighDateTime=0x1d82529, ftLastWriteTime.dwLowDateTime=0xdbee210, ftLastWriteTime.dwHighDateTime=0x1d82529, nFileSizeHigh=0x0, nFileSizeLow=0x18784, dwReserved0=0x0, dwReserved1=0x0, cFileName="qaGqU3iXlI3.mp4", cAlternateFileName="QAGQU3~1.MP4")) returned 1 [0295.516] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x684cd700, ftCreationTime.dwHighDateTime=0x1d81aa2, ftLastAccessTime.dwLowDateTime=0xb807da60, ftLastAccessTime.dwHighDateTime=0x1d82029, ftLastWriteTime.dwLowDateTime=0xb807da60, ftLastWriteTime.dwHighDateTime=0x1d82029, nFileSizeHigh=0x0, nFileSizeLow=0xe270, dwReserved0=0x0, dwReserved1=0x0, cFileName="xxE_ 3eocD_avMoys.flv", cAlternateFileName="XXE_3E~1.FLV")) returned 1 [0295.516] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf8ea1a0, ftCreationTime.dwHighDateTime=0x1d819f4, ftLastAccessTime.dwLowDateTime=0x7d009ab0, ftLastAccessTime.dwHighDateTime=0x1d81f61, ftLastWriteTime.dwLowDateTime=0x7d009ab0, ftLastWriteTime.dwHighDateTime=0x1d81f61, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Y_CM", cAlternateFileName="")) returned 1 [0295.516] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.516] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0295.516] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.516] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.516] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.518] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0295.518] WriteFile (in: hFile=0x474, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0295.520] CloseHandle (hObject=0x474) returned 1 [0295.520] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\4j-0Qf7Vs7_HvpB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\4j-0qf7vs7_hvpb.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af93900, ftCreationTime.dwHighDateTime=0x1d827c6, ftLastAccessTime.dwLowDateTime=0xe7ea9100, ftLastAccessTime.dwHighDateTime=0x1d829f7, ftLastWriteTime.dwLowDateTime=0xe7ea9100, ftLastWriteTime.dwHighDateTime=0x1d829f7, nFileSizeHigh=0x0, nFileSizeLow=0x13c3a)) returned 1 [0295.520] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf8ea1a0, ftCreationTime.dwHighDateTime=0x1d819f4, ftLastAccessTime.dwLowDateTime=0x7d009ab0, ftLastAccessTime.dwHighDateTime=0x1d81f61, ftLastWriteTime.dwLowDateTime=0x7d009ab0, ftLastWriteTime.dwHighDateTime=0x1d81f61, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.520] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf8ea1a0, ftCreationTime.dwHighDateTime=0x1d819f4, ftLastAccessTime.dwLowDateTime=0x7d009ab0, ftLastAccessTime.dwHighDateTime=0x1d81f61, ftLastWriteTime.dwLowDateTime=0x7d009ab0, ftLastWriteTime.dwHighDateTime=0x1d81f61, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefab8 [0295.521] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf8ea1a0, ftCreationTime.dwHighDateTime=0x1d819f4, ftLastAccessTime.dwLowDateTime=0x7d009ab0, ftLastAccessTime.dwHighDateTime=0x1d81f61, ftLastWriteTime.dwLowDateTime=0x7d009ab0, ftLastWriteTime.dwHighDateTime=0x1d81f61, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.521] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd482f0, ftCreationTime.dwHighDateTime=0x1d81a98, ftLastAccessTime.dwLowDateTime=0x9d3699a0, ftLastAccessTime.dwHighDateTime=0x1d81adf, ftLastWriteTime.dwLowDateTime=0x9d3699a0, ftLastWriteTime.dwHighDateTime=0x1d81adf, nFileSizeHigh=0x0, nFileSizeLow=0x47ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="BK3xwjlr1PV.avi", cAlternateFileName="BK3XWJ~1.AVI")) returned 1 [0295.521] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f629da0, ftCreationTime.dwHighDateTime=0x1d82171, ftLastAccessTime.dwLowDateTime=0x4e09ea0, ftLastAccessTime.dwHighDateTime=0x1d8255f, ftLastWriteTime.dwLowDateTime=0x4e09ea0, ftLastWriteTime.dwHighDateTime=0x1d8255f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="H0gqzpF7BJ2I", cAlternateFileName="H0GQZP~1")) returned 1 [0295.521] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.521] FindClose (in: hFindFile=0xbefab8 | out: hFindFile=0xbefab8) returned 1 [0295.521] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.521] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.521] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.536] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0295.536] WriteFile (in: hFile=0x470, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0295.538] CloseHandle (hObject=0x470) returned 1 [0295.538] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\BK3xwjlr1PV.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\bk3xwjlr1pv.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd482f0, ftCreationTime.dwHighDateTime=0x1d81a98, ftLastAccessTime.dwLowDateTime=0x9d3699a0, ftLastAccessTime.dwHighDateTime=0x1d81adf, ftLastWriteTime.dwLowDateTime=0x9d3699a0, ftLastWriteTime.dwHighDateTime=0x1d81adf, nFileSizeHigh=0x0, nFileSizeLow=0x47ca)) returned 1 [0295.538] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f629da0, ftCreationTime.dwHighDateTime=0x1d82171, ftLastAccessTime.dwLowDateTime=0x4e09ea0, ftLastAccessTime.dwHighDateTime=0x1d8255f, ftLastWriteTime.dwLowDateTime=0x4e09ea0, ftLastWriteTime.dwHighDateTime=0x1d8255f, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0295.539] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.539] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f629da0, ftCreationTime.dwHighDateTime=0x1d82171, ftLastAccessTime.dwLowDateTime=0x4e09ea0, ftLastAccessTime.dwHighDateTime=0x1d8255f, ftLastWriteTime.dwLowDateTime=0x4e09ea0, ftLastWriteTime.dwHighDateTime=0x1d8255f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0295.539] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f629da0, ftCreationTime.dwHighDateTime=0x1d82171, ftLastAccessTime.dwLowDateTime=0x4e09ea0, ftLastAccessTime.dwHighDateTime=0x1d8255f, ftLastWriteTime.dwLowDateTime=0x4e09ea0, ftLastWriteTime.dwHighDateTime=0x1d8255f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.539] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47126440, ftCreationTime.dwHighDateTime=0x1d81e0f, ftLastAccessTime.dwLowDateTime=0x20b017f0, ftLastAccessTime.dwHighDateTime=0x1d82055, ftLastWriteTime.dwLowDateTime=0x20b017f0, ftLastWriteTime.dwHighDateTime=0x1d82055, nFileSizeHigh=0x0, nFileSizeLow=0x15800, dwReserved0=0x0, dwReserved1=0x0, cFileName="3v_K3nV_SJQYX.avi", cAlternateFileName="3V_K3N~1.AVI")) returned 1 [0295.539] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd21cec20, ftCreationTime.dwHighDateTime=0x1d82528, ftLastAccessTime.dwLowDateTime=0x3f437320, ftLastAccessTime.dwHighDateTime=0x1d827f7, ftLastWriteTime.dwLowDateTime=0x3f437320, ftLastWriteTime.dwHighDateTime=0x1d827f7, nFileSizeHigh=0x0, nFileSizeLow=0xaec7, dwReserved0=0x0, dwReserved1=0x0, cFileName="A5xd9tI9ZeCtymCqgP.mkv", cAlternateFileName="A5XD9T~1.MKV")) returned 1 [0295.539] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x785d9110, ftCreationTime.dwHighDateTime=0x1d81e04, ftLastAccessTime.dwLowDateTime=0xc32415e0, ftLastAccessTime.dwHighDateTime=0x1d828c5, ftLastWriteTime.dwLowDateTime=0xc32415e0, ftLastWriteTime.dwHighDateTime=0x1d828c5, nFileSizeHigh=0x0, nFileSizeLow=0x7fe4, dwReserved0=0x0, dwReserved1=0x0, cFileName="yHHSos1.mkv", cAlternateFileName="")) returned 1 [0295.539] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x427a8020, ftCreationTime.dwHighDateTime=0x1d81d60, ftLastAccessTime.dwLowDateTime=0xb16f8f20, ftLastAccessTime.dwHighDateTime=0x1d81dc9, ftLastWriteTime.dwLowDateTime=0xb16f8f20, ftLastWriteTime.dwHighDateTime=0x1d81dc9, nFileSizeHigh=0x0, nFileSizeLow=0x693c, dwReserved0=0x0, dwReserved1=0x0, cFileName="YNrRjI3FU86r44y.flv", cAlternateFileName="YNRRJI~1.FLV")) returned 1 [0295.539] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.540] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0295.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.540] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.540] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.541] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0295.541] WriteFile (in: hFile=0x470, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0295.543] CloseHandle (hObject=0x470) returned 1 [0295.543] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\3v_K3nV_SJQYX.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\3v_k3nv_sjqyx.avi"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47126440, ftCreationTime.dwHighDateTime=0x1d81e0f, ftLastAccessTime.dwLowDateTime=0x20b017f0, ftLastAccessTime.dwHighDateTime=0x1d82055, ftLastWriteTime.dwLowDateTime=0x20b017f0, ftLastWriteTime.dwHighDateTime=0x1d82055, nFileSizeHigh=0x0, nFileSizeLow=0x15800)) returned 1 [0295.543] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\A5xd9tI9ZeCtymCqgP.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\a5xd9ti9zectymcqgp.mkv"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd21cec20, ftCreationTime.dwHighDateTime=0x1d82528, ftLastAccessTime.dwLowDateTime=0x3f437320, ftLastAccessTime.dwHighDateTime=0x1d827f7, ftLastWriteTime.dwLowDateTime=0x3f437320, ftLastWriteTime.dwHighDateTime=0x1d827f7, nFileSizeHigh=0x0, nFileSizeLow=0xaec7)) returned 1 [0295.543] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\YNrRjI3FU86r44y.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\ynrrji3fu86r44y.flv"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x427a8020, ftCreationTime.dwHighDateTime=0x1d81d60, ftLastAccessTime.dwLowDateTime=0xb16f8f20, ftLastAccessTime.dwHighDateTime=0x1d81dc9, ftLastWriteTime.dwLowDateTime=0xb16f8f20, ftLastWriteTime.dwHighDateTime=0x1d81dc9, nFileSizeHigh=0x0, nFileSizeLow=0x693c)) returned 1 [0295.543] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\A5xd9tI9ZeCtymCqgP.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\a5xd9ti9zectymcqgp.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.544] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.544] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\A5xd9tI9ZeCtymCqgP.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\a5xd9ti9zectymcqgp.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd21cec20, ftCreationTime.dwHighDateTime=0x1d82528, ftLastAccessTime.dwLowDateTime=0x3f437320, ftLastAccessTime.dwHighDateTime=0x1d827f7, ftLastWriteTime.dwLowDateTime=0x3f437320, ftLastWriteTime.dwHighDateTime=0x1d827f7, nFileSizeHigh=0x0, nFileSizeLow=0xaec7)) returned 1 [0295.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99fe0 | out: pbBuffer=0x12a99fe0) returned 1 [0295.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811590 | out: pbBuffer=0x12811590) returned 1 [0295.545] ReadFile (in: hFile=0x470, lpBuffer=0x12e2c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12e2c000*, lpNumberOfBytesRead=0x12855d1c*=0xaec7, lpOverlapped=0x0) returned 1 [0295.547] GetFileType (hFile=0x470) returned 0x1 [0295.547] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.547] WriteFile (in: hFile=0x470, lpBuffer=0x12b9e000*, nNumberOfBytesToWrite=0xaec7, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12b9e000*, lpNumberOfBytesWritten=0x12855d00*=0xaec7, lpOverlapped=0x12855d0c) returned 1 [0295.547] GetFileType (hFile=0x470) returned 0x1 [0295.547] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xaec7, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0295.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0295.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0295.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811648 | out: pbBuffer=0x12811648) returned 1 [0295.548] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\A5xd9tI9ZeCtymCqgP.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\a5xd9ti9zectymcqgp.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.548] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.549] WriteFile (in: hFile=0x44c, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.580] CloseHandle (hObject=0x44c) returned 1 [0295.591] CloseHandle (hObject=0x470) returned 1 [0295.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a010 | out: pbBuffer=0x12a9a010) returned 1 [0295.607] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\A5xd9tI9ZeCtymCqgP.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\a5xd9ti9zectymcqgp.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\#_THIS_FILE_IS_ENCRYPTED_[DB2871BECD623B70]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\#_this_file_is_encrypted_[db2871becd623b70]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.674] SetEvent (hEvent=0x1b8) returned 1 [0295.674] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\kpjPYFy.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\kpjpyfy.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.675] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.675] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\kpjPYFy.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\kpjpyfy.swf"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x624c8150, ftCreationTime.dwHighDateTime=0x1d81e69, ftLastAccessTime.dwLowDateTime=0x1ad0b220, ftLastAccessTime.dwHighDateTime=0x1d82719, ftLastWriteTime.dwLowDateTime=0x1ad0b220, ftLastWriteTime.dwHighDateTime=0x1d82719, nFileSizeHigh=0x0, nFileSizeLow=0xe90c)) returned 1 [0295.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0295.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0295.676] ReadFile (in: hFile=0x464, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12855d1c*=0xe90c, lpOverlapped=0x0) returned 1 [0295.678] GetFileType (hFile=0x464) returned 0x1 [0295.678] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.678] WriteFile (in: hFile=0x464, lpBuffer=0x12e66000*, nNumberOfBytesToWrite=0xe90c, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12e66000*, lpNumberOfBytesWritten=0x12855d00*=0xe90c, lpOverlapped=0x12855d0c) returned 1 [0295.679] GetFileType (hFile=0x464) returned 0x1 [0295.679] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xe90c, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.679] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0295.679] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0295.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0295.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a700 | out: pbBuffer=0x12a9a700) returned 1 [0295.680] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\kpjPYFy.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\kpjpyfy.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.680] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.680] WriteFile (in: hFile=0x468, lpBuffer=0x12a76000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.680] CloseHandle (hObject=0x468) returned 1 [0295.681] CloseHandle (hObject=0x464) returned 1 [0295.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a738 | out: pbBuffer=0x12a9a738) returned 1 [0295.681] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\kpjPYFy.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\kpjpyfy.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\#_THIS_FILE_IS_ENCRYPTED_[C2BE6B674D2E65E4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\#_this_file_is_encrypted_[c2be6b674d2e65e4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.683] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\qaGqU3iXlI3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\qagqu3ixli3.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9afd19e0, ftCreationTime.dwHighDateTime=0x1d8216d, ftLastAccessTime.dwLowDateTime=0xdbee210, ftLastAccessTime.dwHighDateTime=0x1d82529, ftLastWriteTime.dwLowDateTime=0xdbee210, ftLastWriteTime.dwHighDateTime=0x1d82529, nFileSizeHigh=0x0, nFileSizeLow=0x18784)) returned 1 [0295.683] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\xxE_ 3eocD_avMoys.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\xxe_ 3eocd_avmoys.flv"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x684cd700, ftCreationTime.dwHighDateTime=0x1d81aa2, ftLastAccessTime.dwLowDateTime=0xb807da60, ftLastAccessTime.dwHighDateTime=0x1d82029, ftLastWriteTime.dwLowDateTime=0xb807da60, ftLastWriteTime.dwHighDateTime=0x1d82029, nFileSizeHigh=0x0, nFileSizeLow=0xe270)) returned 1 [0295.683] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\qaGqU3iXlI3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\qagqu3ixli3.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.684] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.684] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\qaGqU3iXlI3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\qagqu3ixli3.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9afd19e0, ftCreationTime.dwHighDateTime=0x1d8216d, ftLastAccessTime.dwLowDateTime=0xdbee210, ftLastAccessTime.dwHighDateTime=0x1d82529, ftLastWriteTime.dwLowDateTime=0xdbee210, ftLastWriteTime.dwHighDateTime=0x1d82529, nFileSizeHigh=0x0, nFileSizeLow=0x18784)) returned 1 [0295.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844ba0 | out: pbBuffer=0x12844ba0) returned 1 [0295.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b2e0 | out: pbBuffer=0x12a9b2e0) returned 1 [0295.684] ReadFile (in: hFile=0x464, lpBuffer=0x12d86000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d86000*, lpNumberOfBytesRead=0x12855d1c*=0x18784, lpOverlapped=0x0) returned 1 [0295.686] GetFileType (hFile=0x464) returned 0x1 [0295.686] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.686] WriteFile (in: hFile=0x464, lpBuffer=0x12df8000*, nNumberOfBytesToWrite=0x18784, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12df8000*, lpNumberOfBytesWritten=0x12855d00*=0x18784, lpOverlapped=0x12855d0c) returned 1 [0295.686] GetFileType (hFile=0x464) returned 0x1 [0295.686] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x18784, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.686] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0295.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0295.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0295.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b408 | out: pbBuffer=0x12a9b408) returned 1 [0295.687] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\qaGqU3iXlI3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\qagqu3ixli3.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.687] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.687] WriteFile (in: hFile=0x468, lpBuffer=0x12a76500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.687] CloseHandle (hObject=0x468) returned 1 [0295.688] CloseHandle (hObject=0x464) returned 1 [0295.688] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b430 | out: pbBuffer=0x12a9b430) returned 1 [0295.688] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\qaGqU3iXlI3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\qagqu3ixli3.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\#_THIS_FILE_IS_ENCRYPTED_[C8BDE3FAF59E9CBA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\#_this_file_is_encrypted_[c8bde3faf59e9cba]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.689] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\xxE_ 3eocD_avMoys.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\xxe_ 3eocd_avmoys.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.690] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.690] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\xxE_ 3eocD_avMoys.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\xxe_ 3eocd_avmoys.flv"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x684cd700, ftCreationTime.dwHighDateTime=0x1d81aa2, ftLastAccessTime.dwLowDateTime=0xb807da60, ftLastAccessTime.dwHighDateTime=0x1d82029, ftLastWriteTime.dwLowDateTime=0xb807da60, ftLastWriteTime.dwHighDateTime=0x1d82029, nFileSizeHigh=0x0, nFileSizeLow=0xe270)) returned 1 [0295.690] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844da0 | out: pbBuffer=0x12844da0) returned 1 [0295.690] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b478 | out: pbBuffer=0x12a9b478) returned 1 [0295.690] ReadFile (in: hFile=0x464, lpBuffer=0x12e12000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12e12000*, lpNumberOfBytesRead=0x12855d1c*=0xe270, lpOverlapped=0x0) returned 1 [0295.692] GetFileType (hFile=0x464) returned 0x1 [0295.693] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.693] WriteFile (in: hFile=0x464, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0xe270, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12855d00*=0xe270, lpOverlapped=0x12855d0c) returned 1 [0295.693] GetFileType (hFile=0x464) returned 0x1 [0295.693] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xe270, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.693] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0295.693] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0295.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0295.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b540 | out: pbBuffer=0x12a9b540) returned 1 [0295.694] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\xxE_ 3eocD_avMoys.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\xxe_ 3eocd_avmoys.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.694] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.694] WriteFile (in: hFile=0x468, lpBuffer=0x12a76a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.695] CloseHandle (hObject=0x468) returned 1 [0295.695] CloseHandle (hObject=0x464) returned 1 [0295.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b558 | out: pbBuffer=0x12a9b558) returned 1 [0295.695] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\xxE_ 3eocD_avMoys.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\xxe_ 3eocd_avmoys.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\#_THIS_FILE_IS_ENCRYPTED_[D1D15A4C2FB4F61B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\#_this_file_is_encrypted_[d1d15a4c2fb4f61b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.696] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\C-Td6BoJlGSuvc9.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\c-td6bojlgsuvc9.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xace5f7b0, ftCreationTime.dwHighDateTime=0x1d829a3, ftLastAccessTime.dwLowDateTime=0x57eb2100, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0x57eb2100, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0x17d40)) returned 1 [0295.697] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf446eb0, ftCreationTime.dwHighDateTime=0x1d828e7, ftLastAccessTime.dwLowDateTime=0xa7ba4480, ftLastAccessTime.dwHighDateTime=0x1d829a3, ftLastWriteTime.dwLowDateTime=0xa7ba4480, ftLastWriteTime.dwHighDateTime=0x1d829a3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.697] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.697] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf446eb0, ftCreationTime.dwHighDateTime=0x1d828e7, ftLastAccessTime.dwLowDateTime=0xa7ba4480, ftLastAccessTime.dwHighDateTime=0x1d829a3, ftLastWriteTime.dwLowDateTime=0xa7ba4480, ftLastWriteTime.dwHighDateTime=0x1d829a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0295.697] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf446eb0, ftCreationTime.dwHighDateTime=0x1d828e7, ftLastAccessTime.dwLowDateTime=0xa7ba4480, ftLastAccessTime.dwHighDateTime=0x1d829a3, ftLastWriteTime.dwLowDateTime=0xa7ba4480, ftLastWriteTime.dwHighDateTime=0x1d829a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.697] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d7de250, ftCreationTime.dwHighDateTime=0x1d81e41, ftLastAccessTime.dwLowDateTime=0x335f0470, ftLastAccessTime.dwHighDateTime=0x1d82905, ftLastWriteTime.dwLowDateTime=0x335f0470, ftLastWriteTime.dwHighDateTime=0x1d82905, nFileSizeHigh=0x0, nFileSizeLow=0xfb76, dwReserved0=0x0, dwReserved1=0x0, cFileName="QQ0mxM5pd9z.swf", cAlternateFileName="QQ0MXM~1.SWF")) returned 1 [0295.697] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.697] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0295.698] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.698] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.698] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.699] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0295.699] WriteFile (in: hFile=0x464, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0295.700] CloseHandle (hObject=0x464) returned 1 [0295.701] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\QQ0mxM5pd9z.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l\\qq0mxm5pd9z.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d7de250, ftCreationTime.dwHighDateTime=0x1d81e41, ftLastAccessTime.dwLowDateTime=0x335f0470, ftLastAccessTime.dwHighDateTime=0x1d82905, ftLastWriteTime.dwLowDateTime=0x335f0470, ftLastWriteTime.dwHighDateTime=0x1d82905, nFileSizeHigh=0x0, nFileSizeLow=0xfb76)) returned 1 [0295.701] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\C-Td6BoJlGSuvc9.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\c-td6bojlgsuvc9.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.701] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.702] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\C-Td6BoJlGSuvc9.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\c-td6bojlgsuvc9.swf"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xace5f7b0, ftCreationTime.dwHighDateTime=0x1d829a3, ftLastAccessTime.dwLowDateTime=0x57eb2100, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0x57eb2100, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0x17d40)) returned 1 [0295.702] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845800 | out: pbBuffer=0x12845800) returned 1 [0295.702] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9bef0 | out: pbBuffer=0x12a9bef0) returned 1 [0295.702] ReadFile (in: hFile=0x464, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x12855d1c*=0x17d40, lpOverlapped=0x0) returned 1 [0295.705] GetFileType (hFile=0x464) returned 0x1 [0295.705] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.705] WriteFile (in: hFile=0x464, lpBuffer=0x12da6000*, nNumberOfBytesToWrite=0x17d40, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12da6000*, lpNumberOfBytesWritten=0x12855d00*=0x17d40, lpOverlapped=0x12855d0c) returned 1 [0295.705] GetFileType (hFile=0x464) returned 0x1 [0295.705] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x17d40, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0295.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0295.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835001 | out: pbBuffer=0x12835001) returned 1 [0295.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9bfa8 | out: pbBuffer=0x12a9bfa8) returned 1 [0295.706] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\C-Td6BoJlGSuvc9.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\c-td6bojlgsuvc9.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.706] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.706] WriteFile (in: hFile=0x468, lpBuffer=0x12a76f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.707] CloseHandle (hObject=0x468) returned 1 [0295.707] CloseHandle (hObject=0x464) returned 1 [0295.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9bfc0 | out: pbBuffer=0x12a9bfc0) returned 1 [0295.707] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\C-Td6BoJlGSuvc9.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\c-td6bojlgsuvc9.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\#_THIS_FILE_IS_ENCRYPTED_[7B1E7B3A373A61E3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\#_this_file_is_encrypted_[7b1e7b3a373a61e3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.708] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\QQ0mxM5pd9z.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l\\qq0mxm5pd9z.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.714] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.714] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\QQ0mxM5pd9z.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l\\qq0mxm5pd9z.swf"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d7de250, ftCreationTime.dwHighDateTime=0x1d81e41, ftLastAccessTime.dwLowDateTime=0x335f0470, ftLastAccessTime.dwHighDateTime=0x1d82905, ftLastWriteTime.dwLowDateTime=0x335f0470, ftLastWriteTime.dwHighDateTime=0x1d82905, nFileSizeHigh=0x0, nFileSizeLow=0xfb76)) returned 1 [0295.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845a20 | out: pbBuffer=0x12845a20) returned 1 [0295.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0295.715] ReadFile (in: hFile=0x464, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12855d1c*=0xfb76, lpOverlapped=0x0) returned 1 [0295.717] GetFileType (hFile=0x464) returned 0x1 [0295.718] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.718] WriteFile (in: hFile=0x464, lpBuffer=0x12bbe000*, nNumberOfBytesToWrite=0xfb76, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12bbe000*, lpNumberOfBytesWritten=0x12855d00*=0xfb76, lpOverlapped=0x12855d0c) returned 1 [0295.718] GetFileType (hFile=0x464) returned 0x1 [0295.718] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfb76, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.718] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835281 | out: pbBuffer=0x12835281) returned 1 [0295.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835381 | out: pbBuffer=0x12835381) returned 1 [0295.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835481 | out: pbBuffer=0x12835481) returned 1 [0295.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0295.719] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\QQ0mxM5pd9z.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l\\qq0mxm5pd9z.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.719] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.719] WriteFile (in: hFile=0x474, lpBuffer=0x12a77400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a77400*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.720] CloseHandle (hObject=0x474) returned 1 [0295.720] CloseHandle (hObject=0x464) returned 1 [0295.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0295.720] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\QQ0mxM5pd9z.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l\\qq0mxm5pd9z.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\EwSKEl0EKP4l\\#_THIS_FILE_IS_ENCRYPTED_[DB1FD9F49D2A909F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ewskel0ekp4l\\#_this_file_is_encrypted_[db1fd9f49d2a909f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.729] SetEvent (hEvent=0x1b8) returned 1 [0295.729] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\FH3bzmgXz4C.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\fh3bzmgxz4c.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.730] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.730] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\FH3bzmgXz4C.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\fh3bzmgxz4c.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab5f3760, ftCreationTime.dwHighDateTime=0x1d81b4f, ftLastAccessTime.dwLowDateTime=0x8cc2d380, ftLastAccessTime.dwHighDateTime=0x1d8251c, ftLastWriteTime.dwLowDateTime=0x8cc2d380, ftLastWriteTime.dwHighDateTime=0x1d8251c, nFileSizeHigh=0x0, nFileSizeLow=0x4626)) returned 1 [0295.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845ca0 | out: pbBuffer=0x12845ca0) returned 1 [0295.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0295.730] ReadFile (in: hFile=0x464, lpBuffer=0x12bce000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bce000*, lpNumberOfBytesRead=0x12855d1c*=0x4626, lpOverlapped=0x0) returned 1 [0295.732] GetFileType (hFile=0x464) returned 0x1 [0295.732] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.732] WriteFile (in: hFile=0x464, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x4626, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12855d00*=0x4626, lpOverlapped=0x12855d0c) returned 1 [0295.732] GetFileType (hFile=0x464) returned 0x1 [0295.733] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x4626, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835701 | out: pbBuffer=0x12835701) returned 1 [0295.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835801 | out: pbBuffer=0x12835801) returned 1 [0295.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835901 | out: pbBuffer=0x12835901) returned 1 [0295.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484b8 | out: pbBuffer=0x128484b8) returned 1 [0295.733] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\FH3bzmgXz4C.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\fh3bzmgxz4c.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.734] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.734] WriteFile (in: hFile=0x470, lpBuffer=0x12a77900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a77900*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.734] CloseHandle (hObject=0x470) returned 1 [0295.734] CloseHandle (hObject=0x464) returned 1 [0295.734] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484d0 | out: pbBuffer=0x128484d0) returned 1 [0295.734] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\FH3bzmgXz4C.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\fh3bzmgxz4c.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\#_THIS_FILE_IS_ENCRYPTED_[D19F5B05E31EE346]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\#_this_file_is_encrypted_[d19f5b05e31ee346]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.736] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\HXYDrWyAqkC7.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\hxydrwyaqkc7.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbcffec0, ftCreationTime.dwHighDateTime=0x1d82581, ftLastAccessTime.dwLowDateTime=0x518ef540, ftLastAccessTime.dwHighDateTime=0x1d828d8, ftLastWriteTime.dwLowDateTime=0x518ef540, ftLastWriteTime.dwHighDateTime=0x1d828d8, nFileSizeHigh=0x0, nFileSizeLow=0x16a63)) returned 1 [0295.736] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\MLyhukKzoWAepx.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mlyhukkzowaepx.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7d8e570, ftCreationTime.dwHighDateTime=0x1d81a12, ftLastAccessTime.dwLowDateTime=0x57e1f730, ftLastAccessTime.dwHighDateTime=0x1d825b3, ftLastWriteTime.dwLowDateTime=0x57e1f730, ftLastWriteTime.dwHighDateTime=0x1d825b3, nFileSizeHigh=0x0, nFileSizeLow=0x36c3)) returned 1 [0295.736] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\HXYDrWyAqkC7.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\hxydrwyaqkc7.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.737] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.737] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\HXYDrWyAqkC7.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\hxydrwyaqkc7.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbcffec0, ftCreationTime.dwHighDateTime=0x1d82581, ftLastAccessTime.dwLowDateTime=0x518ef540, ftLastAccessTime.dwHighDateTime=0x1d828d8, ftLastWriteTime.dwLowDateTime=0x518ef540, ftLastWriteTime.dwHighDateTime=0x1d828d8, nFileSizeHigh=0x0, nFileSizeLow=0x16a63)) returned 1 [0295.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e720 | out: pbBuffer=0x1280e720) returned 1 [0295.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849070 | out: pbBuffer=0x12849070) returned 1 [0295.737] ReadFile (in: hFile=0x464, lpBuffer=0x12c76000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c76000*, lpNumberOfBytesRead=0x12855d1c*=0x16a63, lpOverlapped=0x0) returned 1 [0295.739] GetFileType (hFile=0x464) returned 0x1 [0295.739] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.739] WriteFile (in: hFile=0x464, lpBuffer=0x12cb6000*, nNumberOfBytesToWrite=0x16a63, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12cb6000*, lpNumberOfBytesWritten=0x12855d00*=0x16a63, lpOverlapped=0x12855d0c) returned 1 [0295.739] GetFileType (hFile=0x464) returned 0x1 [0295.739] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x16a63, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835a81 | out: pbBuffer=0x12835a81) returned 1 [0295.740] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835b81 | out: pbBuffer=0x12835b81) returned 1 [0295.740] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835c81 | out: pbBuffer=0x12835c81) returned 1 [0295.740] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849138 | out: pbBuffer=0x12849138) returned 1 [0295.740] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\HXYDrWyAqkC7.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\hxydrwyaqkc7.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.741] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.741] WriteFile (in: hFile=0x470, lpBuffer=0x12e5a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12e5a000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.741] CloseHandle (hObject=0x470) returned 1 [0295.741] CloseHandle (hObject=0x464) returned 1 [0295.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849150 | out: pbBuffer=0x12849150) returned 1 [0295.741] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\HXYDrWyAqkC7.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\hxydrwyaqkc7.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\#_THIS_FILE_IS_ENCRYPTED_[493E2F7005E889F5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\#_this_file_is_encrypted_[493e2f7005e889f5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.743] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\MLyhukKzoWAepx.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mlyhukkzowaepx.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.743] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.743] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\MLyhukKzoWAepx.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mlyhukkzowaepx.avi"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7d8e570, ftCreationTime.dwHighDateTime=0x1d81a12, ftLastAccessTime.dwLowDateTime=0x57e1f730, ftLastAccessTime.dwHighDateTime=0x1d825b3, ftLastWriteTime.dwLowDateTime=0x57e1f730, ftLastWriteTime.dwHighDateTime=0x1d825b3, nFileSizeHigh=0x0, nFileSizeLow=0x36c3)) returned 1 [0295.743] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e940 | out: pbBuffer=0x1280e940) returned 1 [0295.743] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849198 | out: pbBuffer=0x12849198) returned 1 [0295.743] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0295.751] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb20, ulCount=0x10, ulNumEntriesRemoved=0x328ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb20, ulNumEntriesRemoved=0x328ffb04) returned 0 [0295.751] SetEvent (hEvent=0x110) returned 1 [0295.751] SetEvent (hEvent=0x1b8) returned 1 [0295.752] ReadFile (in: hFile=0x464, lpBuffer=0x12cce000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cce000*, lpNumberOfBytesRead=0x12855d1c*=0x36c3, lpOverlapped=0x0) returned 1 [0295.753] GetFileType (hFile=0x464) returned 0x1 [0295.753] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.753] WriteFile (in: hFile=0x464, lpBuffer=0x12d0e000*, nNumberOfBytesToWrite=0x36c3, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12d0e000*, lpNumberOfBytesWritten=0x12855d00*=0x36c3, lpOverlapped=0x12855d0c) returned 1 [0295.754] GetFileType (hFile=0x464) returned 0x1 [0295.754] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x36c3, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835e01 | out: pbBuffer=0x12835e01) returned 1 [0295.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835f01 | out: pbBuffer=0x12835f01) returned 1 [0295.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0295.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849260 | out: pbBuffer=0x12849260) returned 1 [0295.755] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\MLyhukKzoWAepx.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mlyhukkzowaepx.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.755] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.755] WriteFile (in: hFile=0x470, lpBuffer=0x12e5a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12e5a500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.755] CloseHandle (hObject=0x470) returned 1 [0295.756] CloseHandle (hObject=0x464) returned 1 [0295.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849278 | out: pbBuffer=0x12849278) returned 1 [0295.756] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\MLyhukKzoWAepx.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\mlyhukkzowaepx.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\#_THIS_FILE_IS_ENCRYPTED_[EA6337826309BCD1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\#_this_file_is_encrypted_[ea6337826309bcd1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.758] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0295.762] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0295.778] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0295.781] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x328ffb28, ulCount=0x10, ulNumEntriesRemoved=0x328ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x328ffb28, ulNumEntriesRemoved=0x328ffb0c) returned 0 [0295.781] SetEvent (hEvent=0x110) returned 1 [0295.781] SetEvent (hEvent=0xf4) returned 1 [0295.781] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x1) returned 0x0 [0295.799] ReadFile (in: hFile=0x464, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12853d1c*=0x14, lpOverlapped=0x0) returned 1 [0295.801] GetFileType (hFile=0x464) returned 0x1 [0295.801] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.802] WriteFile (in: hFile=0x464, lpBuffer=0x12844000*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12844000*, lpNumberOfBytesWritten=0x12853d00*=0x14, lpOverlapped=0x12853d0c) returned 1 [0295.802] GetFileType (hFile=0x464) returned 0x1 [0295.802] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x14, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0295.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0295.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0295.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0295.803] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0295.803] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0295.803] WriteFile (in: hFile=0x45c, lpBuffer=0x12e5a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12e5a000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.803] CloseHandle (hObject=0x45c) returned 1 [0295.803] CloseHandle (hObject=0x464) returned 1 [0295.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0295.804] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\#_THIS_FILE_IS_ENCRYPTED_[604D7B8CB5F4273E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\#_this_file_is_encrypted_[604d7b8cb5f4273e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.859] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) Thread: id = 5 os_tid = 0xc14 [0100.661] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x329fff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x329fff30*=0x100) returned 1 [0100.661] VirtualQuery (in: lpAddress=0x329fff40, lpBuffer=0x329fff40, dwLength=0x1c | out: lpBuffer=0x329fff40*(BaseAddress=0x329ff000, AllocationBase=0x32900000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.661] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x104 [0100.661] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0100.742] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0106.168] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0106.213] SetEvent (hEvent=0xf4) returned 1 [0106.213] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0106.432] SetEvent (hEvent=0xf4) returned 1 [0106.432] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0106.830] SetEvent (hEvent=0xf4) returned 1 [0106.830] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0107.095] SetEvent (hEvent=0xf4) returned 1 [0107.095] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0107.248] SetEvent (hEvent=0xf4) returned 1 [0107.260] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0107.376] SetEvent (hEvent=0xf4) returned 1 [0107.376] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0107.711] SetEvent (hEvent=0xf4) returned 1 [0107.711] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0107.938] SetEvent (hEvent=0xf4) returned 1 [0107.938] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0108.065] SetEvent (hEvent=0xf4) returned 1 [0108.065] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0108.301] SetEvent (hEvent=0xf4) returned 1 [0108.301] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0108.479] SetEvent (hEvent=0xf4) returned 1 [0108.479] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0108.714] SetEvent (hEvent=0xf4) returned 1 [0108.714] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0108.860] SetEvent (hEvent=0xf4) returned 1 [0108.860] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0109.023] SetEvent (hEvent=0xf4) returned 1 [0109.023] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0109.128] SetEvent (hEvent=0xf4) returned 1 [0109.128] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0109.231] SetEvent (hEvent=0xf4) returned 1 [0109.231] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0109.355] SetEvent (hEvent=0xf4) returned 1 [0109.355] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0109.461] SetEvent (hEvent=0xf4) returned 1 [0109.462] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0110.047] SetEvent (hEvent=0xfc) returned 1 [0110.074] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0110.246] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0113.363] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0115.678] SwitchToThread () returned 1 [0115.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12826700, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c0 [0115.742] CloseHandle (hObject=0x1c0) returned 1 [0115.742] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0123.535] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0125.616] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0125.834] SwitchToThread () returned 1 [0125.923] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x128268c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c8 [0125.924] CloseHandle (hObject=0x3c8) returned 1 [0125.924] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0126.148] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12826a80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d8 [0126.148] CloseHandle (hObject=0x3d8) returned 1 [0126.148] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0126.266] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0126.267] FindFirstFileW (in: lpFileName="C:\\BOOTSECT.BAK\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0126.267] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0126.762] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0127.618] SwitchToThread () returned 1 [0127.734] setsockopt (s=0x3e4, level=65535, optname=28688, optval="ä\x03", optlen=4) returned 0 [0127.734] SwitchToThread () returned 1 [0127.834] SetEvent (hEvent=0x10c) returned 1 [0127.834] getsockname (in: s=0x3e4, name=0x12921890, namelen=0x1292188c | out: name=0x12921890*(sa_family=2, sin_port=0xc233, sin_addr="192.168.0.15"), namelen=0x1292188c) returned 0 [0127.834] getpeername (in: s=0x3e4, name=0x12921890, namelen=0x1292188c | out: name=0x12921890*(sa_family=2, sin_port=0x50, sin_addr="37.48.65.182"), namelen=0x1292188c) returned 0 [0127.834] setsockopt (s=0x3e4, level=6, optname=1, optval="\x01", optlen=4) returned 0 [0127.847] setsockopt (s=0x3e4, level=65535, optname=8, optval="\x01", optlen=4) returned 0 [0127.848] WSAIoctl (in: s=0x3e4, dwIoControlCode=0x98000004, lpvInBuffer=0x12921b80, cbInBuffer=0xc, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x12921b78, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x12921b78, lpOverlapped=0x0) returned 0 [0128.629] WSARecv (in: s=0x3e4, lpBuffers=0x12b1c040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x12b1c034, lpFlags=0x12b1c078*=0x0, lpOverlapped=0x12b1c014, lpCompletionRoutine=0x0 | out: lpBuffers=0x12b1c040*=((len=0x1000, buf=0x12bf0000*)), lpNumberOfBytesRecvd=0x12b1c034*=0x0, lpFlags=0x12b1c078*=0x0, lpOverlapped=0x12b1c014) returned 0 [0128.630] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0128.978] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0129.126] CreateFileW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.127] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0129.127] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0129.219] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.219] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0129.220] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0129.301] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.302] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf\\*", lpFindFileData=0x12a95a44 | out: lpFindFileData=0x12a95a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0129.302] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0129.495] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.495] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0129.495] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0129.577] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0129.812] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffacc, ulCount=0x10, ulNumEntriesRemoved=0x329ffab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffacc, ulNumEntriesRemoved=0x329ffab0) returned 0 [0129.812] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.813] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0129.813] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffacc, ulCount=0x10, ulNumEntriesRemoved=0x329ffab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffacc, ulNumEntriesRemoved=0x329ffab0) returned 0 [0129.813] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffacc, ulCount=0x10, ulNumEntriesRemoved=0x329ffab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x329ffacc, ulNumEntriesRemoved=0x329ffab0) returned 1 [0160.083] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x329ffaac, fWait=0, lpdwFlags=0x329ffabc | out: lpcbTransfer=0x329ffaac, lpdwFlags=0x329ffabc) returned 1 [0162.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0162.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0162.632] ReadFile (in: hFile=0x19c, lpBuffer=0x12b74000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12921d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b74000*, lpNumberOfBytesRead=0x12921d1c*=0x20000, lpOverlapped=0x0) returned 1 [0162.651] GetFileType (hFile=0x19c) returned 0x1 [0162.651] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0162.651] WriteFile (in: hFile=0x19c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12921d00, lpOverlapped=0x12921d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12921d00*=0x20000, lpOverlapped=0x12921d0c) returned 1 [0162.653] GetFileType (hFile=0x19c) returned 0x1 [0162.653] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0162.654] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0162.654] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0162.654] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0162.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848db0 | out: pbBuffer=0x12848db0) returned 1 [0162.655] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0162.656] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0162.656] WriteFile (in: hFile=0x41c, lpBuffer=0x12ba4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12921d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ba4000*, lpNumberOfBytesWritten=0x12921d0c*=0x276, lpOverlapped=0x0) returned 1 [0162.657] CloseHandle (hObject=0x41c) returned 1 [0162.930] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0163.166] CloseHandle (hObject=0x19c) returned 1 [0163.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9bef0 | out: pbBuffer=0x12a9bef0) returned 1 [0163.167] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\#_THIS_FILE_IS_ENCRYPTED_[CA5A36EA6886BA6C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\#_this_file_is_encrypted_[ca5a36ea6886ba6c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0163.171] SetEvent (hEvent=0xfc) returned 1 [0163.171] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x15ede) returned 0x102 [0173.252] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1377d) returned 0x102 [0183.521] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x10f60) returned 0x102 [0193.651] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xe7ce) returned 0x102 [0203.846] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xbffb) returned 0x102 [0213.849] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x98e8) returned 0x102 [0224.009] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x7138) returned 0x102 [0234.063] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x49f2) returned 0x102 [0244.068] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x22dd) returned 0x102 [0254.128] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1d0a) returned 0x102 [0264.134] SetEvent (hEvent=0x110) returned 1 [0264.134] SetEvent (hEvent=0xfc) returned 1 [0265.012] SetEvent (hEvent=0x420) returned 1 [0265.012] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0265.031] SetEvent (hEvent=0x40c) returned 1 [0265.032] SetEvent (hEvent=0xfc) returned 1 [0265.033] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0265.120] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0265.169] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0265.208] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0265.209] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffb28, ulCount=0x10, ulNumEntriesRemoved=0x329ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffb28, ulNumEntriesRemoved=0x329ffb0c) returned 0 [0265.210] SetEvent (hEvent=0x40c) returned 1 [0265.210] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0265.248] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0265.249] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.249] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0265.250] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.252] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.252] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.255] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0265.255] WriteFile (in: hFile=0x450, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0265.256] CloseHandle (hObject=0x450) returned 1 [0265.256] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.258] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.258] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0265.315] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.315] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0265.315] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0265.315] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0265.315] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0265.315] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.316] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0265.317] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.318] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.318] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.319] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0265.319] WriteFile (in: hFile=0x450, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0265.320] CloseHandle (hObject=0x450) returned 1 [0265.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.404] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.405] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0265.405] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.405] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.405] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0265.405] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.407] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0265.407] WriteFile (in: hFile=0x450, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0265.409] CloseHandle (hObject=0x450) returned 1 [0265.409] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.409] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.410] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0265.410] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.410] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.410] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0265.410] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.411] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.411] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.412] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0265.412] WriteFile (in: hFile=0x450, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0265.414] CloseHandle (hObject=0x450) returned 1 [0265.414] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.415] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.415] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0265.415] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.415] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.415] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0265.415] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.416] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.416] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.417] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0265.417] WriteFile (in: hFile=0x450, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0265.419] CloseHandle (hObject=0x450) returned 1 [0265.419] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.420] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0265.420] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.420] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.420] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0265.420] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.420] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.421] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.422] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0265.422] WriteFile (in: hFile=0x450, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0265.424] CloseHandle (hObject=0x450) returned 1 [0265.424] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.485] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.485] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0265.486] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.486] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.486] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0265.486] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.486] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.486] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.488] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0265.488] WriteFile (in: hFile=0x450, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0265.491] CloseHandle (hObject=0x450) returned 1 [0265.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.492] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.492] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0265.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.493] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0265.493] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.494] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.573] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0265.573] WriteFile (in: hFile=0x450, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0265.575] CloseHandle (hObject=0x450) returned 1 [0265.575] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.575] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.575] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0265.576] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.576] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.576] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0265.576] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.576] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.576] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.578] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0265.578] WriteFile (in: hFile=0x450, lpBuffer=0x128ad300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128ad300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0265.580] CloseHandle (hObject=0x450) returned 1 [0265.580] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.723] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.723] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0265.724] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.724] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc95ba08, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0265.724] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.724] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0265.840] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.840] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.840] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.914] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0265.915] WriteFile (in: hFile=0x450, lpBuffer=0x128ae600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128ae600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0265.916] CloseHandle (hObject=0x450) returned 1 [0265.916] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc95ba08, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc95ba08, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0265.917] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0265.917] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc95ba08, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0265.993] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc95ba08, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.993] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcdd415e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfcdd415e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0265.993] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfc87692b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc87692b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc87692b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0265.993] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfc87692b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc87692b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc87692b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0265.993] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0265.993] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0265.994] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0265.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0265.997] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0265.997] WriteFile (in: hFile=0x450, lpBuffer=0x128af900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x128af900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0265.998] CloseHandle (hObject=0x450) returned 1 [0265.998] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcdd415e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfcdd415e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0265.999] SetEvent (hEvent=0x40c) returned 1 [0265.999] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfc87692b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc87692b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc87692b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0265.999] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfc87692b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc87692b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc87692b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.055] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.055] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.055] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0266.055] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.055] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.055] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0266.055] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0266.056] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0266.056] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0266.057] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0266.057] WriteFile (in: hFile=0x44c, lpBuffer=0x128b0c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128b0c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0266.058] CloseHandle (hObject=0x44c) returned 1 [0266.058] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.059] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.059] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0266.059] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.059] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0266.059] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0266.059] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.059] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0266.059] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0266.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0266.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0266.061] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0266.061] WriteFile (in: hFile=0x44c, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0266.062] CloseHandle (hObject=0x44c) returned 1 [0266.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.063] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0266.064] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0266.065] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0266.065] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.065] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929240 | out: pbBuffer=0x12929240) returned 1 [0266.065] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810f40 | out: pbBuffer=0x12810f40) returned 1 [0266.065] ReadFile (in: hFile=0x44c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0266.065] CloseHandle (hObject=0x44c) returned 1 [0266.066] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0266.066] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0266.066] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0266.066] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929260 | out: pbBuffer=0x12929260) returned 1 [0266.066] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810f50 | out: pbBuffer=0x12810f50) returned 1 [0266.067] ReadFile (in: hFile=0x44c, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0266.178] GetFileType (hFile=0x44c) returned 0x1 [0266.179] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0266.179] WriteFile (in: hFile=0x44c, lpBuffer=0x12a8c000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a8c000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0266.179] GetFileType (hFile=0x44c) returned 0x1 [0266.179] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0266.179] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0266.179] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0266.181] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0266.181] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811008 | out: pbBuffer=0x12811008) returned 1 [0266.181] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0266.181] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0266.181] WriteFile (in: hFile=0x458, lpBuffer=0x12db0500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12db0500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0266.181] CloseHandle (hObject=0x458) returned 1 [0266.182] CloseHandle (hObject=0x44c) returned 1 [0266.182] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811020 | out: pbBuffer=0x12811020) returned 1 [0266.182] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[2ADC78E8F100DECC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[2adc78e8f100decc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0266.425] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0267.064] SetEvent (hEvent=0x40c) returned 1 [0267.065] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\4Ck9GPqxNq.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4ck9gpqxnq.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.066] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0267.066] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\4Ck9GPqxNq.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4ck9gpqxnq.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46a7ae70, ftCreationTime.dwHighDateTime=0x1d82779, ftLastAccessTime.dwLowDateTime=0xd0a6eda0, ftLastAccessTime.dwHighDateTime=0x1d828fc, ftLastWriteTime.dwLowDateTime=0xd0a6eda0, ftLastWriteTime.dwHighDateTime=0x1d828fc, nFileSizeHigh=0x0, nFileSizeLow=0x143c4)) returned 1 [0267.066] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929580 | out: pbBuffer=0x12929580) returned 1 [0267.066] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811068 | out: pbBuffer=0x12811068) returned 1 [0267.067] ReadFile (in: hFile=0x44c, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12a4bd1c*=0x143c4, lpOverlapped=0x0) returned 1 [0267.071] GetFileType (hFile=0x44c) returned 0x1 [0267.071] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.071] WriteFile (in: hFile=0x44c, lpBuffer=0x12d04000*, nNumberOfBytesToWrite=0x143c4, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12d04000*, lpNumberOfBytesWritten=0x12a4bd00*=0x143c4, lpOverlapped=0x12a4bd0c) returned 1 [0267.072] GetFileType (hFile=0x44c) returned 0x1 [0267.072] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x143c4, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0267.099] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0267.099] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835081 | out: pbBuffer=0x12835081) returned 1 [0267.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811120 | out: pbBuffer=0x12811120) returned 1 [0267.180] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0267.251] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\3JeOyHF.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\3jeoyhf.avi"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x884124f0, ftCreationTime.dwHighDateTime=0x1d81d66, ftLastAccessTime.dwLowDateTime=0x6e293b20, ftLastAccessTime.dwHighDateTime=0x1d81d98, ftLastWriteTime.dwLowDateTime=0x6e293b20, ftLastWriteTime.dwHighDateTime=0x1d81d98, nFileSizeHigh=0x0, nFileSizeLow=0xc3b7)) returned 1 [0267.251] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0267.251] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0267.252] ReadFile (in: hFile=0x450, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x1282bd1c*=0xc3b7, lpOverlapped=0x0) returned 1 [0267.253] GetFileType (hFile=0x450) returned 0x1 [0267.253] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.253] WriteFile (in: hFile=0x450, lpBuffer=0x129e2000*, nNumberOfBytesToWrite=0xc3b7, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x129e2000*, lpNumberOfBytesWritten=0x1282bd00*=0xc3b7, lpOverlapped=0x1282bd0c) returned 1 [0267.254] GetFileType (hFile=0x450) returned 0x1 [0267.254] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xc3b7, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.254] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0267.254] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0267.254] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0267.254] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0267.254] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\3JeOyHF.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\3jeoyhf.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.255] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.255] WriteFile (in: hFile=0x45c, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0267.255] CloseHandle (hObject=0x45c) returned 1 [0267.358] CloseHandle (hObject=0x450) returned 1 [0267.360] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848408 | out: pbBuffer=0x12848408) returned 1 [0267.360] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\3JeOyHF.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\3jeoyhf.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[C03BEC0224B7F101]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[c03bec0224b7f101]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.431] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0267.434] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0267.436] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffb28, ulCount=0x10, ulNumEntriesRemoved=0x329ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffb28, ulNumEntriesRemoved=0x329ffb0c) returned 0 [0267.436] SetEvent (hEvent=0x19c) returned 1 [0267.436] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0267.441] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HtBW3C.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\htbw3c.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.442] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.442] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HtBW3C.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\htbw3c.m4a"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa0b0060, ftCreationTime.dwHighDateTime=0x1d820a4, ftLastAccessTime.dwLowDateTime=0x9ea60670, ftLastAccessTime.dwHighDateTime=0x1d820e5, ftLastWriteTime.dwLowDateTime=0x9ea60670, ftLastWriteTime.dwHighDateTime=0x1d820e5, nFileSizeHigh=0x0, nFileSizeLow=0xa33c)) returned 1 [0267.442] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0267.442] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0267.442] ReadFile (in: hFile=0x458, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282bd1c*=0xa33c, lpOverlapped=0x0) returned 1 [0267.444] GetFileType (hFile=0x458) returned 0x1 [0267.444] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.444] WriteFile (in: hFile=0x458, lpBuffer=0x12dae000*, nNumberOfBytesToWrite=0xa33c, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12dae000*, lpNumberOfBytesWritten=0x1282bd00*=0xa33c, lpOverlapped=0x1282bd0c) returned 1 [0267.444] GetFileType (hFile=0x458) returned 0x1 [0267.444] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0xa33c, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0267.445] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0267.445] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0267.445] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0267.445] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HtBW3C.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\htbw3c.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.445] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.445] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0267.445] CloseHandle (hObject=0x44c) returned 1 [0267.447] CloseHandle (hObject=0x458) returned 1 [0267.456] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0267.456] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HtBW3C.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\htbw3c.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[92DEA66FA5DA41EE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[92dea66fa5da41ee]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.526] SetEvent (hEvent=0x40c) returned 1 [0267.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KBTERo45xW pin4LQ.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\kbtero45xw pin4lq.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.527] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KBTERo45xW pin4LQ.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\kbtero45xw pin4lq.rtf"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c19cfa0, ftCreationTime.dwHighDateTime=0x1d8291d, ftLastAccessTime.dwLowDateTime=0x22986f90, ftLastAccessTime.dwHighDateTime=0x1d8291f, ftLastWriteTime.dwLowDateTime=0x22986f90, ftLastWriteTime.dwHighDateTime=0x1d8291f, nFileSizeHigh=0x0, nFileSizeLow=0x36bd)) returned 1 [0267.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98a00 | out: pbBuffer=0x12a98a00) returned 1 [0267.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103b0 | out: pbBuffer=0x128103b0) returned 1 [0267.528] ReadFile (in: hFile=0x42c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x1282bd1c*=0x36bd, lpOverlapped=0x0) returned 1 [0267.529] GetFileType (hFile=0x42c) returned 0x1 [0267.529] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.529] WriteFile (in: hFile=0x42c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x36bd, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x1282bd00*=0x36bd, lpOverlapped=0x1282bd0c) returned 1 [0267.529] GetFileType (hFile=0x42c) returned 0x1 [0267.530] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x36bd, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af01 | out: pbBuffer=0x1286af01) returned 1 [0267.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b081 | out: pbBuffer=0x1286b081) returned 1 [0267.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b181 | out: pbBuffer=0x1286b181) returned 1 [0267.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810468 | out: pbBuffer=0x12810468) returned 1 [0267.555] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KBTERo45xW pin4LQ.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\kbtero45xw pin4lq.rtf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.555] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.555] WriteFile (in: hFile=0x44c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0267.555] CloseHandle (hObject=0x44c) returned 1 [0267.559] CloseHandle (hObject=0x42c) returned 1 [0267.564] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810480 | out: pbBuffer=0x12810480) returned 1 [0267.565] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KBTERo45xW pin4LQ.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\kbtero45xw pin4lq.rtf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[68397B1801E46500]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[68397b1801e46500]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.626] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0267.646] SetEvent (hEvent=0x3f8) returned 1 [0267.646] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0267.649] SetEvent (hEvent=0x3f8) returned 1 [0267.649] SetEvent (hEvent=0x1b8) returned 1 [0267.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\SVu-lUmZjtzZVrEivHI.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\svu-lumzjtzzvreivhi.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x356b0c70, ftCreationTime.dwHighDateTime=0x1d82665, ftLastAccessTime.dwLowDateTime=0xc9ce6cf0, ftLastAccessTime.dwHighDateTime=0x1d827cc, ftLastWriteTime.dwLowDateTime=0xc9ce6cf0, ftLastWriteTime.dwHighDateTime=0x1d827cc, nFileSizeHigh=0x0, nFileSizeLow=0x13c38)) returned 1 [0267.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Tmjt46ivzmGJLB.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmjt46ivzmgjlb.ppt"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5611db0, ftCreationTime.dwHighDateTime=0x1d82491, ftLastAccessTime.dwLowDateTime=0xbe2e40e0, ftLastAccessTime.dwHighDateTime=0x1d829a3, ftLastWriteTime.dwLowDateTime=0xbe2e40e0, ftLastWriteTime.dwHighDateTime=0x1d829a3, nFileSizeHigh=0x0, nFileSizeLow=0xf47a)) returned 1 [0267.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XarX.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\xarx.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bf837d0, ftCreationTime.dwHighDateTime=0x1d824cc, ftLastAccessTime.dwLowDateTime=0x145b8260, ftLastAccessTime.dwHighDateTime=0x1d82581, ftLastWriteTime.dwLowDateTime=0x145b8260, ftLastWriteTime.dwHighDateTime=0x1d82581, nFileSizeHigh=0x0, nFileSizeLow=0x10a76)) returned 1 [0267.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\YssYwKH23NPbsGQUl.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yssywkh23npbsgqul.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda170a60, ftCreationTime.dwHighDateTime=0x1d8222f, ftLastAccessTime.dwLowDateTime=0xc7f1cf0, ftLastAccessTime.dwHighDateTime=0x1d82888, ftLastWriteTime.dwLowDateTime=0xc7f1cf0, ftLastWriteTime.dwHighDateTime=0x1d82888, nFileSizeHigh=0x0, nFileSizeLow=0x903a)) returned 1 [0267.649] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XarX.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\xarx.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.650] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.650] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XarX.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\xarx.mp3"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bf837d0, ftCreationTime.dwHighDateTime=0x1d824cc, ftLastAccessTime.dwLowDateTime=0x145b8260, ftLastAccessTime.dwHighDateTime=0x1d82581, ftLastWriteTime.dwLowDateTime=0x145b8260, ftLastWriteTime.dwHighDateTime=0x1d82581, nFileSizeHigh=0x0, nFileSizeLow=0x10a76)) returned 1 [0267.651] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129291a0 | out: pbBuffer=0x129291a0) returned 1 [0267.651] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128493f0 | out: pbBuffer=0x128493f0) returned 1 [0267.651] ReadFile (in: hFile=0x44c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x1282bd1c*=0x10a76, lpOverlapped=0x0) returned 1 [0267.653] GetFileType (hFile=0x44c) returned 0x1 [0267.653] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.653] WriteFile (in: hFile=0x44c, lpBuffer=0x12b8a000*, nNumberOfBytesToWrite=0x10a76, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12b8a000*, lpNumberOfBytesWritten=0x1282bd00*=0x10a76, lpOverlapped=0x1282bd0c) returned 1 [0267.654] GetFileType (hFile=0x44c) returned 0x1 [0267.654] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x10a76, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.654] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0267.654] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0267.654] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0267.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849528 | out: pbBuffer=0x12849528) returned 1 [0267.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XarX.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\xarx.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.655] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.655] WriteFile (in: hFile=0x42c, lpBuffer=0x12c32500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0267.655] CloseHandle (hObject=0x42c) returned 1 [0267.655] CloseHandle (hObject=0x44c) returned 1 [0267.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849540 | out: pbBuffer=0x12849540) returned 1 [0267.655] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XarX.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\xarx.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[C07F4C8A5E9D210F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[c07f4c8a5e9d210f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.657] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\YssYwKH23NPbsGQUl.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yssywkh23npbsgqul.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.658] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.658] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\YssYwKH23NPbsGQUl.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yssywkh23npbsgqul.pptx"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda170a60, ftCreationTime.dwHighDateTime=0x1d8222f, ftLastAccessTime.dwLowDateTime=0xc7f1cf0, ftLastAccessTime.dwHighDateTime=0x1d82888, ftLastWriteTime.dwLowDateTime=0xc7f1cf0, ftLastWriteTime.dwHighDateTime=0x1d82888, nFileSizeHigh=0x0, nFileSizeLow=0x903a)) returned 1 [0267.658] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129293a0 | out: pbBuffer=0x129293a0) returned 1 [0267.658] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849598 | out: pbBuffer=0x12849598) returned 1 [0267.658] ReadFile (in: hFile=0x44c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282bd1c*=0x903a, lpOverlapped=0x0) returned 1 [0267.659] GetFileType (hFile=0x44c) returned 0x1 [0267.660] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.660] WriteFile (in: hFile=0x44c, lpBuffer=0x12d2e000*, nNumberOfBytesToWrite=0x903a, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12d2e000*, lpNumberOfBytesWritten=0x1282bd00*=0x903a, lpOverlapped=0x1282bd0c) returned 1 [0267.660] GetFileType (hFile=0x44c) returned 0x1 [0267.661] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x903a, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0267.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0267.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0267.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849650 | out: pbBuffer=0x12849650) returned 1 [0267.661] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\YssYwKH23NPbsGQUl.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yssywkh23npbsgqul.pptx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.661] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.661] WriteFile (in: hFile=0x42c, lpBuffer=0x12c32a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0267.662] CloseHandle (hObject=0x42c) returned 1 [0267.662] CloseHandle (hObject=0x44c) returned 1 [0267.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849678 | out: pbBuffer=0x12849678) returned 1 [0267.663] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\YssYwKH23NPbsGQUl.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yssywkh23npbsgqul.pptx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[FF50BE55C4C614CD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[ff50be55c4c614cd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.664] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aRkyjp.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\arkyjp.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ae71280, ftCreationTime.dwHighDateTime=0x1d827ff, ftLastAccessTime.dwLowDateTime=0xa7ac1f0, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0xa7ac1f0, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0x1580a)) returned 1 [0267.664] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\bMGPI7GDlhh-74.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\bmgpi7gdlhh-74.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec1b5e30, ftCreationTime.dwHighDateTime=0x1d819f8, ftLastAccessTime.dwLowDateTime=0xd0e43c0, ftLastAccessTime.dwHighDateTime=0x1d81ea7, ftLastWriteTime.dwLowDateTime=0xd0e43c0, ftLastWriteTime.dwHighDateTime=0x1d81ea7, nFileSizeHigh=0x0, nFileSizeLow=0x1cea)) returned 1 [0267.665] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aRkyjp.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\arkyjp.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.665] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.665] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aRkyjp.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\arkyjp.gif"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ae71280, ftCreationTime.dwHighDateTime=0x1d827ff, ftLastAccessTime.dwLowDateTime=0xa7ac1f0, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0xa7ac1f0, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0x1580a)) returned 1 [0267.665] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929b80 | out: pbBuffer=0x12929b80) returned 1 [0267.665] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0267.666] ReadFile (in: hFile=0x44c, lpBuffer=0x12b9c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b9c000*, lpNumberOfBytesRead=0x1282bd1c*=0x1580a, lpOverlapped=0x0) returned 1 [0267.668] GetFileType (hFile=0x44c) returned 0x1 [0267.668] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.668] WriteFile (in: hFile=0x44c, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x1580a, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x1282bd00*=0x1580a, lpOverlapped=0x1282bd0c) returned 1 [0267.668] GetFileType (hFile=0x44c) returned 0x1 [0267.669] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1580a, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0267.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0267.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0267.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1c8 | out: pbBuffer=0x12a9a1c8) returned 1 [0267.669] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aRkyjp.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\arkyjp.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.669] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.669] WriteFile (in: hFile=0x42c, lpBuffer=0x12c32f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32f00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0267.669] CloseHandle (hObject=0x42c) returned 1 [0267.670] CloseHandle (hObject=0x44c) returned 1 [0267.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1e0 | out: pbBuffer=0x12a9a1e0) returned 1 [0267.670] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aRkyjp.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\arkyjp.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[0942BE402E75D237]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[0942be402e75d237]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.671] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\bMGPI7GDlhh-74.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\bmgpi7gdlhh-74.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.672] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.672] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\bMGPI7GDlhh-74.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\bmgpi7gdlhh-74.m4a"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec1b5e30, ftCreationTime.dwHighDateTime=0x1d819f8, ftLastAccessTime.dwLowDateTime=0xd0e43c0, ftLastAccessTime.dwHighDateTime=0x1d81ea7, ftLastWriteTime.dwLowDateTime=0xd0e43c0, ftLastWriteTime.dwHighDateTime=0x1d81ea7, nFileSizeHigh=0x0, nFileSizeLow=0x1cea)) returned 1 [0267.672] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929d80 | out: pbBuffer=0x12929d80) returned 1 [0267.672] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a238 | out: pbBuffer=0x12a9a238) returned 1 [0267.672] ReadFile (in: hFile=0x44c, lpBuffer=0x1298c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x1298c000*, lpNumberOfBytesRead=0x1282bd1c*=0x1cea, lpOverlapped=0x0) returned 1 [0267.673] GetFileType (hFile=0x44c) returned 0x1 [0267.673] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.673] WriteFile (in: hFile=0x44c, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x1cea, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x1282bd00*=0x1cea, lpOverlapped=0x1282bd0c) returned 1 [0267.673] GetFileType (hFile=0x44c) returned 0x1 [0267.673] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1cea, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.673] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835201 | out: pbBuffer=0x12835201) returned 1 [0267.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835301 | out: pbBuffer=0x12835301) returned 1 [0267.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835401 | out: pbBuffer=0x12835401) returned 1 [0267.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a2f0 | out: pbBuffer=0x12a9a2f0) returned 1 [0267.674] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\bMGPI7GDlhh-74.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\bmgpi7gdlhh-74.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.674] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.674] WriteFile (in: hFile=0x42c, lpBuffer=0x12c33400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c33400*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0267.674] CloseHandle (hObject=0x42c) returned 1 [0267.674] CloseHandle (hObject=0x44c) returned 1 [0267.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a308 | out: pbBuffer=0x12a9a308) returned 1 [0267.675] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\bMGPI7GDlhh-74.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\bmgpi7gdlhh-74.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[9ABED42A20DD1879]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[9abed42a20dd1879]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.727] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0267.728] SetEvent (hEvent=0xfc) returned 1 [0267.728] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ckyL13X157_Yjd.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ckyl13x157_yjd.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.729] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.730] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ckyL13X157_Yjd.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ckyl13x157_yjd.avi"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf47598e0, ftCreationTime.dwHighDateTime=0x1d82789, ftLastAccessTime.dwLowDateTime=0xdcc9d390, ftLastAccessTime.dwHighDateTime=0x1d828ac, ftLastWriteTime.dwLowDateTime=0xdcc9d390, ftLastWriteTime.dwHighDateTime=0x1d828ac, nFileSizeHigh=0x0, nFileSizeLow=0x16cca)) returned 1 [0267.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e460 | out: pbBuffer=0x1280e460) returned 1 [0267.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0267.730] ReadFile (in: hFile=0x458, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12853d1c*=0x16cca, lpOverlapped=0x0) returned 1 [0267.732] GetFileType (hFile=0x458) returned 0x1 [0267.732] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.732] WriteFile (in: hFile=0x458, lpBuffer=0x12a5c000*, nNumberOfBytesToWrite=0x16cca, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a5c000*, lpNumberOfBytesWritten=0x12853d00*=0x16cca, lpOverlapped=0x12853d0c) returned 1 [0267.733] GetFileType (hFile=0x458) returned 0x1 [0267.733] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x16cca, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0267.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0267.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0267.734] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101e0 | out: pbBuffer=0x128101e0) returned 1 [0267.734] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ckyL13X157_Yjd.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ckyl13x157_yjd.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.734] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.734] WriteFile (in: hFile=0x44c, lpBuffer=0x12a90500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90500*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.734] CloseHandle (hObject=0x44c) returned 1 [0267.740] CloseHandle (hObject=0x458) returned 1 [0267.747] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101f8 | out: pbBuffer=0x128101f8) returned 1 [0267.747] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ckyL13X157_Yjd.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ckyl13x157_yjd.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[9D53F8FEE44C67D2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[9d53f8fee44c67d2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.827] SetEvent (hEvent=0xfc) returned 1 [0267.828] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ldcNmdHB 4uiaPZ0.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ldcnmdhb 4uiapz0.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.829] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ldcNmdHB 4uiaPZ0.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ldcnmdhb 4uiapz0.png"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c845d20, ftCreationTime.dwHighDateTime=0x1d8253f, ftLastAccessTime.dwLowDateTime=0x399dc150, ftLastAccessTime.dwHighDateTime=0x1d829e1, ftLastWriteTime.dwLowDateTime=0x399dc150, ftLastWriteTime.dwHighDateTime=0x1d829e1, nFileSizeHigh=0x0, nFileSizeLow=0x1dd0)) returned 1 [0267.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845140 | out: pbBuffer=0x12845140) returned 1 [0267.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a310 | out: pbBuffer=0x12a9a310) returned 1 [0267.829] ReadFile (in: hFile=0x44c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12853d1c*=0x1dd0, lpOverlapped=0x0) returned 1 [0267.830] GetFileType (hFile=0x44c) returned 0x1 [0267.830] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.830] WriteFile (in: hFile=0x44c, lpBuffer=0x1288c000*, nNumberOfBytesToWrite=0x1dd0, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x1288c000*, lpNumberOfBytesWritten=0x12853d00*=0x1dd0, lpOverlapped=0x12853d0c) returned 1 [0267.831] GetFileType (hFile=0x44c) returned 0x1 [0267.831] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1dd0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0267.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0267.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0267.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a4f8 | out: pbBuffer=0x12a9a4f8) returned 1 [0267.831] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ldcNmdHB 4uiaPZ0.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ldcnmdhb 4uiapz0.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.831] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.832] WriteFile (in: hFile=0x45c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.832] CloseHandle (hObject=0x45c) returned 1 [0267.838] CloseHandle (hObject=0x44c) returned 1 [0267.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ad0 | out: pbBuffer=0x12848ad0) returned 1 [0267.870] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ldcNmdHB 4uiaPZ0.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ldcnmdhb 4uiapz0.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[B5383E8D93DCE7F4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[b5383e8d93dce7f4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0268.369] SetEvent (hEvent=0x110) returned 1 [0268.383] SetEvent (hEvent=0xf4) returned 1 [0268.401] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rqFpkxvRIQQ_.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rqfpkxvriqq_.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0268.545] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\txpRRLn2D.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\txprrln2d.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c775940, ftCreationTime.dwHighDateTime=0x1d82a04, ftLastAccessTime.dwLowDateTime=0x2bcb35c0, ftLastAccessTime.dwHighDateTime=0x1d82a14, ftLastWriteTime.dwLowDateTime=0x2bcb35c0, ftLastWriteTime.dwHighDateTime=0x1d82a14, nFileSizeHigh=0x0, nFileSizeLow=0x10007)) returned 1 [0268.631] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0268.896] SwitchToThread () returned 1 [0269.022] SetEvent (hEvent=0xfc) returned 1 [0269.022] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ujzi_c.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ujzi_c.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15d0b780, ftCreationTime.dwHighDateTime=0x1d82042, ftLastAccessTime.dwLowDateTime=0x82179410, ftLastAccessTime.dwHighDateTime=0x1d82077, ftLastWriteTime.dwLowDateTime=0x82179410, ftLastWriteTime.dwHighDateTime=0x1d82077, nFileSizeHigh=0x0, nFileSizeLow=0xfc07)) returned 1 [0269.382] SetEvent (hEvent=0x3f8) returned 1 [0269.478] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\upibLQsn2F_Ad.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\upiblqsn2f_ad.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37b86830, ftCreationTime.dwHighDateTime=0x1d8211d, ftLastAccessTime.dwLowDateTime=0xe19c2010, ftLastAccessTime.dwHighDateTime=0x1d82944, ftLastWriteTime.dwLowDateTime=0xe19c2010, ftLastWriteTime.dwHighDateTime=0x1d82944, nFileSizeHigh=0x0, nFileSizeLow=0x1820d)) returned 1 [0269.479] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ujzi_c.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ujzi_c.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0269.480] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0269.480] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ujzi_c.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ujzi_c.swf"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15d0b780, ftCreationTime.dwHighDateTime=0x1d82042, ftLastAccessTime.dwLowDateTime=0x82179410, ftLastAccessTime.dwHighDateTime=0x1d82077, ftLastWriteTime.dwLowDateTime=0x82179410, ftLastWriteTime.dwHighDateTime=0x1d82077, nFileSizeHigh=0x0, nFileSizeLow=0xfc07)) returned 1 [0269.480] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b89720 | out: pbBuffer=0x12b89720) returned 1 [0269.480] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34f00 | out: pbBuffer=0x12c34f00) returned 1 [0269.481] ReadFile (in: hFile=0x458, lpBuffer=0x129c8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x129c8000*, lpNumberOfBytesRead=0x1282bd1c*=0xfc07, lpOverlapped=0x0) returned 1 [0269.483] GetFileType (hFile=0x458) returned 0x1 [0269.484] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0269.484] WriteFile (in: hFile=0x458, lpBuffer=0x129e8000*, nNumberOfBytesToWrite=0xfc07, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x129e8000*, lpNumberOfBytesWritten=0x1282bd00*=0xfc07, lpOverlapped=0x1282bd0c) returned 1 [0269.484] GetFileType (hFile=0x458) returned 0x1 [0269.484] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0xfc07, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0269.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a381 | out: pbBuffer=0x1286a381) returned 1 [0269.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0269.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0269.635] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0269.962] SetEvent (hEvent=0x1b8) returned 1 [0269.962] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0270.109] SetEvent (hEvent=0x3f8) returned 1 [0270.109] SetEvent (hEvent=0xfc) returned 1 [0270.109] SetEvent (hEvent=0x19c) returned 1 [0270.109] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0270.180] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0270.353] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0270.513] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffb28, ulCount=0x10, ulNumEntriesRemoved=0x329ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffb28, ulNumEntriesRemoved=0x329ffb0c) returned 0 [0270.514] SetEvent (hEvent=0x110) returned 1 [0270.514] SetEvent (hEvent=0x40c) returned 1 [0270.514] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0270.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34010 | out: pbBuffer=0x12c34010) returned 1 [0270.526] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00001.jrs"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\#_THIS_FILE_IS_ENCRYPTED_[EB583319B7EB06CE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\#_this_file_is_encrypted_[eb583319b7eb06ce]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.538] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.579] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0270.579] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64a9c09, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x64a9c09, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x64a9c09, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x12bb)) returned 1 [0270.579] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0270.579] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34058 | out: pbBuffer=0x12c34058) returned 1 [0270.580] ReadFile (in: hFile=0x450, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x1282bd1c*=0x12bb, lpOverlapped=0x0) returned 1 [0270.624] GetFileType (hFile=0x450) returned 0x1 [0270.624] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0270.624] WriteFile (in: hFile=0x450, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x12bb, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282bd00*=0x12bb, lpOverlapped=0x1282bd0c) returned 1 [0270.625] GetFileType (hFile=0x450) returned 0x1 [0270.625] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x12bb, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0270.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a101 | out: pbBuffer=0x1286a101) returned 1 [0270.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a281 | out: pbBuffer=0x1286a281) returned 1 [0270.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a381 | out: pbBuffer=0x1286a381) returned 1 [0270.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34130 | out: pbBuffer=0x12c34130) returned 1 [0270.625] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0270.625] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0270.626] WriteFile (in: hFile=0x464, lpBuffer=0x12aec000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12aec000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0270.626] CloseHandle (hObject=0x464) returned 1 [0270.626] CloseHandle (hObject=0x450) returned 1 [0270.626] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34148 | out: pbBuffer=0x12c34148) returned 1 [0270.626] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\#_THIS_FILE_IS_ENCRYPTED_[CA6429C03465D699]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\#_this_file_is_encrypted_[ca6429c03465d699]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.628] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\77ec63bda74bd0d0e0426dc8f8008506"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.629] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0270.629] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\77ec63bda74bd0d0e0426dc8f8008506"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65dad7a, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0270.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34190 | out: pbBuffer=0x12c34190) returned 1 [0270.629] ReadFile (in: hFile=0x450, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0270.630] CloseHandle (hObject=0x450) returned 1 [0270.630] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\fb0d848f74f70bb2eaa93746d24d9749"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x2af524cd, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1e74)) returned 1 [0270.630] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb59b3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bb59b3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.633] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0270.633] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb59b3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bb59b3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0270.641] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb59b3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bb59b3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.641] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64a9c09, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x64a9c09, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xa5bc9fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x154, dwReserved0=0x0, dwReserved1=0x0, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0270.641] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65b4c5b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65b4c5b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x2a5c8f0f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961", cAlternateFileName="69B5E9~1")) returned 1 [0270.641] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x81bb59b3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81bb59b3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa5afc463, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1be, dwReserved0=0x0, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442", cAlternateFileName="6BADA8~1")) returned 1 [0270.641] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xdd75384e, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776", cAlternateFileName="7423F8~1")) returned 1 [0270.641] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65dad7a, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0x0, dwReserved1=0x0, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0270.641] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xa5c4b8fa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14a, dwReserved0=0x0, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0270.641] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0270.641] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0270.642] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0270.643] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0270.644] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0270.714] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0270.714] WriteFile (in: hFile=0x458, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0270.729] CloseHandle (hObject=0x458) returned 1 [0270.734] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64a9c09, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x64a9c09, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xa5bc9fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x154)) returned 1 [0270.735] SetEvent (hEvent=0x1b8) returned 1 [0270.735] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65b4c5b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65b4c5b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x2a5c8f0f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1aa)) returned 1 [0270.735] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.736] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.736] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64a9c09, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x64a9c09, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xa5bc9fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x154)) returned 1 [0270.736] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b887c0 | out: pbBuffer=0x12b887c0) returned 1 [0270.736] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a00 | out: pbBuffer=0x12848a00) returned 1 [0270.736] ReadFile (in: hFile=0x460, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12851d1c*=0x154, lpOverlapped=0x0) returned 1 [0270.740] GetFileType (hFile=0x460) returned 0x1 [0270.740] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.740] WriteFile (in: hFile=0x460, lpBuffer=0x12da2000*, nNumberOfBytesToWrite=0x154, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12da2000*, lpNumberOfBytesWritten=0x12851d00*=0x154, lpOverlapped=0x12851d0c) returned 1 [0270.741] GetFileType (hFile=0x460) returned 0x1 [0270.741] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x154, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0270.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0270.742] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0270.742] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848ac8 | out: pbBuffer=0x12848ac8) returned 1 [0270.742] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.743] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.743] WriteFile (in: hFile=0x45c, lpBuffer=0x12ada000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ada000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.747] CloseHandle (hObject=0x45c) returned 1 [0270.747] CloseHandle (hObject=0x460) returned 1 [0270.747] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ae0 | out: pbBuffer=0x12848ae0) returned 1 [0270.747] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\#_THIS_FILE_IS_ENCRYPTED_[8E38226FA39C155A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\#_this_file_is_encrypted_[8e38226fa39c155a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.749] SetEvent (hEvent=0x1b8) returned 1 [0270.749] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.750] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.750] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65b4c5b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65b4c5b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x2a5c8f0f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1aa)) returned 1 [0270.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88a00 | out: pbBuffer=0x12b88a00) returned 1 [0270.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b38 | out: pbBuffer=0x12848b38) returned 1 [0270.751] ReadFile (in: hFile=0x460, lpBuffer=0x12cf0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf0000*, lpNumberOfBytesRead=0x12851d1c*=0x1aa, lpOverlapped=0x0) returned 1 [0270.752] GetFileType (hFile=0x460) returned 0x1 [0270.752] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.752] WriteFile (in: hFile=0x460, lpBuffer=0x12c2ea80*, nNumberOfBytesToWrite=0x1aa, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12c2ea80*, lpNumberOfBytesWritten=0x12851d00*=0x1aa, lpOverlapped=0x12851d0c) returned 1 [0270.753] GetFileType (hFile=0x460) returned 0x1 [0270.753] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x1aa, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.753] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0270.753] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0270.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0270.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848bf0 | out: pbBuffer=0x12848bf0) returned 1 [0270.754] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.754] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.754] WriteFile (in: hFile=0x45c, lpBuffer=0x12ada500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ada500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.758] CloseHandle (hObject=0x45c) returned 1 [0270.758] CloseHandle (hObject=0x460) returned 1 [0270.758] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848c28 | out: pbBuffer=0x12848c28) returned 1 [0270.759] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\#_THIS_FILE_IS_ENCRYPTED_[46286AB71971EAC1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\#_this_file_is_encrypted_[46286ab71971eac1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.760] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.762] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x81bb59b3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81bb59b3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa5afc463, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1be)) returned 1 [0270.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88c00 | out: pbBuffer=0x12b88c00) returned 1 [0270.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848cd0 | out: pbBuffer=0x12848cd0) returned 1 [0270.762] ReadFile (in: hFile=0x460, lpBuffer=0x12d30000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d30000*, lpNumberOfBytesRead=0x12851d1c*=0x1be, lpOverlapped=0x0) returned 1 [0270.764] GetFileType (hFile=0x460) returned 0x1 [0270.764] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.764] WriteFile (in: hFile=0x460, lpBuffer=0x12c2ee00*, nNumberOfBytesToWrite=0x1be, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12c2ee00*, lpNumberOfBytesWritten=0x12851d00*=0x1be, lpOverlapped=0x12851d0c) returned 1 [0270.764] GetFileType (hFile=0x460) returned 0x1 [0270.764] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x1be, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0270.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0270.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0270.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848e18 | out: pbBuffer=0x12848e18) returned 1 [0270.765] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.766] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.766] WriteFile (in: hFile=0x45c, lpBuffer=0x12adaa00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12adaa00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.771] CloseHandle (hObject=0x45c) returned 1 [0270.771] CloseHandle (hObject=0x460) returned 1 [0270.771] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848e50 | out: pbBuffer=0x12848e50) returned 1 [0270.772] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\#_THIS_FILE_IS_ENCRYPTED_[B82BE786C4D2437C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\#_this_file_is_encrypted_[b82be786c4d2437c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.774] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.775] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.775] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xdd75384e, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x1b2)) returned 1 [0270.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88e00 | out: pbBuffer=0x12b88e00) returned 1 [0270.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848eb8 | out: pbBuffer=0x12848eb8) returned 1 [0270.775] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0270.782] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffb20, ulCount=0x10, ulNumEntriesRemoved=0x329ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffb20, ulNumEntriesRemoved=0x329ffb04) returned 0 [0270.782] SetEvent (hEvent=0x110) returned 1 [0270.782] SetEvent (hEvent=0x1b8) returned 1 [0270.782] ReadFile (in: hFile=0x460, lpBuffer=0x12d70000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d70000*, lpNumberOfBytesRead=0x12851d1c*=0x1b2, lpOverlapped=0x0) returned 1 [0270.785] GetFileType (hFile=0x460) returned 0x1 [0270.785] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.785] WriteFile (in: hFile=0x460, lpBuffer=0x12c2f180*, nNumberOfBytesToWrite=0x1b2, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12c2f180*, lpNumberOfBytesWritten=0x12851d00*=0x1b2, lpOverlapped=0x12851d0c) returned 1 [0270.785] GetFileType (hFile=0x460) returned 0x1 [0270.785] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x1b2, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0270.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0270.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0270.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849000 | out: pbBuffer=0x12849000) returned 1 [0270.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.787] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.787] WriteFile (in: hFile=0x45c, lpBuffer=0x12adaf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12adaf00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.793] CloseHandle (hObject=0x45c) returned 1 [0270.793] CloseHandle (hObject=0x460) returned 1 [0270.794] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849018 | out: pbBuffer=0x12849018) returned 1 [0270.794] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\#_THIS_FILE_IS_ENCRYPTED_[90CF80B1922A2D0B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\#_this_file_is_encrypted_[90cf80b1922a2d0b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.796] SetEvent (hEvent=0x3f8) returned 1 [0270.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.797] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.797] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65dad7a, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x122)) returned 1 [0270.797] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b89020 | out: pbBuffer=0x12b89020) returned 1 [0270.797] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849060 | out: pbBuffer=0x12849060) returned 1 [0270.797] ReadFile (in: hFile=0x460, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12851d1c*=0x122, lpOverlapped=0x0) returned 1 [0270.800] GetFileType (hFile=0x460) returned 0x1 [0270.800] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.800] WriteFile (in: hFile=0x460, lpBuffer=0x12a4e000*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a4e000*, lpNumberOfBytesWritten=0x12851d00*=0x122, lpOverlapped=0x12851d0c) returned 1 [0270.801] GetFileType (hFile=0x460) returned 0x1 [0270.801] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x122, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.801] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0270.801] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801481 | out: pbBuffer=0x12801481) returned 1 [0270.801] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0270.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849128 | out: pbBuffer=0x12849128) returned 1 [0270.802] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.802] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.802] WriteFile (in: hFile=0x45c, lpBuffer=0x12adb400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12adb400*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.810] CloseHandle (hObject=0x45c) returned 1 [0270.810] CloseHandle (hObject=0x460) returned 1 [0270.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9b88 | out: pbBuffer=0x128e9b88) returned 1 [0270.811] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\#_THIS_FILE_IS_ENCRYPTED_[89E00F392EB76107]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\#_this_file_is_encrypted_[89e00f392eb76107]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.812] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.813] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.813] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xa5c4b8fa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14a)) returned 1 [0270.814] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a997c0 | out: pbBuffer=0x12a997c0) returned 1 [0270.814] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9bd0 | out: pbBuffer=0x128e9bd0) returned 1 [0270.814] ReadFile (in: hFile=0x460, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12851d1c*=0x14a, lpOverlapped=0x0) returned 1 [0270.816] GetFileType (hFile=0x460) returned 0x1 [0270.816] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.816] WriteFile (in: hFile=0x460, lpBuffer=0x12884580*, nNumberOfBytesToWrite=0x14a, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12884580*, lpNumberOfBytesWritten=0x12851d00*=0x14a, lpOverlapped=0x12851d0c) returned 1 [0270.816] GetFileType (hFile=0x460) returned 0x1 [0270.816] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x14a, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.816] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0270.816] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0270.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0270.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9c88 | out: pbBuffer=0x128e9c88) returned 1 [0270.817] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.817] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.817] WriteFile (in: hFile=0x45c, lpBuffer=0x12c16000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c16000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.868] CloseHandle (hObject=0x45c) returned 1 [0270.868] CloseHandle (hObject=0x460) returned 1 [0270.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a158 | out: pbBuffer=0x12a9a158) returned 1 [0270.868] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\#_THIS_FILE_IS_ENCRYPTED_[A82A335760BB38FC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\#_this_file_is_encrypted_[a82a335760bb38fc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.870] SetEvent (hEvent=0x1d0) returned 1 [0270.870] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\search_{0633ee93-d776-472f-a0ff-e1416b8b2e3a}.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.871] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.871] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\search_{0633ee93-d776-472f-a0ff-e1416b8b2e3a}.ico"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfdcf51bf, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfdcf51bf, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfdcf655b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x10be)) returned 1 [0270.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0270.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1b0 | out: pbBuffer=0x12a9a1b0) returned 1 [0270.872] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf58ba333, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf58ba333, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0270.872] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0270.872] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf58ba333, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf58ba333, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf58ba333, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf58ba333, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c2ae40, ftCreationTime.dwHighDateTime=0x1d81f9d, ftLastAccessTime.dwLowDateTime=0x5d8e0480, ftLastAccessTime.dwHighDateTime=0x1d82851, ftLastWriteTime.dwLowDateTime=0x5d8e0480, ftLastWriteTime.dwHighDateTime=0x1d82851, nFileSizeHigh=0x0, nFileSizeLow=0x14945, dwReserved0=0x0, dwReserved1=0x0, cFileName="21IYDnRMwIe_qVIs.m4a", cAlternateFileName="21IYDN~1.M4A")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5f49a30, ftCreationTime.dwHighDateTime=0x1d81cc0, ftLastAccessTime.dwLowDateTime=0x5de5b5e0, ftLastAccessTime.dwHighDateTime=0x1d82108, ftLastWriteTime.dwLowDateTime=0x5de5b5e0, ftLastWriteTime.dwHighDateTime=0x1d82108, nFileSizeHigh=0x0, nFileSizeLow=0x837b, dwReserved0=0x0, dwReserved1=0x0, cFileName="3pvh7FV9PjIhmA0Ig.png", cAlternateFileName="3PVH7F~1.PNG")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c72cb20, ftCreationTime.dwHighDateTime=0x1d82187, ftLastAccessTime.dwLowDateTime=0x829a7690, ftLastAccessTime.dwHighDateTime=0x1d824d3, ftLastWriteTime.dwLowDateTime=0x829a7690, ftLastWriteTime.dwHighDateTime=0x1d824d3, nFileSizeHigh=0x0, nFileSizeLow=0xe1ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="5BAeAyZU.mp3", cAlternateFileName="")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46df5060, ftCreationTime.dwHighDateTime=0x1d826a1, ftLastAccessTime.dwLowDateTime=0x489af640, ftLastAccessTime.dwHighDateTime=0x1d82866, ftLastWriteTime.dwLowDateTime=0x489af640, ftLastWriteTime.dwHighDateTime=0x1d82866, nFileSizeHigh=0x0, nFileSizeLow=0x34aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="7J2VhS-EpUeH.avi", cAlternateFileName="7J2VHS~1.AVI")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5dd1ff0, ftCreationTime.dwHighDateTime=0x1d828ba, ftLastAccessTime.dwLowDateTime=0x95ab15f0, ftLastAccessTime.dwHighDateTime=0x1d829b0, ftLastWriteTime.dwLowDateTime=0x95ab15f0, ftLastWriteTime.dwHighDateTime=0x1d829b0, nFileSizeHigh=0x0, nFileSizeLow=0x23e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="a_j1jXljhzqhKZ2b.mkv", cAlternateFileName="A_J1JX~1.MKV")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a9a87a0, ftCreationTime.dwHighDateTime=0x1d81cb1, ftLastAccessTime.dwLowDateTime=0x9c22ae40, ftLastAccessTime.dwHighDateTime=0x1d82738, ftLastWriteTime.dwLowDateTime=0x9c22ae40, ftLastWriteTime.dwHighDateTime=0x1d82738, nFileSizeHigh=0x0, nFileSizeLow=0x5cd3, dwReserved0=0x0, dwReserved1=0x0, cFileName="bvR3SJZBn0Eg.m4a", cAlternateFileName="BVR3SJ~1.M4A")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27f32c50, ftCreationTime.dwHighDateTime=0x1d829bf, ftLastAccessTime.dwLowDateTime=0xaa935150, ftLastAccessTime.dwHighDateTime=0x1d829f4, ftLastWriteTime.dwLowDateTime=0xaa935150, ftLastWriteTime.dwHighDateTime=0x1d829f4, nFileSizeHigh=0x0, nFileSizeLow=0x2827, dwReserved0=0x0, dwReserved1=0x0, cFileName="cLctyo9dRfh 5ZmT.wav", cAlternateFileName="CLCTYO~1.WAV")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67aa8530, ftCreationTime.dwHighDateTime=0x1d81ba2, ftLastAccessTime.dwLowDateTime=0xbe7b9e30, ftLastAccessTime.dwHighDateTime=0x1d81f8a, ftLastWriteTime.dwLowDateTime=0xbe7b9e30, ftLastWriteTime.dwHighDateTime=0x1d81f8a, nFileSizeHigh=0x0, nFileSizeLow=0xf4ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="dkhx.xlsx", cAlternateFileName="DKHX~1.XLS")) returned 1 [0270.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5aebc130, ftCreationTime.dwHighDateTime=0x1d82997, ftLastAccessTime.dwLowDateTime=0x159be520, ftLastAccessTime.dwHighDateTime=0x1d829b4, ftLastWriteTime.dwLowDateTime=0x159be520, ftLastWriteTime.dwHighDateTime=0x1d829b4, nFileSizeHigh=0x0, nFileSizeLow=0x4f16, dwReserved0=0x0, dwReserved1=0x0, cFileName="ecMxh0OUCIsrss68.rtf", cAlternateFileName="ECMXH0~1.RTF")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66681ef0, ftCreationTime.dwHighDateTime=0x1d8250a, ftLastAccessTime.dwLowDateTime=0xda111580, ftLastAccessTime.dwHighDateTime=0x1d82796, ftLastWriteTime.dwLowDateTime=0xda111580, ftLastWriteTime.dwHighDateTime=0x1d82796, nFileSizeHigh=0x0, nFileSizeLow=0x919c, dwReserved0=0x0, dwReserved1=0x0, cFileName="FLIUZbRcCx2rfhc.gif", cAlternateFileName="FLIUZB~1.GIF")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e9ea420, ftCreationTime.dwHighDateTime=0x1d82007, ftLastAccessTime.dwLowDateTime=0xdab95c40, ftLastAccessTime.dwHighDateTime=0x1d827be, ftLastWriteTime.dwLowDateTime=0xdab95c40, ftLastWriteTime.dwHighDateTime=0x1d827be, nFileSizeHigh=0x0, nFileSizeLow=0x5acc, dwReserved0=0x0, dwReserved1=0x0, cFileName="FXCEn83AIhwhF.mp3", cAlternateFileName="FXCEN8~1.MP3")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x994c0400, ftCreationTime.dwHighDateTime=0x1d8258a, ftLastAccessTime.dwLowDateTime=0x678eee90, ftLastAccessTime.dwHighDateTime=0x1d82671, ftLastWriteTime.dwLowDateTime=0x678eee90, ftLastWriteTime.dwHighDateTime=0x1d82671, nFileSizeHigh=0x0, nFileSizeLow=0x8a14, dwReserved0=0x0, dwReserved1=0x0, cFileName="hGzhgTOVuGok5gYE.wav", cAlternateFileName="HGZHGT~1.WAV")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4add5d20, ftCreationTime.dwHighDateTime=0x1d829cf, ftLastAccessTime.dwLowDateTime=0x307850, ftLastAccessTime.dwHighDateTime=0x1d82a26, ftLastWriteTime.dwLowDateTime=0x307850, ftLastWriteTime.dwHighDateTime=0x1d82a26, nFileSizeHigh=0x0, nFileSizeLow=0x9947, dwReserved0=0x0, dwReserved1=0x0, cFileName="IgjPP1x0rd-DVHI.mkv", cAlternateFileName="IGJPP1~1.MKV")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c61bdc0, ftCreationTime.dwHighDateTime=0x1d8205a, ftLastAccessTime.dwLowDateTime=0x68943180, ftLastAccessTime.dwHighDateTime=0x1d8246c, ftLastWriteTime.dwLowDateTime=0x68943180, ftLastWriteTime.dwHighDateTime=0x1d8246c, nFileSizeHigh=0x0, nFileSizeLow=0xff5f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Jwhu1_gJHqISsw8e KXE.png", cAlternateFileName="JWHU1_~1.PNG")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa068a40, ftCreationTime.dwHighDateTime=0x1d8274c, ftLastAccessTime.dwLowDateTime=0x1724d570, ftLastAccessTime.dwHighDateTime=0x1d829bc, ftLastWriteTime.dwLowDateTime=0x1724d570, ftLastWriteTime.dwHighDateTime=0x1d829bc, nFileSizeHigh=0x0, nFileSizeLow=0x78a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LDiB.jpg", cAlternateFileName="")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cfd5c60, ftCreationTime.dwHighDateTime=0x1d8248a, ftLastAccessTime.dwLowDateTime=0x5e404c20, ftLastAccessTime.dwHighDateTime=0x1d829d3, ftLastWriteTime.dwLowDateTime=0x5e404c20, ftLastWriteTime.dwHighDateTime=0x1d829d3, nFileSizeHigh=0x0, nFileSizeLow=0x12baa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LTG-ijW6S.ots", cAlternateFileName="LTG-IJ~1.OTS")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3625990, ftCreationTime.dwHighDateTime=0x1d823cb, ftLastAccessTime.dwLowDateTime=0xbb55f3d0, ftLastAccessTime.dwHighDateTime=0x1d82904, ftLastWriteTime.dwLowDateTime=0xbb55f3d0, ftLastWriteTime.dwHighDateTime=0x1d82904, nFileSizeHigh=0x0, nFileSizeLow=0x90d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="mhliFoX1.mkv", cAlternateFileName="")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa92f1c4e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f1c4e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3e02490, ftCreationTime.dwHighDateTime=0x1d82962, ftLastAccessTime.dwLowDateTime=0x1aa1aa50, ftLastAccessTime.dwHighDateTime=0x1d82973, ftLastWriteTime.dwLowDateTime=0x1aa1aa50, ftLastWriteTime.dwHighDateTime=0x1d82973, nFileSizeHigh=0x0, nFileSizeLow=0x38f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="n5m8aNivzz.mkv", cAlternateFileName="N5M8AN~1.MKV")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74fc0e0, ftCreationTime.dwHighDateTime=0x1d82525, ftLastAccessTime.dwLowDateTime=0x81374d00, ftLastAccessTime.dwHighDateTime=0x1d82758, ftLastWriteTime.dwLowDateTime=0x81374d00, ftLastWriteTime.dwHighDateTime=0x1d82758, nFileSizeHigh=0x0, nFileSizeLow=0xc158, dwReserved0=0x0, dwReserved1=0x0, cFileName="nWxBib8foQhMc2j.flv", cAlternateFileName="NWXBIB~1.FLV")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f3beba0, ftCreationTime.dwHighDateTime=0x1d82026, ftLastAccessTime.dwLowDateTime=0xdcf2c8d0, ftLastAccessTime.dwHighDateTime=0x1d8292f, ftLastWriteTime.dwLowDateTime=0xdcf2c8d0, ftLastWriteTime.dwHighDateTime=0x1d8292f, nFileSizeHigh=0x0, nFileSizeLow=0x17aa4, dwReserved0=0x0, dwReserved1=0x0, cFileName="oAgMN9U_p8BUTqAW1.flv", cAlternateFileName="OAGMN9~1.FLV")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefbb2e20, ftCreationTime.dwHighDateTime=0x1d819e0, ftLastAccessTime.dwLowDateTime=0x1602f390, ftLastAccessTime.dwHighDateTime=0x1d8211d, ftLastWriteTime.dwLowDateTime=0x1602f390, ftLastWriteTime.dwHighDateTime=0x1d8211d, nFileSizeHigh=0x0, nFileSizeLow=0xf3c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="P30eaW83bz2S.avi", cAlternateFileName="P30EAW~1.AVI")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fb68ce0, ftCreationTime.dwHighDateTime=0x1d82745, ftLastAccessTime.dwLowDateTime=0xbb8a3b50, ftLastAccessTime.dwHighDateTime=0x1d828e5, ftLastWriteTime.dwLowDateTime=0xbb8a3b50, ftLastWriteTime.dwHighDateTime=0x1d828e5, nFileSizeHigh=0x0, nFileSizeLow=0x129de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Q5eVjwVDQ-QV4U.flv", cAlternateFileName="Q5EVJW~1.FLV")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa17c6f0, ftCreationTime.dwHighDateTime=0x1d8270d, ftLastAccessTime.dwLowDateTime=0x8d18b340, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0x8d18b340, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x2ac1, dwReserved0=0x0, dwReserved1=0x0, cFileName="qKzW8J3AvmRUdsVCGgRU.flv", cAlternateFileName="QKZW8J~1.FLV")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdff83b90, ftCreationTime.dwHighDateTime=0x1d82548, ftLastAccessTime.dwLowDateTime=0x889af920, ftLastAccessTime.dwHighDateTime=0x1d82587, ftLastWriteTime.dwLowDateTime=0x889af920, ftLastWriteTime.dwHighDateTime=0x1d82587, nFileSizeHigh=0x0, nFileSizeLow=0x7016, dwReserved0=0x0, dwReserved1=0x0, cFileName="rwD ndsTii9UVozcMJde.m4a", cAlternateFileName="RWDNDS~1.M4A")) returned 1 [0270.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0b74e0, ftCreationTime.dwHighDateTime=0x1d82519, ftLastAccessTime.dwLowDateTime=0x85786310, ftLastAccessTime.dwHighDateTime=0x1d8269d, ftLastWriteTime.dwLowDateTime=0x85786310, ftLastWriteTime.dwHighDateTime=0x1d8269d, nFileSizeHigh=0x0, nFileSizeLow=0x2e7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sjuc5sYc0YTyforNdTl.wav", cAlternateFileName="SJUC5S~1.WAV")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63a03a50, ftCreationTime.dwHighDateTime=0x1d81cd0, ftLastAccessTime.dwLowDateTime=0x2cab68f0, ftLastAccessTime.dwHighDateTime=0x1d82287, ftLastWriteTime.dwLowDateTime=0x2cab68f0, ftLastWriteTime.dwHighDateTime=0x1d82287, nFileSizeHigh=0x0, nFileSizeLow=0xa847, dwReserved0=0x0, dwReserved1=0x0, cFileName="snc6GkKAD0HvXm.ods", cAlternateFileName="SNC6GK~1.ODS")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb836fdb0, ftCreationTime.dwHighDateTime=0x1d8204a, ftLastAccessTime.dwLowDateTime=0x8eb3ec40, ftLastAccessTime.dwHighDateTime=0x1d823f7, ftLastWriteTime.dwLowDateTime=0x8eb3ec40, ftLastWriteTime.dwHighDateTime=0x1d823f7, nFileSizeHigh=0x0, nFileSizeLow=0x16153, dwReserved0=0x0, dwReserved1=0x0, cFileName="t5Wg.jpg", cAlternateFileName="")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2402d7b0, ftCreationTime.dwHighDateTime=0x1d8209d, ftLastAccessTime.dwLowDateTime=0xa73b2390, ftLastAccessTime.dwHighDateTime=0x1d8210a, ftLastWriteTime.dwLowDateTime=0xa73b2390, ftLastWriteTime.dwHighDateTime=0x1d8210a, nFileSizeHigh=0x0, nFileSizeLow=0x1751d, dwReserved0=0x0, dwReserved1=0x0, cFileName="u0lRKxoZGIPaUd7o.pdf", cAlternateFileName="U0LRKX~1.PDF")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5641f90, ftCreationTime.dwHighDateTime=0x1d81d46, ftLastAccessTime.dwLowDateTime=0xdbfe1fc0, ftLastAccessTime.dwHighDateTime=0x1d81e93, ftLastWriteTime.dwLowDateTime=0xdbfe1fc0, ftLastWriteTime.dwHighDateTime=0x1d81e93, nFileSizeHigh=0x0, nFileSizeLow=0x15555, dwReserved0=0x0, dwReserved1=0x0, cFileName="uja38dNRQ.jpg", cAlternateFileName="UJA38D~1.JPG")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d00b810, ftCreationTime.dwHighDateTime=0x1d82857, ftLastAccessTime.dwLowDateTime=0x2d3de490, ftLastAccessTime.dwHighDateTime=0x1d82990, ftLastWriteTime.dwLowDateTime=0x2d3de490, ftLastWriteTime.dwHighDateTime=0x1d82990, nFileSizeHigh=0x0, nFileSizeLow=0x5f35, dwReserved0=0x0, dwReserved1=0x0, cFileName="v1Mp.docx", cAlternateFileName="V1MP~1.DOC")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19174ec0, ftCreationTime.dwHighDateTime=0x1d819e6, ftLastAccessTime.dwLowDateTime=0x39057a30, ftLastAccessTime.dwHighDateTime=0x1d826c6, ftLastWriteTime.dwLowDateTime=0x39057a30, ftLastWriteTime.dwHighDateTime=0x1d826c6, nFileSizeHigh=0x0, nFileSizeLow=0x86b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="vBuf95Nf11PMfowkk0S.gif", cAlternateFileName="VBUF95~1.GIF")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f427400, ftCreationTime.dwHighDateTime=0x1d8235d, ftLastAccessTime.dwLowDateTime=0x12deea20, ftLastAccessTime.dwHighDateTime=0x1d82816, ftLastWriteTime.dwLowDateTime=0x12deea20, ftLastWriteTime.dwHighDateTime=0x1d82816, nFileSizeHigh=0x0, nFileSizeLow=0xac5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wdfs3 7GvEWFI t1ECJ.avi", cAlternateFileName="WDFS37~1.AVI")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc6939a0, ftCreationTime.dwHighDateTime=0x1d82883, ftLastAccessTime.dwLowDateTime=0x4b5289a0, ftLastAccessTime.dwHighDateTime=0x1d828bd, ftLastWriteTime.dwLowDateTime=0x4b5289a0, ftLastWriteTime.dwHighDateTime=0x1d828bd, nFileSizeHigh=0x0, nFileSizeLow=0x2440, dwReserved0=0x0, dwReserved1=0x0, cFileName="WLbrJ.gif", cAlternateFileName="")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b55e300, ftCreationTime.dwHighDateTime=0x1d819df, ftLastAccessTime.dwLowDateTime=0x9f180a0, ftLastAccessTime.dwHighDateTime=0x1d824cc, ftLastWriteTime.dwLowDateTime=0x9f180a0, ftLastWriteTime.dwHighDateTime=0x1d824cc, nFileSizeHigh=0x0, nFileSizeLow=0x179f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="x8AKx9IC.mp4", cAlternateFileName="")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773ec060, ftCreationTime.dwHighDateTime=0x1d82714, ftLastAccessTime.dwLowDateTime=0xb68acd90, ftLastAccessTime.dwHighDateTime=0x1d829bc, ftLastWriteTime.dwLowDateTime=0xb68acd90, ftLastWriteTime.dwHighDateTime=0x1d829bc, nFileSizeHigh=0x0, nFileSizeLow=0x5703, dwReserved0=0x0, dwReserved1=0x0, cFileName="Xydkzt3iLwEfQ.avi", cAlternateFileName="XYDKZT~1.AVI")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1165b80, ftCreationTime.dwHighDateTime=0x1d81b93, ftLastAccessTime.dwLowDateTime=0xf54b6fc0, ftLastAccessTime.dwHighDateTime=0x1d81e23, ftLastWriteTime.dwLowDateTime=0xf54b6fc0, ftLastWriteTime.dwHighDateTime=0x1d81e23, nFileSizeHigh=0x0, nFileSizeLow=0x1169d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ywbUJcs-.mp3", cAlternateFileName="")) returned 1 [0270.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0270.876] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0270.876] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0270.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0270.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.877] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0270.877] WriteFile (in: hFile=0x45c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0270.879] CloseHandle (hObject=0x45c) returned 1 [0270.879] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\21IYDnRMwIe_qVIs.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\21iydnrmwie_qvis.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c2ae40, ftCreationTime.dwHighDateTime=0x1d81f9d, ftLastAccessTime.dwLowDateTime=0x5d8e0480, ftLastAccessTime.dwHighDateTime=0x1d82851, ftLastWriteTime.dwLowDateTime=0x5d8e0480, ftLastWriteTime.dwHighDateTime=0x1d82851, nFileSizeHigh=0x0, nFileSizeLow=0x14945)) returned 1 [0270.879] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0270.893] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0270.916] SetEvent (hEvent=0x1b8) returned 1 [0270.916] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\3pvh7FV9PjIhmA0Ig.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\3pvh7fv9pjihma0ig.png"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5f49a30, ftCreationTime.dwHighDateTime=0x1d81cc0, ftLastAccessTime.dwLowDateTime=0x5de5b5e0, ftLastAccessTime.dwHighDateTime=0x1d82108, ftLastWriteTime.dwLowDateTime=0x5de5b5e0, ftLastWriteTime.dwHighDateTime=0x1d82108, nFileSizeHigh=0x0, nFileSizeLow=0x837b)) returned 1 [0270.916] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0270.986] SetEvent (hEvent=0x40c) returned 1 [0270.986] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0271.231] SetEvent (hEvent=0x19c) returned 1 [0271.231] SwitchToThread () returned 1 [0271.240] SetEvent (hEvent=0x1b8) returned 1 [0271.240] SetEvent (hEvent=0x19c) returned 1 [0271.240] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0271.257] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0272.227] SetEvent (hEvent=0x1b8) returned 1 [0272.227] SetEvent (hEvent=0xfc) returned 1 [0272.227] SetEvent (hEvent=0x19c) returned 1 [0272.227] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0272.229] SetEvent (hEvent=0x1b8) returned 1 [0272.229] SetEvent (hEvent=0x1d0) returned 1 [0272.229] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0272.239] SetEvent (hEvent=0x1b8) returned 1 [0272.239] SetEvent (hEvent=0x19c) returned 1 [0272.239] SetEvent (hEvent=0x40c) returned 1 [0272.239] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0272.474] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0272.527] SetEvent (hEvent=0x1d0) returned 1 [0272.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed06d2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed06d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b432832, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8)) returned 1 [0272.549] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0272.578] SetEvent (hEvent=0x1d0) returned 1 [0272.578] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed2ca5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed2ca5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b500917, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x54256)) returned 1 [0272.601] SetEvent (hEvent=0x19c) returned 1 [0272.601] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\credentials"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.602] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\credentials"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.602] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0272.602] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.602] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.602] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0272.602] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\credentials\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.602] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\credentials\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.602] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\credentials\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.605] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0272.605] WriteFile (in: hFile=0x460, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0272.607] CloseHandle (hObject=0x460) returned 1 [0272.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x816a7a21, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.611] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0272.634] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.634] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x816a7a21, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816a7a21, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0272.635] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x816a7a21, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816a7a21, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.635] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0272.635] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.635] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0272.635] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.635] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.635] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.637] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0272.637] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0272.638] CloseHandle (hObject=0x42c) returned 1 [0272.638] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.639] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.639] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0272.639] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.639] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 1 [0272.639] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.639] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0272.640] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.640] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.640] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.641] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0272.641] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0272.643] CloseHandle (hObject=0x42c) returned 1 [0272.643] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x817190ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x817190ef, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.644] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.644] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x817190ef, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0272.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x817190ef, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x817190ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x817190ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5ca4c63b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 1 [0272.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.644] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0272.644] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.645] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.645] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.646] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0272.646] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0272.647] CloseHandle (hObject=0x42c) returned 1 [0272.648] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x817190ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x817190ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5ca4c63b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7)) returned 1 [0272.648] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f1c4e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x934f7bb4, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x934f7bb4, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.649] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f1c4e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x934f7bb4, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0272.649] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f1c4e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x934f7bb4, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.649] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x934f7bb4, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x934f7bb4, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x934f7bb4, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 1 [0272.649] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.649] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0272.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.649] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.650] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.651] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0272.651] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0272.652] CloseHandle (hObject=0x42c) returned 1 [0272.652] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\xlstart"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x934f7bb4, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x934f7bb4, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x934f7bb4, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.653] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\xlstart"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.653] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x934f7bb4, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x934f7bb4, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x934f7bb4, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0272.653] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x934f7bb4, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x934f7bb4, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x934f7bb4, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.653] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.653] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0272.654] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\xlstart\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\xlstart\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\xlstart\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.656] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0272.656] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0272.658] CloseHandle (hObject=0x42c) returned 1 [0272.658] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.658] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.658] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0272.659] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.659] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6654de95, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0272.659] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 1 [0272.659] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.659] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0272.659] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.659] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.660] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.670] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0272.698] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0272.698] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0272.711] CloseHandle (hObject=0x42c) returned 1 [0272.711] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6654de95, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0272.712] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.712] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6654de95, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0272.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6654de95, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x9ee78381, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x94, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0272.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6654de95, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6657eabb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x51b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Outlook.lnk", cAlternateFileName="MICROS~1.LNK")) returned 1 [0272.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x251fff9e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0272.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3fec53d2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xad13dd79, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad13dd79, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0272.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d02d92b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d02d92b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0272.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.722] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0272.723] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.723] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.723] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.725] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0272.726] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0272.727] CloseHandle (hObject=0x42c) returned 1 [0272.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\microsoft outlook.lnk"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6654de95, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6657eabb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x51b)) returned 1 [0272.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x251fff9e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x160)) returned 1 [0272.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3fec53d2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xad13dd79, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad13dd79, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.729] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.729] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3fec53d2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xad13dd79, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad13dd79, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0272.729] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3fec53d2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xad13dd79, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad13dd79, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.729] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43708645, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0272.729] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad13dd79, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0272.729] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.729] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0272.729] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.730] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.730] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0272.770] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0272.770] WriteFile (in: hFile=0x44c, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0272.771] CloseHandle (hObject=0x44c) returned 1 [0272.780] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43708645, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.781] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43708645, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0272.781] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43708645, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.781] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.781] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0272.781] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.781] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.781] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.785] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0272.785] WriteFile (in: hFile=0x460, lpBuffer=0x12b23300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12b23300*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0272.787] CloseHandle (hObject=0x460) returned 1 [0272.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad13dd79, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.789] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.790] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad13dd79, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0272.790] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad13dd79, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.790] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xad164063, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x53, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0272.790] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad164063, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x252988fc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0x0, dwReserved1=0x0, cFileName="File Explorer.lnk", cAlternateFileName="FILEEX~1.LNK")) returned 1 [0272.790] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.790] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0272.790] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.790] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.791] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.793] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0272.793] WriteFile (in: hFile=0x460, lpBuffer=0x12b24600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12b24600*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0272.795] CloseHandle (hObject=0x460) returned 1 [0272.797] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\file explorer.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad164063, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x252988fc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x197)) returned 1 [0272.798] SetEvent (hEvent=0x1b8) returned 1 [0272.798] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xad164063, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x53)) returned 1 [0272.798] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d02d92b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d02d92b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e)) returned 1 [0272.808] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x9ee78381, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x94)) returned 1 [0272.808] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.809] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.809] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0272.809] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.809] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0272.809] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.809] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0272.810] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.810] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.810] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0272.811] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0272.811] WriteFile (in: hFile=0x45c, lpBuffer=0x12b25900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b25900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0272.813] CloseHandle (hObject=0x45c) returned 1 [0272.813] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.813] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.813] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0272.813] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.814] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.814] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0272.823] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.823] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.823] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.824] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0272.824] WriteFile (in: hFile=0x42c, lpBuffer=0x12b26c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12b26c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0272.825] CloseHandle (hObject=0x42c) returned 1 [0272.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\mmc"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.826] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\mmc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.826] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0272.826] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.826] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.827] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0272.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\mmc\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\mmc\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\mmc\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.828] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0272.828] WriteFile (in: hFile=0x42c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0272.829] CloseHandle (hObject=0x42c) returned 1 [0272.830] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.842] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.843] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0272.843] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.843] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0272.843] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.843] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0272.843] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.843] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.844] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.845] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0272.845] WriteFile (in: hFile=0x460, lpBuffer=0x12b11300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12b11300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0272.846] CloseHandle (hObject=0x460) returned 1 [0272.847] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.847] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.847] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0272.847] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.848] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pbk", cAlternateFileName="")) returned 1 [0272.848] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.848] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0272.848] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.848] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.848] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.850] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0272.850] WriteFile (in: hFile=0x460, lpBuffer=0x12b12600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b12600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0272.851] CloseHandle (hObject=0x460) returned 1 [0272.852] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.852] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.852] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0272.852] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.852] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 1 [0272.853] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.853] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0272.853] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.853] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.853] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.855] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0272.855] WriteFile (in: hFile=0x460, lpBuffer=0x12b13900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12b13900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0272.857] CloseHandle (hObject=0x460) returned 1 [0272.857] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.858] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0272.858] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0272.858] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.858] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 1 [0272.858] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0272.859] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0272.859] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0272.859] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0272.859] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.860] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0272.860] WriteFile (in: hFile=0x460, lpBuffer=0x12b14c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12b14c00*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0272.863] CloseHandle (hObject=0x460) returned 1 [0272.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.863] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.864] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0272.864] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x9ee78381, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x94)) returned 1 [0272.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98700 | out: pbBuffer=0x12a98700) returned 1 [0272.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8ff0 | out: pbBuffer=0x128e8ff0) returned 1 [0272.865] ReadFile (in: hFile=0x460, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12a5fd1c*=0x94, lpOverlapped=0x0) returned 1 [0272.867] GetFileType (hFile=0x460) returned 0x1 [0272.867] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0272.867] WriteFile (in: hFile=0x460, lpBuffer=0x12afa960*, nNumberOfBytesToWrite=0x94, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12afa960*, lpNumberOfBytesWritten=0x12a5fd00*=0x94, lpOverlapped=0x12a5fd0c) returned 1 [0272.867] GetFileType (hFile=0x460) returned 0x1 [0272.867] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x94, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0272.867] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0272.867] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0272.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0272.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e90a8 | out: pbBuffer=0x128e90a8) returned 1 [0272.868] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0272.869] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0272.869] WriteFile (in: hFile=0x45c, lpBuffer=0x12ac4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac4000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0272.906] CloseHandle (hObject=0x45c) returned 1 [0272.906] CloseHandle (hObject=0x460) returned 1 [0272.906] SwitchToThread () returned 1 [0272.909] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0272.980] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.023] SetEvent (hEvent=0x19c) returned 1 [0273.023] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661c6965, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x877953e5, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x877953e5, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.030] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.030] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661c6965, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x877953e5, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0273.030] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661c6965, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x877953e5, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.031] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6abbe5b6, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6abbe5b6, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6acd6e90, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook.srs", cAlternateFileName="")) returned 1 [0273.031] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x877953e5, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x877953e5, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x87797b5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x956, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 1 [0273.031] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.031] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0273.031] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.031] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.031] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.033] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0273.033] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0273.035] CloseHandle (hObject=0x44c) returned 1 [0273.035] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6abbe5b6, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6abbe5b6, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6acd6e90, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0xa00)) returned 1 [0273.037] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.070] SetEvent (hEvent=0x19c) returned 1 [0273.070] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0273.071] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0273.071] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x877953e5, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x877953e5, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x87797b5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x956)) returned 1 [0273.071] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0273.071] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0273.072] ReadFile (in: hFile=0x45c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x956, lpOverlapped=0x0) returned 1 [0273.085] GetFileType (hFile=0x45c) returned 0x1 [0273.085] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.085] WriteFile (in: hFile=0x45c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x956, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x1282fd00*=0x956, lpOverlapped=0x1282fd0c) returned 1 [0273.085] GetFileType (hFile=0x45c) returned 0x1 [0273.085] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x956, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0273.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0273.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0273.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0273.086] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.086] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0273.086] WriteFile (in: hFile=0x44c, lpBuffer=0x12a94000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.087] CloseHandle (hObject=0x44c) returned 1 [0273.087] CloseHandle (hObject=0x45c) returned 1 [0273.087] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0273.087] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\#_THIS_FILE_IS_ENCRYPTED_[FFB9A6525E5A5D47]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\#_this_file_is_encrypted_[ffb9a6525e5a5d47]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.194] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.208] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0273.209] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.210] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\synchist"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xa563624b, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x4c)) returned 1 [0273.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0273.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0273.210] ReadFile (in: hFile=0x458, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12853d1c*=0x4c, lpOverlapped=0x0) returned 1 [0273.211] GetFileType (hFile=0x458) returned 0x1 [0273.211] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.211] WriteFile (in: hFile=0x458, lpBuffer=0x12814140*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12814140*, lpNumberOfBytesWritten=0x12853d00*=0x4c, lpOverlapped=0x12853d0c) returned 1 [0273.212] GetFileType (hFile=0x458) returned 0x1 [0273.212] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x4c, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0273.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0273.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0273.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0273.212] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0273.213] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0273.213] WriteFile (in: hFile=0x45c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.213] CloseHandle (hObject=0x45c) returned 1 [0273.213] CloseHandle (hObject=0x458) returned 1 [0273.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0273.213] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\synchist"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\#_THIS_FILE_IS_ENCRYPTED_[B79C865A355CD452]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\#_this_file_is_encrypted_[b79c865a355cd452]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.228] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.249] SetEvent (hEvent=0xf4) returned 1 [0273.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.dic" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0273.250] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0273.250] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.dic" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.dic"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5648e4eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5648e4eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5648e4eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2)) returned 1 [0273.251] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0273.251] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0273.251] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x2, lpOverlapped=0x0) returned 1 [0273.252] GetFileType (hFile=0x458) returned 0x1 [0273.252] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.252] WriteFile (in: hFile=0x458, lpBuffer=0x128e8128*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x128e8128*, lpNumberOfBytesWritten=0x1282fd00*=0x2, lpOverlapped=0x1282fd0c) returned 1 [0273.253] GetFileType (hFile=0x458) returned 0x1 [0273.253] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0273.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0273.257] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0273.257] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8370 | out: pbBuffer=0x128e8370) returned 1 [0273.257] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.dic" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.dic"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.258] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0273.258] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.258] CloseHandle (hObject=0x44c) returned 1 [0273.366] CloseHandle (hObject=0x458) returned 1 [0273.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34128 | out: pbBuffer=0x12c34128) returned 1 [0273.403] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.dic" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.dic"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\#_THIS_FILE_IS_ENCRYPTED_[BB448BBB321F6AAF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\#_this_file_is_encrypted_[bb448bbb321f6aaf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.575] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980694ab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980694ab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80545900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0xe1c0f)) returned 1 [0273.622] SetEvent (hEvent=0xfc) returned 1 [0273.622] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9818a945, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9818a945, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xba712b00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0xec122)) returned 1 [0273.669] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0273.692] SetEvent (hEvent=0x1b8) returned 1 [0273.692] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fbbf10, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97fbbf10, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc65ced00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x125f51)) returned 1 [0274.152] SetEvent (hEvent=0x40c) returned 1 [0274.152] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980b633e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980b633e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80545900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x76cc4)) returned 1 [0274.206] SetEvent (hEvent=0xfc) returned 1 [0274.206] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978145cc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978145cc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc65ced00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0xee481)) returned 1 [0274.281] SetEvent (hEvent=0x110) returned 1 [0274.281] SetEvent (hEvent=0x1d0) returned 1 [0274.281] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984c4fd2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984c4fd2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xdd034400, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x165552)) returned 1 [0274.331] SetEvent (hEvent=0x1b8) returned 1 [0274.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x982f049f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x982f049f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5c911300, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x21dbbf)) returned 1 [0274.395] SetEvent (hEvent=0x40c) returned 1 [0274.396] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98ab2749, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98ab2749, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc68a00, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x1ab70b)) returned 1 [0274.447] SetEvent (hEvent=0xfc) returned 1 [0274.448] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x981588c3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x981588c3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x2358a300, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x2c9ecd)) returned 1 [0274.542] SetEvent (hEvent=0x1d0) returned 1 [0274.542] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9852435b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9852435b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9cf09100, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x23f73b)) returned 1 [0274.589] SetEvent (hEvent=0x1b8) returned 1 [0274.589] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9800b4e9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9800b4e9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4f742400, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x371abc)) returned 1 [0274.637] SetEvent (hEvent=0x40c) returned 1 [0274.637] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98742454, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98742454, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x973bdf00, ftLastWriteTime.dwHighDateTime=0x1d4196d, nFileSizeHigh=0x0, nFileSizeLow=0x10a79d)) returned 1 [0274.667] SetEvent (hEvent=0xf4) returned 1 [0274.668] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9860260f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9860260f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x235700, ftLastWriteTime.dwHighDateTime=0x1d4196e, nFileSizeHigh=0x0, nFileSizeLow=0x9477a)) returned 1 [0274.719] SetEvent (hEvent=0x1d0) returned 1 [0274.719] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0274.726] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0274.726] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*", lpFindFileData=0x128577d8 | out: lpFindFileData=0x128577d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0274.726] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0274.726] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c48439, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c48439, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0274.726] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0274.726] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0274.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128574a0 | out: lpFileInformation=0x128574a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0274.727] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0274.727] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.728] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128576b0 | out: lpMode=0x128576b0) returned 0 [0274.728] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128576b0, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128576b0*=0x118a, lpOverlapped=0x0) returned 1 [0274.730] CloseHandle (hObject=0x42c) returned 1 [0274.730] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c48439, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c48439, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0274.730] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0274.730] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c48439, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c48439, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0274.741] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c48439, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c48439, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0274.745] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97837aab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97837aab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97837aab, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1697, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328884[[fn=architecture]].glox", cAlternateFileName="TM0332~4.GLO")) returned 1 [0274.745] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fe91ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97fe91ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97fea554, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xfba, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328893[[fn=BracketList]].glox", cAlternateFileName="TME5C2~1.GLO")) returned 1 [0274.745] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9776d1cd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9776d1cd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9776d1cd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1093, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328905[[fn=Chevron Accent]].glox", cAlternateFileName="TM0332~2.GLO")) returned 1 [0274.745] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97706a49, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97706a49, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97707caf, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x41a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328908[[fn=Circle Process]].glox", cAlternateFileName="TM0332~1.GLO")) returned 1 [0274.745] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97de9b8d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97de9b8d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97deae93, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c74, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328916[[fn=Converging Text]].glox", cAlternateFileName="TMF131~1.GLO")) returned 1 [0274.745] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98433dab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98433dab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98435131, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1788, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328919[[fn=Hexagon Radial]].glox", cAlternateFileName="TM6EE1~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98403091, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98403091, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98404408, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x23e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328925[[fn=Interconnected Block Process]].glox", cAlternateFileName="TM5FE4~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984400fa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984400fa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x984400fa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x10e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328932[[fn=Picture Frame]].glox", cAlternateFileName="TMD322~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980f6e44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980f6e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980f6e44, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1cca, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328935[[fn=Picture Organization Chart]].glox", cAlternateFileName="TMB8BB~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9824557b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9824557b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9824557b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x15dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328940[[fn=Radial Picture List]].glox", cAlternateFileName="TMC309~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978020a2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978020a2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x978034d1, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328951[[fn=Tabbed Arc]].glox", cAlternateFileName="TM0332~3.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983aecac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983aecac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983affea, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1318, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328972[[fn=Tab List]].glox", cAlternateFileName="TM2A4A~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983bfdac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983bfdac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983bfdac, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1930, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328975[[fn=Theme Picture Accent]].glox", cAlternateFileName="TM8247~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98c45cf1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c45cf1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c47043, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x15fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328983[[fn=Theme Picture Alternating Accent]].glox", cAlternateFileName="TM8366~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9879b688, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9879b688, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9879b688, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1831, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328986[[fn=Theme Picture Grid]].glox", cAlternateFileName="TM02CE~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98ad5311, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98ad5311, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98ad5311, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc03, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328990[[fn=Varying Width List]].glox", cAlternateFileName="TM6E5C~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98913495, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98913495, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98913495, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x141f, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03328998[[fn=Rings]].glox", cAlternateFileName="TM5448~1.GLO")) returned 1 [0274.746] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0274.746] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0274.748] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0274.749] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0274.750] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.751] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0274.751] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0274.753] CloseHandle (hObject=0x42c) returned 1 [0274.753] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97837aab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97837aab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97837aab, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1697)) returned 1 [0274.753] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0274.773] SetEvent (hEvent=0x3f8) returned 1 [0274.773] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fe91ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97fe91ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97fea554, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xfba)) returned 1 [0274.774] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0274.794] SetEvent (hEvent=0x3f8) returned 1 [0274.795] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97706a49, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97706a49, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97707caf, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x41a6)) returned 1 [0274.795] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0274.814] SetEvent (hEvent=0x3f8) returned 1 [0274.814] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98433dab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98433dab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98435131, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1788)) returned 1 [0274.815] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0274.856] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0274.862] SetEvent (hEvent=0x40c) returned 1 [0274.862] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0274.867] SetEvent (hEvent=0x40c) returned 1 [0274.867] SetEvent (hEvent=0x19c) returned 1 [0274.867] SwitchToThread () returned 1 [0274.907] SwitchToThread () returned 1 [0274.915] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0274.929] SetEvent (hEvent=0x19c) returned 1 [0274.930] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.931] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0274.931] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984400fa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984400fa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x984400fa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x10e6)) returned 1 [0274.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0274.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0274.931] ReadFile (in: hFile=0x45c, lpBuffer=0x12b56000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b56000*, lpNumberOfBytesRead=0x12a5fd1c*=0x10e6, lpOverlapped=0x0) returned 1 [0274.936] GetFileType (hFile=0x45c) returned 0x1 [0274.936] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0274.936] WriteFile (in: hFile=0x45c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x10e6, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12a5fd00*=0x10e6, lpOverlapped=0x12a5fd0c) returned 1 [0274.936] GetFileType (hFile=0x45c) returned 0x1 [0274.936] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x10e6, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0274.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0274.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0274.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0274.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0274.937] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0274.937] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0274.937] WriteFile (in: hFile=0x44c, lpBuffer=0x12a76000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0274.937] CloseHandle (hObject=0x44c) returned 1 [0274.962] CloseHandle (hObject=0x45c) returned 1 [0274.968] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0274.968] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[BF5905A789F94108]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[bf5905a789f94108]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.034] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0275.037] SetEvent (hEvent=0x19c) returned 1 [0275.037] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.038] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978020a2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978020a2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x978034d1, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xe63)) returned 1 [0275.038] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0275.038] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0275.038] ReadFile (in: hFile=0x45c, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12853d1c*=0xe63, lpOverlapped=0x0) returned 1 [0275.045] GetFileType (hFile=0x45c) returned 0x1 [0275.045] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.045] WriteFile (in: hFile=0x45c, lpBuffer=0x12859000*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12859000*, lpNumberOfBytesWritten=0x12853d00*=0xe63, lpOverlapped=0x12853d0c) returned 1 [0275.046] GetFileType (hFile=0x45c) returned 0x1 [0275.046] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xe63, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0275.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0275.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0275.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0275.047] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.047] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.047] WriteFile (in: hFile=0x44c, lpBuffer=0x12a76500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76500*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.047] CloseHandle (hObject=0x44c) returned 1 [0275.054] CloseHandle (hObject=0x45c) returned 1 [0275.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0275.056] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[5846C84BF54FF826]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[5846c84bf54ff826]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.201] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0275.204] SetEvent (hEvent=0x19c) returned 1 [0275.204] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.205] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.206] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98c45cf1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c45cf1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c47043, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x15fe)) returned 1 [0275.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928da0 | out: pbBuffer=0x12928da0) returned 1 [0275.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35008 | out: pbBuffer=0x12c35008) returned 1 [0275.206] ReadFile (in: hFile=0x45c, lpBuffer=0x129f6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f6000*, lpNumberOfBytesRead=0x12829d1c*=0x15fe, lpOverlapped=0x0) returned 1 [0275.209] GetFileType (hFile=0x45c) returned 0x1 [0275.209] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.210] WriteFile (in: hFile=0x45c, lpBuffer=0x12a36000*, nNumberOfBytesToWrite=0x15fe, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a36000*, lpNumberOfBytesWritten=0x12829d00*=0x15fe, lpOverlapped=0x12829d0c) returned 1 [0275.210] GetFileType (hFile=0x45c) returned 0x1 [0275.210] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x15fe, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0275.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0275.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0275.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c350c0 | out: pbBuffer=0x12c350c0) returned 1 [0275.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.211] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.211] WriteFile (in: hFile=0x44c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.211] CloseHandle (hObject=0x44c) returned 1 [0275.213] CloseHandle (hObject=0x45c) returned 1 [0275.228] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c350d8 | out: pbBuffer=0x12c350d8) returned 1 [0275.228] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[992A05D9C6C96BC6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[992a05d9c6c96bc6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.332] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.333] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0275.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98913495, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98913495, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98913495, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x141f)) returned 1 [0275.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0275.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0275.333] ReadFile (in: hFile=0x45c, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x1282bd1c*=0x141f, lpOverlapped=0x0) returned 1 [0275.339] GetFileType (hFile=0x45c) returned 0x1 [0275.339] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0275.339] WriteFile (in: hFile=0x45c, lpBuffer=0x12902a00*, nNumberOfBytesToWrite=0x141f, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12902a00*, lpNumberOfBytesWritten=0x1282bd00*=0x141f, lpOverlapped=0x1282bd0c) returned 1 [0275.340] GetFileType (hFile=0x45c) returned 0x1 [0275.340] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x141f, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0275.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0275.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0275.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0275.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340f0 | out: pbBuffer=0x12c340f0) returned 1 [0275.341] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0275.341] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0275.341] WriteFile (in: hFile=0x460, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0275.342] CloseHandle (hObject=0x460) returned 1 [0275.371] CloseHandle (hObject=0x45c) returned 1 [0275.388] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34108 | out: pbBuffer=0x12c34108) returned 1 [0275.389] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[CBFD1A21974001E3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[cbfd1a21974001e3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.476] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851222[[fn=ieee2006officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851222[[fn=ieee2006officeonline]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x982fc8d7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x982fc8d7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x982fc8d7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x47d22)) returned 1 [0275.494] SetEvent (hEvent=0x3f8) returned 1 [0275.494] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851223[[fn=iso690]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851223[[fn=iso690]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98050de7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98050de7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98055ce4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x41f76)) returned 1 [0275.511] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851224[[fn=iso690nmerical]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851224[[fn=iso690nmerical]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x977efc44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x977efc44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x977f0f37, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x35031)) returned 1 [0275.536] SetEvent (hEvent=0xf4) returned 1 [0275.536] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851225[[fn=mlaseventheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851225[[fn=mlaseventheditionofficeonline]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9786c3ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9786c3ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9786d825, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3e39b)) returned 1 [0275.546] SetEvent (hEvent=0x1d0) returned 1 [0275.546] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851226[[fn=turabian]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851226[[fn=turabian]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x977a2c28, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x977a2c28, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x977a3fe6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x540ef)) returned 1 [0275.559] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0275.562] SetEvent (hEvent=0x19c) returned 1 [0275.562] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851227[[fn=sist02]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851227[[fn=sist02]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9830edbc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9830edbc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98311346, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3d467)) returned 1 [0275.572] SetEvent (hEvent=0x40c) returned 1 [0275.572] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0275.573] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0275.573] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\*", lpFindFileData=0x128577d8 | out: lpFindFileData=0x128577d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0275.573] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.573] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x985f9d53, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f9d53, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0275.573] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0275.573] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0275.573] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128574a0 | out: lpFileInformation=0x128574a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0275.573] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0275.573] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0275.574] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128576b0 | out: lpMode=0x128576b0) returned 0 [0275.574] WriteFile (in: hFile=0x458, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128576b0, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128576b0*=0x118a, lpOverlapped=0x0) returned 1 [0275.576] CloseHandle (hObject=0x458) returned 1 [0275.576] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x985f9d53, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f9d53, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0275.576] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0275.576] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x985f9d53, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f9d53, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0275.582] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x985f9d53, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f9d53, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.582] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980dfb29, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980dfb29, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980e0ec2, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xca72, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM01840907[[fn=Equations]].dotx", cAlternateFileName="TM0184~1.DOT")) returned 1 [0275.583] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980cc2bb, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980cc2bb, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980cc2bb, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xb8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx", cAlternateFileName="TM0283~1.DOC")) returned 1 [0275.583] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98167377, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98167377, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98167377, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x866f, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03998158[[fn=Element]].dotx", cAlternateFileName="TM0399~1.DOT")) returned 1 [0275.583] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9846e6c1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9846e6c1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f3b86, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x34df74, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM03998159[[fn=Insight]].dotx", cAlternateFileName="TM0399~2.DOT")) returned 1 [0275.583] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0275.583] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0275.584] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0275.585] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0275.585] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0275.586] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0275.586] WriteFile (in: hFile=0x458, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0275.588] CloseHandle (hObject=0x458) returned 1 [0275.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm01840907[[fn=equations]].dotx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980dfb29, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980dfb29, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980e0ec2, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xca72)) returned 1 [0275.588] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0275.603] SetEvent (hEvent=0x19c) returned 1 [0275.603] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm02835233[[fn=text sidebar (annual report red and black design)]].docx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980cc2bb, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980cc2bb, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980cc2bb, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xb8c0)) returned 1 [0275.633] SetEvent (hEvent=0x19c) returned 1 [0275.633] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998158[[fn=element]].dotx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98167377, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98167377, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98167377, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x866f)) returned 1 [0275.768] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm02835233[[fn=text sidebar (annual report red and black design)]].docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.769] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d34 | out: lpMode=0x12853d34) returned 0 [0275.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x1e, pbBuffer=0x12a99da0 | out: pbBuffer=0x12a99da0) returned 1 [0275.858] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffb20, ulCount=0x10, ulNumEntriesRemoved=0x329ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffb20, ulNumEntriesRemoved=0x329ffb04) returned 0 [0275.859] SetEvent (hEvent=0x110) returned 1 [0275.859] SetEvent (hEvent=0x19c) returned 1 [0275.898] ReadFile (in: hFile=0x45c, lpBuffer=0x12a60000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x12853d04, lpOverlapped=0x0 | out: lpBuffer=0x12a60000*, lpNumberOfBytesRead=0x12853d04*=0x8000, lpOverlapped=0x0) returned 1 [0275.904] ReadFile (in: hFile=0x45c, lpBuffer=0x12a60000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x12853d04, lpOverlapped=0x0 | out: lpBuffer=0x12a60000*, lpNumberOfBytesRead=0x12853d04*=0x38c0, lpOverlapped=0x0) returned 1 [0275.905] ReadFile (in: hFile=0x45c, lpBuffer=0x12a60000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x12853d04, lpOverlapped=0x0 | out: lpBuffer=0x12a60000*, lpNumberOfBytesRead=0x12853d04*=0x0, lpOverlapped=0x0) returned 1 [0275.978] CloseHandle (hObject=0x45c) returned 1 [0276.075] SetEvent (hEvent=0x19c) returned 1 [0276.118] SetEvent (hEvent=0x19c) returned 1 [0276.118] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0276.122] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998159[[fn=insight]].dotx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9846e6c1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9846e6c1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f3b86, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x34df74)) returned 1 [0276.122] SetEvent (hEvent=0x1d0) returned 1 [0276.122] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0276.170] SetEvent (hEvent=0x19c) returned 1 [0276.170] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.171] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.171] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0276.220] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.220] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 1 [0276.220] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmartArt Graphics", cAlternateFileName="SMARTA~1")) returned 1 [0276.220] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96dfa773, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word Document Bibliography Styles", cAlternateFileName="WORDDO~1")) returned 1 [0276.220] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word Document Building Blocks", cAlternateFileName="WORDDO~2")) returned 1 [0276.220] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.220] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0276.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.223] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0276.224] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0276.224] WriteFile (in: hFile=0x460, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0276.225] CloseHandle (hObject=0x460) returned 1 [0276.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.275] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.275] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", lpFindFileData=0x128577d8 | out: lpFindFileData=0x128577d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0276.275] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.275] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0276.275] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.276] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0276.276] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128574a0 | out: lpFileInformation=0x128574a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.276] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.276] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.277] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128576b0 | out: lpMode=0x128576b0) returned 0 [0276.277] WriteFile (in: hFile=0x44c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128576b0, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128576b0*=0x118a, lpOverlapped=0x0) returned 1 [0276.279] CloseHandle (hObject=0x44c) returned 1 [0276.279] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.280] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.280] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0276.280] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.280] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.280] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0276.280] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.281] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.281] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.282] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0276.282] WriteFile (in: hFile=0x44c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0276.283] CloseHandle (hObject=0x44c) returned 1 [0276.283] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.284] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*", lpFindFileData=0x128577d8 | out: lpFindFileData=0x128577d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0276.284] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.284] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0276.284] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.284] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0276.284] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128574a0 | out: lpFileInformation=0x128574a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.285] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128576b0 | out: lpMode=0x128576b0) returned 0 [0276.285] WriteFile (in: hFile=0x44c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128576b0, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128576b0*=0x118a, lpOverlapped=0x0) returned 1 [0276.287] CloseHandle (hObject=0x44c) returned 1 [0276.287] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.288] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.288] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0276.288] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.288] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.288] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0276.288] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.288] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.288] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.290] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0276.290] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0276.401] CloseHandle (hObject=0x44c) returned 1 [0276.401] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document bibliography styles"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96dfa773, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.402] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document bibliography styles"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.402] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles\\*", lpFindFileData=0x128577d8 | out: lpFindFileData=0x128577d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96dfa773, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0276.402] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96dfa773, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.402] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.402] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0276.402] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document bibliography styles\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128574a0 | out: lpFileInformation=0x128574a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.403] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document bibliography styles\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.403] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document bibliography styles\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.404] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128576b0 | out: lpMode=0x128576b0) returned 0 [0276.404] WriteFile (in: hFile=0x44c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128576b0, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128576b0*=0x118a, lpOverlapped=0x0) returned 1 [0276.405] CloseHandle (hObject=0x44c) returned 1 [0276.406] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.406] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\*", lpFindFileData=0x128577d8 | out: lpFindFileData=0x128577d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0276.407] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.407] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0276.407] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.407] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0276.407] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128574a0 | out: lpFileInformation=0x128574a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.407] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.408] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.409] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128576b0 | out: lpMode=0x128576b0) returned 0 [0276.409] WriteFile (in: hFile=0x44c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128576b0, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x128576b0*=0x118a, lpOverlapped=0x0) returned 1 [0276.411] CloseHandle (hObject=0x44c) returned 1 [0276.411] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\1033"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.411] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\1033"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.412] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0276.412] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.412] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.412] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0276.412] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\1033\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.412] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.412] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\1033\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.415] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0276.415] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0276.416] CloseHandle (hObject=0x44c) returned 1 [0276.416] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4614163, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4614163, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa46a67ce, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4641)) returned 1 [0276.417] SetEvent (hEvent=0x40c) returned 1 [0276.417] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\vault"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.417] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\vault"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.418] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0276.418] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.418] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.418] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0276.418] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\vault\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\vault\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\vault\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.419] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0276.420] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac3300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12ac3300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0276.421] CloseHandle (hObject=0x44c) returned 1 [0276.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xaeb77be3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xaeb77be3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0276.421] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.422] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xaeb77be3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xaeb77be3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xaeb77be3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xaeb77be3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43708645, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2b1d2cc3, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1d8e71, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3ced6473, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network Shortcuts", cAlternateFileName="NETWOR~1")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3ced6473, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Printer Shortcuts", cAlternateFileName="PRINTE~1")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xea7482a2, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xea7482a2, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8c427141, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8c473662, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3ced6473, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaeb77be3, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xaebea315, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xaebea315, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Themes", cAlternateFileName="")) returned 1 [0276.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.423] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0276.423] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\word"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0276.423] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\word"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0276.423] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0276.423] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0276.424] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0276.424] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0276.424] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\word\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.424] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\word\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0276.424] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\word\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.425] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0276.425] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac4600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12ac4600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0276.427] CloseHandle (hObject=0x44c) returned 1 [0276.427] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\P30eaW83bz2S.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\p30eaw83bz2s.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefbb2e20, ftCreationTime.dwHighDateTime=0x1d819e0, ftLastAccessTime.dwLowDateTime=0x1602f390, ftLastAccessTime.dwHighDateTime=0x1d8211d, ftLastWriteTime.dwLowDateTime=0x1602f390, ftLastWriteTime.dwHighDateTime=0x1d8211d, nFileSizeHigh=0x0, nFileSizeLow=0xf3c8)) returned 1 [0276.427] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Q5eVjwVDQ-QV4U.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\q5evjwvdq-qv4u.flv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fb68ce0, ftCreationTime.dwHighDateTime=0x1d82745, ftLastAccessTime.dwLowDateTime=0xbb8a3b50, ftLastAccessTime.dwHighDateTime=0x1d828e5, ftLastWriteTime.dwLowDateTime=0xbb8a3b50, ftLastWriteTime.dwHighDateTime=0x1d828e5, nFileSizeHigh=0x0, nFileSizeLow=0x129de)) returned 1 [0276.427] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Sjuc5sYc0YTyforNdTl.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\sjuc5syc0ytyforndtl.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0b74e0, ftCreationTime.dwHighDateTime=0x1d82519, ftLastAccessTime.dwLowDateTime=0x85786310, ftLastAccessTime.dwHighDateTime=0x1d8269d, ftLastWriteTime.dwLowDateTime=0x85786310, ftLastWriteTime.dwHighDateTime=0x1d8269d, nFileSizeHigh=0x0, nFileSizeLow=0x2e7d)) returned 1 [0276.428] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Q5eVjwVDQ-QV4U.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\q5evjwvdq-qv4u.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.429] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0276.429] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Q5eVjwVDQ-QV4U.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\q5evjwvdq-qv4u.flv"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fb68ce0, ftCreationTime.dwHighDateTime=0x1d82745, ftLastAccessTime.dwLowDateTime=0xbb8a3b50, ftLastAccessTime.dwHighDateTime=0x1d828e5, ftLastWriteTime.dwLowDateTime=0xbb8a3b50, ftLastWriteTime.dwHighDateTime=0x1d828e5, nFileSizeHigh=0x0, nFileSizeLow=0x129de)) returned 1 [0276.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f020 | out: pbBuffer=0x1280f020) returned 1 [0276.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849c50 | out: pbBuffer=0x12849c50) returned 1 [0276.429] ReadFile (in: hFile=0x44c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x129de, lpOverlapped=0x0) returned 1 [0276.432] GetFileType (hFile=0x44c) returned 0x1 [0276.432] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0276.432] WriteFile (in: hFile=0x44c, lpBuffer=0x12b2c000*, nNumberOfBytesToWrite=0x129de, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b2c000*, lpNumberOfBytesWritten=0x12829d00*=0x129de, lpOverlapped=0x12829d0c) returned 1 [0276.433] GetFileType (hFile=0x44c) returned 0x1 [0276.433] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x129de, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0276.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0276.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0276.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0276.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849d38 | out: pbBuffer=0x12849d38) returned 1 [0276.434] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Q5eVjwVDQ-QV4U.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\q5evjwvdq-qv4u.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0276.434] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0276.434] WriteFile (in: hFile=0x42c, lpBuffer=0x12a76000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0276.434] CloseHandle (hObject=0x42c) returned 1 [0276.434] CloseHandle (hObject=0x44c) returned 1 [0276.434] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849d50 | out: pbBuffer=0x12849d50) returned 1 [0276.434] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Q5eVjwVDQ-QV4U.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\q5evjwvdq-qv4u.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[84F3E2F0B2F16F00]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[84f3e2f0b2f16f00]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0276.436] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Sjuc5sYc0YTyforNdTl.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\sjuc5syc0ytyforndtl.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.436] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0276.436] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Sjuc5sYc0YTyforNdTl.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\sjuc5syc0ytyforndtl.wav"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0b74e0, ftCreationTime.dwHighDateTime=0x1d82519, ftLastAccessTime.dwLowDateTime=0x85786310, ftLastAccessTime.dwHighDateTime=0x1d8269d, ftLastWriteTime.dwLowDateTime=0x85786310, ftLastWriteTime.dwHighDateTime=0x1d8269d, nFileSizeHigh=0x0, nFileSizeLow=0x2e7d)) returned 1 [0276.437] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f220 | out: pbBuffer=0x1280f220) returned 1 [0276.437] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849da8 | out: pbBuffer=0x12849da8) returned 1 [0276.437] ReadFile (in: hFile=0x44c, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12829d1c*=0x2e7d, lpOverlapped=0x0) returned 1 [0276.547] GetFileType (hFile=0x44c) returned 0x1 [0276.547] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0276.547] WriteFile (in: hFile=0x44c, lpBuffer=0x12b7e000*, nNumberOfBytesToWrite=0x2e7d, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b7e000*, lpNumberOfBytesWritten=0x12829d00*=0x2e7d, lpOverlapped=0x12829d0c) returned 1 [0276.688] GetFileType (hFile=0x44c) returned 0x1 [0276.688] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2e7d, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0276.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835301 | out: pbBuffer=0x12835301) returned 1 [0276.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835401 | out: pbBuffer=0x12835401) returned 1 [0276.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835501 | out: pbBuffer=0x12835501) returned 1 [0276.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849f00 | out: pbBuffer=0x12849f00) returned 1 [0276.689] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Sjuc5sYc0YTyforNdTl.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\sjuc5syc0ytyforndtl.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0276.690] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0276.690] WriteFile (in: hFile=0x45c, lpBuffer=0x12a76500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0276.690] CloseHandle (hObject=0x45c) returned 1 [0276.690] CloseHandle (hObject=0x44c) returned 1 [0276.690] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849f18 | out: pbBuffer=0x12849f18) returned 1 [0276.691] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Sjuc5sYc0YTyforNdTl.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\sjuc5syc0ytyforndtl.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[63406D71CCA633D7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[63406d71cca633d7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0276.693] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\WLbrJ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wlbrj.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc6939a0, ftCreationTime.dwHighDateTime=0x1d82883, ftLastAccessTime.dwLowDateTime=0x4b5289a0, ftLastAccessTime.dwHighDateTime=0x1d828bd, ftLastWriteTime.dwLowDateTime=0x4b5289a0, ftLastWriteTime.dwHighDateTime=0x1d828bd, nFileSizeHigh=0x0, nFileSizeLow=0x2440)) returned 1 [0276.693] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Wdfs3 7GvEWFI t1ECJ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wdfs3 7gvewfi t1ecj.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f427400, ftCreationTime.dwHighDateTime=0x1d8235d, ftLastAccessTime.dwLowDateTime=0x12deea20, ftLastAccessTime.dwHighDateTime=0x1d82816, ftLastWriteTime.dwLowDateTime=0x12deea20, ftLastWriteTime.dwHighDateTime=0x1d82816, nFileSizeHigh=0x0, nFileSizeLow=0xac5d)) returned 1 [0276.693] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\WLbrJ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wlbrj.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0276.694] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0276.694] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\WLbrJ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wlbrj.gif"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc6939a0, ftCreationTime.dwHighDateTime=0x1d82883, ftLastAccessTime.dwLowDateTime=0x4b5289a0, ftLastAccessTime.dwHighDateTime=0x1d828bd, ftLastWriteTime.dwLowDateTime=0x4b5289a0, ftLastWriteTime.dwHighDateTime=0x1d828bd, nFileSizeHigh=0x0, nFileSizeLow=0x2440)) returned 1 [0276.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f9e0 | out: pbBuffer=0x1280f9e0) returned 1 [0276.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810790 | out: pbBuffer=0x12810790) returned 1 [0276.695] ReadFile (in: hFile=0x44c, lpBuffer=0x12d98000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d98000*, lpNumberOfBytesRead=0x12829d1c*=0x2440, lpOverlapped=0x0) returned 1 [0276.697] GetFileType (hFile=0x44c) returned 0x1 [0276.697] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0276.697] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x2440, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12829d00*=0x2440, lpOverlapped=0x12829d0c) returned 1 [0276.697] GetFileType (hFile=0x44c) returned 0x1 [0276.697] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2440, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0276.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835801 | out: pbBuffer=0x12835801) returned 1 [0276.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835901 | out: pbBuffer=0x12835901) returned 1 [0276.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835a01 | out: pbBuffer=0x12835a01) returned 1 [0276.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810848 | out: pbBuffer=0x12810848) returned 1 [0276.698] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\WLbrJ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wlbrj.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0276.698] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0276.698] WriteFile (in: hFile=0x45c, lpBuffer=0x12a76a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0276.699] CloseHandle (hObject=0x45c) returned 1 [0276.699] CloseHandle (hObject=0x44c) returned 1 [0276.699] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810860 | out: pbBuffer=0x12810860) returned 1 [0276.699] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\WLbrJ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wlbrj.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[2B6F9AFBAE1CE94A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[2b6f9afbae1ce94a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.237] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.533] SetEvent (hEvent=0x1b8) returned 1 [0277.533] VirtualAlloc (lpAddress=0x12e74000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e74000 [0277.534] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\n5m8aNivzz.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\n5m8anivzz.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3e02490, ftCreationTime.dwHighDateTime=0x1d82962, ftLastAccessTime.dwLowDateTime=0x1aa1aa50, ftLastAccessTime.dwHighDateTime=0x1d82973, ftLastWriteTime.dwLowDateTime=0x1aa1aa50, ftLastWriteTime.dwHighDateTime=0x1d82973, nFileSizeHigh=0x0, nFileSizeLow=0x38f2)) returned 1 [0277.534] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.600] SetEvent (hEvent=0x3f4) returned 1 [0277.600] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.625] SetEvent (hEvent=0x3f4) returned 1 [0277.625] SetEvent (hEvent=0x1d0) returned 1 [0277.625] SetEvent (hEvent=0x1b8) returned 1 [0277.625] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.629] SwitchToThread () returned 1 [0277.666] SetEvent (hEvent=0x3f4) returned 1 [0277.666] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.713] SwitchToThread () returned 1 [0277.806] SetEvent (hEvent=0x1b8) returned 1 [0277.858] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.883] SetEvent (hEvent=0x1b8) returned 1 [0277.883] SwitchToThread () returned 1 [0277.890] SetEvent (hEvent=0x1b8) returned 1 [0277.890] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0277.934] SetEvent (hEvent=0x1d0) returned 1 [0277.934] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies" (normalized: "c:\\users\\rdhj0cnfevzx\\cookies"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0277.934] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies" (normalized: "c:\\users\\rdhj0cnfevzx\\cookies"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x44c [0277.934] GetFileInformationByHandle (in: hFile=0x44c, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0277.934] GetFileInformationByHandleEx (in: hFile=0x44c, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0277.934] CloseHandle (hObject=0x44c) returned 1 [0277.935] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7acb0e39, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7acb0e39, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0277.935] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0277.935] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7acb0e39, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7acb0e39, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0277.935] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7acb0e39, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7acb0e39, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0277.935] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x977ea6f0, ftCreationTime.dwHighDateTime=0x1d81e4b, ftLastAccessTime.dwLowDateTime=0xda3c9e10, ftLastAccessTime.dwHighDateTime=0x1d82540, ftLastWriteTime.dwLowDateTime=0xda3c9e10, ftLastWriteTime.dwHighDateTime=0x1d82540, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3XptwoMUL4HB0GHi", cAlternateFileName="3XPTWO~1")) returned 1 [0277.935] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca45fda0, ftCreationTime.dwHighDateTime=0x1d824fd, ftLastAccessTime.dwLowDateTime=0x390e3380, ftLastAccessTime.dwHighDateTime=0x1d82989, ftLastWriteTime.dwLowDateTime=0x390e3380, ftLastWriteTime.dwHighDateTime=0x1d82989, nFileSizeHigh=0x0, nFileSizeLow=0x13a77, dwReserved0=0x0, dwReserved1=0x0, cFileName="4oMFooZPReWD1.bmp", cAlternateFileName="4OMFOO~1.BMP")) returned 1 [0277.935] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8501f0, ftCreationTime.dwHighDateTime=0x1d8226d, ftLastAccessTime.dwLowDateTime=0xd2e053a0, ftLastAccessTime.dwHighDateTime=0x1d822ed, ftLastWriteTime.dwLowDateTime=0xd2e053a0, ftLastWriteTime.dwHighDateTime=0x1d822ed, nFileSizeHigh=0x0, nFileSizeLow=0x7e62, dwReserved0=0x0, dwReserved1=0x0, cFileName="6etfHXV 5PagM21.mp4", cAlternateFileName="6ETFHX~1.MP4")) returned 1 [0277.935] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd08daae0, ftCreationTime.dwHighDateTime=0x1d8257b, ftLastAccessTime.dwLowDateTime=0xb6ec1f40, ftLastAccessTime.dwHighDateTime=0x1d829ef, ftLastWriteTime.dwLowDateTime=0xb6ec1f40, ftLastWriteTime.dwHighDateTime=0x1d829ef, nFileSizeHigh=0x0, nFileSizeLow=0x4ef5, dwReserved0=0x0, dwReserved1=0x0, cFileName="8s2al1KhTG563o.m4a", cAlternateFileName="8S2AL1~1.M4A")) returned 1 [0277.935] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2f00b0, ftCreationTime.dwHighDateTime=0x1d81ad8, ftLastAccessTime.dwLowDateTime=0xaeee07d0, ftLastAccessTime.dwHighDateTime=0x1d82a13, ftLastWriteTime.dwLowDateTime=0xaeee07d0, ftLastWriteTime.dwHighDateTime=0x1d82a13, nFileSizeHigh=0x0, nFileSizeLow=0xa04b, dwReserved0=0x0, dwReserved1=0x0, cFileName="8yIiPY3PM2qXZ.wav", cAlternateFileName="8YIIPY~1.WAV")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x516f4b00, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x516f4b00, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x9cca2f00, ftLastWriteTime.dwHighDateTime=0x1d856f2, nFileSizeHigh=0x0, nFileSizeLow=0x1cbc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe", cAlternateFileName="DD286A~1.EXE")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf82166f0, ftCreationTime.dwHighDateTime=0x1d825d5, ftLastAccessTime.dwLowDateTime=0xa0a327c0, ftLastAccessTime.dwHighDateTime=0x1d82700, ftLastWriteTime.dwLowDateTime=0xa0a327c0, ftLastWriteTime.dwHighDateTime=0x1d82700, nFileSizeHigh=0x0, nFileSizeLow=0xc066, dwReserved0=0x0, dwReserved1=0x0, cFileName="E sqm5OszcoziTDY.mkv", cAlternateFileName="ESQM5O~1.MKV")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2bc5b20, ftCreationTime.dwHighDateTime=0x1d821b9, ftLastAccessTime.dwLowDateTime=0xfa0b5f80, ftLastAccessTime.dwHighDateTime=0x1d8273c, ftLastWriteTime.dwLowDateTime=0xfa0b5f80, ftLastWriteTime.dwHighDateTime=0x1d8273c, nFileSizeHigh=0x0, nFileSizeLow=0x5a97, dwReserved0=0x0, dwReserved1=0x0, cFileName="e30J.m4a", cAlternateFileName="")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89ddbc50, ftCreationTime.dwHighDateTime=0x1d81b55, ftLastAccessTime.dwLowDateTime=0x156723e0, ftLastAccessTime.dwHighDateTime=0x1d82990, ftLastWriteTime.dwLowDateTime=0x156723e0, ftLastWriteTime.dwHighDateTime=0x1d82990, nFileSizeHigh=0x0, nFileSizeLow=0x36af, dwReserved0=0x0, dwReserved1=0x0, cFileName="ed3OEBOHI5YM1zXSFg m.mp3", cAlternateFileName="ED3OEB~1.MP3")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8dca7a20, ftCreationTime.dwHighDateTime=0x1d82027, ftLastAccessTime.dwLowDateTime=0xb179bfb0, ftLastAccessTime.dwHighDateTime=0x1d825c9, ftLastWriteTime.dwLowDateTime=0xb179bfb0, ftLastWriteTime.dwHighDateTime=0x1d825c9, nFileSizeHigh=0x0, nFileSizeLow=0x18cbc, dwReserved0=0x0, dwReserved1=0x0, cFileName="FObnuAwtmJC9McsJ_-Z.rtf", cAlternateFileName="FOBNUA~1.RTF")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe90ec7a0, ftCreationTime.dwHighDateTime=0x1d81bff, ftLastAccessTime.dwLowDateTime=0x7574d0, ftLastAccessTime.dwHighDateTime=0x1d82208, ftLastWriteTime.dwLowDateTime=0x7574d0, ftLastWriteTime.dwHighDateTime=0x1d82208, nFileSizeHigh=0x0, nFileSizeLow=0x8bd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="iFdAmmAFYX4CdXqN.m4a", cAlternateFileName="IFDAMM~1.M4A")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed78bd00, ftCreationTime.dwHighDateTime=0x1d82348, ftLastAccessTime.dwLowDateTime=0xf4b4b9c0, ftLastAccessTime.dwHighDateTime=0x1d82802, ftLastWriteTime.dwLowDateTime=0xf4b4b9c0, ftLastWriteTime.dwHighDateTime=0x1d82802, nFileSizeHigh=0x0, nFileSizeLow=0x1211d, dwReserved0=0x0, dwReserved1=0x0, cFileName="k M94JU5AVmadGtlfkKp.csv", cAlternateFileName="KM94JU~1.CSV")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x350e8f50, ftCreationTime.dwHighDateTime=0x1d829ac, ftLastAccessTime.dwLowDateTime=0xd8cc7e00, ftLastAccessTime.dwHighDateTime=0x1d829fb, ftLastWriteTime.dwLowDateTime=0xd8cc7e00, ftLastWriteTime.dwHighDateTime=0x1d829fb, nFileSizeHigh=0x0, nFileSizeLow=0xac40, dwReserved0=0x0, dwReserved1=0x0, cFileName="KudpMCK-wvfm_.flv", cAlternateFileName="KUDPMC~1.FLV")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91e9a410, ftCreationTime.dwHighDateTime=0x1d82300, ftLastAccessTime.dwLowDateTime=0xc9ef44a0, ftLastAccessTime.dwHighDateTime=0x1d8293b, ftLastWriteTime.dwLowDateTime=0xc9ef44a0, ftLastWriteTime.dwHighDateTime=0x1d8293b, nFileSizeHigh=0x0, nFileSizeLow=0xeab2, dwReserved0=0x0, dwReserved1=0x0, cFileName="lhTqiGWmPjxkjNAmr.docx", cAlternateFileName="LHTQIG~1.DOC")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799a7730, ftCreationTime.dwHighDateTime=0x1d81f5f, ftLastAccessTime.dwLowDateTime=0xe0c6bcb0, ftLastAccessTime.dwHighDateTime=0x1d82528, ftLastWriteTime.dwLowDateTime=0xe0c6bcb0, ftLastWriteTime.dwHighDateTime=0x1d82528, nFileSizeHigh=0x0, nFileSizeLow=0x7b8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="n1ENg_qPm.swf", cAlternateFileName="N1ENG_~1.SWF")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79bd2f50, ftCreationTime.dwHighDateTime=0x1d81f3c, ftLastAccessTime.dwLowDateTime=0x20a5e630, ftLastAccessTime.dwHighDateTime=0x1d82470, ftLastWriteTime.dwLowDateTime=0x20a5e630, ftLastWriteTime.dwHighDateTime=0x1d82470, nFileSizeHigh=0x0, nFileSizeLow=0xd80c, dwReserved0=0x0, dwReserved1=0x0, cFileName="NolPnYVxwc-.m4a", cAlternateFileName="NOLPNY~1.M4A")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc108da10, ftCreationTime.dwHighDateTime=0x1d81bab, ftLastAccessTime.dwLowDateTime=0x8ab3dfa0, ftLastAccessTime.dwHighDateTime=0x1d8242a, ftLastWriteTime.dwLowDateTime=0x8ab3dfa0, ftLastWriteTime.dwHighDateTime=0x1d8242a, nFileSizeHigh=0x0, nFileSizeLow=0xe623, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ptd_CEMx.png", cAlternateFileName="")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaa45410, ftCreationTime.dwHighDateTime=0x1d8294c, ftLastAccessTime.dwLowDateTime=0x152edf00, ftLastAccessTime.dwHighDateTime=0x1d82952, ftLastWriteTime.dwLowDateTime=0x152edf00, ftLastWriteTime.dwHighDateTime=0x1d82952, nFileSizeHigh=0x0, nFileSizeLow=0xabec, dwReserved0=0x0, dwReserved1=0x0, cFileName="ra GcpUdr.mkv", cAlternateFileName="RAGCPU~1.MKV")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9fc2f40, ftCreationTime.dwHighDateTime=0x1d8284b, ftLastAccessTime.dwLowDateTime=0xab90c70, ftLastAccessTime.dwHighDateTime=0x1d82958, ftLastWriteTime.dwLowDateTime=0xab90c70, ftLastWriteTime.dwHighDateTime=0x1d82958, nFileSizeHigh=0x0, nFileSizeLow=0x15499, dwReserved0=0x0, dwReserved1=0x0, cFileName="sLFOy4ycVM9cI.wav", cAlternateFileName="SLFOY4~1.WAV")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cd910c0, ftCreationTime.dwHighDateTime=0x1d81bc5, ftLastAccessTime.dwLowDateTime=0x1f631800, ftLastAccessTime.dwHighDateTime=0x1d822e6, ftLastWriteTime.dwLowDateTime=0x1f631800, ftLastWriteTime.dwHighDateTime=0x1d822e6, nFileSizeHigh=0x0, nFileSizeLow=0x94ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="TBp4.gif", cAlternateFileName="")) returned 1 [0277.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0f7a80, ftCreationTime.dwHighDateTime=0x1d827df, ftLastAccessTime.dwLowDateTime=0x52660710, ftLastAccessTime.dwHighDateTime=0x1d828a6, ftLastWriteTime.dwLowDateTime=0x52660710, ftLastWriteTime.dwHighDateTime=0x1d828a6, nFileSizeHigh=0x0, nFileSizeLow=0xd3ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="uDGO5JU.mp4", cAlternateFileName="")) returned 1 [0277.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33445370, ftCreationTime.dwHighDateTime=0x1d81b02, ftLastAccessTime.dwLowDateTime=0x53e41800, ftLastAccessTime.dwHighDateTime=0x1d82105, ftLastWriteTime.dwLowDateTime=0x53e41800, ftLastWriteTime.dwHighDateTime=0x1d82105, nFileSizeHigh=0x0, nFileSizeLow=0xe56e, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpScI-7TEgyIuDUZNpN.png", cAlternateFileName="UPSCI-~1.PNG")) returned 1 [0277.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85694180, ftCreationTime.dwHighDateTime=0x1d82906, ftLastAccessTime.dwLowDateTime=0x8a488980, ftLastAccessTime.dwHighDateTime=0x1d829a2, ftLastWriteTime.dwLowDateTime=0x8a488980, ftLastWriteTime.dwHighDateTime=0x1d829a2, nFileSizeHigh=0x0, nFileSizeLow=0xa5e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="vUti7rOBpW80TdxP8cY.wav", cAlternateFileName="VUTI7R~1.WAV")) returned 1 [0277.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb982b0, ftCreationTime.dwHighDateTime=0x1d81be8, ftLastAccessTime.dwLowDateTime=0x45a32fb0, ftLastAccessTime.dwHighDateTime=0x1d82619, ftLastWriteTime.dwLowDateTime=0x45a32fb0, ftLastWriteTime.dwHighDateTime=0x1d82619, nFileSizeHigh=0x0, nFileSizeLow=0x5606, dwReserved0=0x0, dwReserved1=0x0, cFileName="wBOpnOckzLCjDDK.jpg", cAlternateFileName="WBOPNO~1.JPG")) returned 1 [0277.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62222ed0, ftCreationTime.dwHighDateTime=0x1d81c6d, ftLastAccessTime.dwLowDateTime=0xc42d3520, ftLastAccessTime.dwHighDateTime=0x1d821f9, ftLastWriteTime.dwLowDateTime=0xc42d3520, ftLastWriteTime.dwHighDateTime=0x1d821f9, nFileSizeHigh=0x0, nFileSizeLow=0x17f86, dwReserved0=0x0, dwReserved1=0x0, cFileName="We0X6gEqRDhiUH6OA.jpg", cAlternateFileName="WE0X6G~1.JPG")) returned 1 [0277.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a0c530, ftCreationTime.dwHighDateTime=0x1d82232, ftLastAccessTime.dwLowDateTime=0xe06d7d80, ftLastAccessTime.dwHighDateTime=0x1d827b7, ftLastWriteTime.dwLowDateTime=0xe06d7d80, ftLastWriteTime.dwHighDateTime=0x1d827b7, nFileSizeHigh=0x0, nFileSizeLow=0x14067, dwReserved0=0x0, dwReserved1=0x0, cFileName="WHnWOXyFUJT1M8QR5fnu.m4a", cAlternateFileName="WHNWOX~1.M4A")) returned 1 [0277.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e12f570, ftCreationTime.dwHighDateTime=0x1d81f84, ftLastAccessTime.dwLowDateTime=0xbb26ae80, ftLastAccessTime.dwHighDateTime=0x1d827e8, ftLastWriteTime.dwLowDateTime=0xbb26ae80, ftLastWriteTime.dwHighDateTime=0x1d827e8, nFileSizeHigh=0x0, nFileSizeLow=0x15308, dwReserved0=0x0, dwReserved1=0x0, cFileName="YJa5crqa6E.wav", cAlternateFileName="YJA5CR~1.WAV")) returned 1 [0277.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff09880, ftCreationTime.dwHighDateTime=0x1d81f43, ftLastAccessTime.dwLowDateTime=0xa062dd90, ftLastAccessTime.dwHighDateTime=0x1d82396, ftLastWriteTime.dwLowDateTime=0xa062dd90, ftLastWriteTime.dwHighDateTime=0x1d82396, nFileSizeHigh=0x0, nFileSizeLow=0xc20f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z2qPX6.bmp", cAlternateFileName="")) returned 1 [0277.956] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d5e2e70, ftCreationTime.dwHighDateTime=0x1d81e04, ftLastAccessTime.dwLowDateTime=0xaf72ba0, ftLastAccessTime.dwHighDateTime=0x1d829c0, ftLastWriteTime.dwLowDateTime=0xaf72ba0, ftLastWriteTime.dwHighDateTime=0x1d829c0, nFileSizeHigh=0x0, nFileSizeLow=0x6e6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z2SKrQAol.bmp", cAlternateFileName="Z2SKRQ~1.BMP")) returned 1 [0277.957] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb682a30, ftCreationTime.dwHighDateTime=0x1d81aaf, ftLastAccessTime.dwLowDateTime=0x8d4e5d30, ftLastAccessTime.dwHighDateTime=0x1d81d72, ftLastWriteTime.dwLowDateTime=0x8d4e5d30, ftLastWriteTime.dwHighDateTime=0x1d81d72, nFileSizeHigh=0x0, nFileSizeLow=0x73e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z_rpRFXyhj7uRUyh_aBs.docx", cAlternateFileName="Z_RPRF~1.DOC")) returned 1 [0277.957] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0277.957] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0277.957] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0277.957] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0277.958] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.963] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0277.963] WriteFile (in: hFile=0x45c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0277.964] CloseHandle (hObject=0x45c) returned 1 [0277.965] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x977ea6f0, ftCreationTime.dwHighDateTime=0x1d81e4b, ftLastAccessTime.dwLowDateTime=0xda3c9e10, ftLastAccessTime.dwHighDateTime=0x1d82540, ftLastWriteTime.dwLowDateTime=0xda3c9e10, ftLastWriteTime.dwHighDateTime=0x1d82540, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0277.966] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0277.966] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x977ea6f0, ftCreationTime.dwHighDateTime=0x1d81e4b, ftLastAccessTime.dwLowDateTime=0xda3c9e10, ftLastAccessTime.dwHighDateTime=0x1d82540, ftLastWriteTime.dwLowDateTime=0xda3c9e10, ftLastWriteTime.dwHighDateTime=0x1d82540, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x977ea6f0, ftCreationTime.dwHighDateTime=0x1d81e4b, ftLastAccessTime.dwLowDateTime=0xda3c9e10, ftLastAccessTime.dwHighDateTime=0x1d82540, ftLastWriteTime.dwLowDateTime=0xda3c9e10, ftLastWriteTime.dwHighDateTime=0x1d82540, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4e2f240, ftCreationTime.dwHighDateTime=0x1d8289d, ftLastAccessTime.dwLowDateTime=0xb0eca460, ftLastAccessTime.dwHighDateTime=0x1d8290a, ftLastWriteTime.dwLowDateTime=0xb0eca460, ftLastWriteTime.dwHighDateTime=0x1d8290a, nFileSizeHigh=0x0, nFileSizeLow=0xba59, dwReserved0=0x0, dwReserved1=0x0, cFileName="-LoqqXzbvdQz.png", cAlternateFileName="-LOQQX~1.PNG")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56380190, ftCreationTime.dwHighDateTime=0x1d8240f, ftLastAccessTime.dwLowDateTime=0x6013a2a0, ftLastAccessTime.dwHighDateTime=0x1d8297d, ftLastWriteTime.dwLowDateTime=0x6013a2a0, ftLastWriteTime.dwHighDateTime=0x1d8297d, nFileSizeHigh=0x0, nFileSizeLow=0x180ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="54xbrlNLIF.rtf", cAlternateFileName="54XBRL~1.RTF")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa434860, ftCreationTime.dwHighDateTime=0x1d828fd, ftLastAccessTime.dwLowDateTime=0xea894840, ftLastAccessTime.dwHighDateTime=0x1d82969, ftLastWriteTime.dwLowDateTime=0xea894840, ftLastWriteTime.dwHighDateTime=0x1d82969, nFileSizeHigh=0x0, nFileSizeLow=0x4e7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="DkvmTwzWP0Xlqz.png", cAlternateFileName="DKVMTW~1.PNG")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3000250, ftCreationTime.dwHighDateTime=0x1d82204, ftLastAccessTime.dwLowDateTime=0x980eff80, ftLastAccessTime.dwHighDateTime=0x1d8252f, ftLastWriteTime.dwLowDateTime=0x980eff80, ftLastWriteTime.dwHighDateTime=0x1d8252f, nFileSizeHigh=0x0, nFileSizeLow=0xf305, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEvtC_8FCgIX-TWo8I.wav", cAlternateFileName="EEVTC_~1.WAV")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x666a92d0, ftCreationTime.dwHighDateTime=0x1d8218f, ftLastAccessTime.dwLowDateTime=0x181e4610, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0x181e4610, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0x5f98, dwReserved0=0x0, dwReserved1=0x0, cFileName="eqpPz5d.gif", cAlternateFileName="")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62eebdf0, ftCreationTime.dwHighDateTime=0x1d8209c, ftLastAccessTime.dwLowDateTime=0xbe8588c0, ftLastAccessTime.dwHighDateTime=0x1d820c8, ftLastWriteTime.dwLowDateTime=0xbe8588c0, ftLastWriteTime.dwHighDateTime=0x1d820c8, nFileSizeHigh=0x0, nFileSizeLow=0x1749b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ggbWGBU.ppt", cAlternateFileName="")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1a2df0, ftCreationTime.dwHighDateTime=0x1d819c0, ftLastAccessTime.dwLowDateTime=0xa946e310, ftLastAccessTime.dwHighDateTime=0x1d8204f, ftLastWriteTime.dwLowDateTime=0xa946e310, ftLastWriteTime.dwHighDateTime=0x1d8204f, nFileSizeHigh=0x0, nFileSizeLow=0xad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="m1C.wav", cAlternateFileName="")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb26a9d10, ftCreationTime.dwHighDateTime=0x1d82310, ftLastAccessTime.dwLowDateTime=0x208b8480, ftLastAccessTime.dwHighDateTime=0x1d82a0f, ftLastWriteTime.dwLowDateTime=0x208b8480, ftLastWriteTime.dwHighDateTime=0x1d82a0f, nFileSizeHigh=0x0, nFileSizeLow=0xe7ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWWkE.wav", cAlternateFileName="")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe507e5d0, ftCreationTime.dwHighDateTime=0x1d81df6, ftLastAccessTime.dwLowDateTime=0x77993980, ftLastAccessTime.dwHighDateTime=0x1d81f1e, ftLastWriteTime.dwLowDateTime=0x77993980, ftLastWriteTime.dwHighDateTime=0x1d81f1e, nFileSizeHigh=0x0, nFileSizeLow=0x14b99, dwReserved0=0x0, dwReserved1=0x0, cFileName="s3ncmMpPmS0muoyMLo.gif", cAlternateFileName="S3NCMM~1.GIF")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe002b270, ftCreationTime.dwHighDateTime=0x1d81f1f, ftLastAccessTime.dwLowDateTime=0xfc6fcd70, ftLastAccessTime.dwHighDateTime=0x1d8298e, ftLastWriteTime.dwLowDateTime=0xfc6fcd70, ftLastWriteTime.dwHighDateTime=0x1d8298e, nFileSizeHigh=0x0, nFileSizeLow=0xc169, dwReserved0=0x0, dwReserved1=0x0, cFileName="SPY-r5V.jpg", cAlternateFileName="")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x949c6c60, ftCreationTime.dwHighDateTime=0x1d8258f, ftLastAccessTime.dwLowDateTime=0x48c5e190, ftLastAccessTime.dwHighDateTime=0x1d8288c, ftLastWriteTime.dwLowDateTime=0x48c5e190, ftLastWriteTime.dwHighDateTime=0x1d8288c, nFileSizeHigh=0x0, nFileSizeLow=0x17f1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="uF2rHEH2XRc.wav", cAlternateFileName="UF2RHE~1.WAV")) returned 1 [0277.966] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0277.967] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0277.967] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0277.967] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0277.967] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.969] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0277.969] WriteFile (in: hFile=0x45c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0277.971] CloseHandle (hObject=0x45c) returned 1 [0277.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\-LoqqXzbvdQz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\-loqqxzbvdqz.png"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4e2f240, ftCreationTime.dwHighDateTime=0x1d8289d, ftLastAccessTime.dwLowDateTime=0xb0eca460, ftLastAccessTime.dwHighDateTime=0x1d8290a, ftLastWriteTime.dwLowDateTime=0xb0eca460, ftLastWriteTime.dwHighDateTime=0x1d8290a, nFileSizeHigh=0x0, nFileSizeLow=0xba59)) returned 1 [0277.975] SetEvent (hEvent=0x1d0) returned 1 [0277.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\54xbrlNLIF.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\54xbrlnlif.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56380190, ftCreationTime.dwHighDateTime=0x1d8240f, ftLastAccessTime.dwLowDateTime=0x6013a2a0, ftLastAccessTime.dwHighDateTime=0x1d8297d, ftLastWriteTime.dwLowDateTime=0x6013a2a0, ftLastWriteTime.dwHighDateTime=0x1d8297d, nFileSizeHigh=0x0, nFileSizeLow=0x180ed)) returned 1 [0277.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\DkvmTwzWP0Xlqz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\dkvmtwzwp0xlqz.png"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa434860, ftCreationTime.dwHighDateTime=0x1d828fd, ftLastAccessTime.dwLowDateTime=0xea894840, ftLastAccessTime.dwHighDateTime=0x1d82969, ftLastWriteTime.dwLowDateTime=0xea894840, ftLastWriteTime.dwHighDateTime=0x1d82969, nFileSizeHigh=0x0, nFileSizeLow=0x4e7a)) returned 1 [0277.976] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\EEvtC_8FCgIX-TWo8I.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eevtc_8fcgix-two8i.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3000250, ftCreationTime.dwHighDateTime=0x1d82204, ftLastAccessTime.dwLowDateTime=0x980eff80, ftLastAccessTime.dwHighDateTime=0x1d8252f, ftLastWriteTime.dwLowDateTime=0x980eff80, ftLastWriteTime.dwHighDateTime=0x1d8252f, nFileSizeHigh=0x0, nFileSizeLow=0xf305)) returned 1 [0277.976] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\DkvmTwzWP0Xlqz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\dkvmtwzwp0xlqz.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.976] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.977] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\DkvmTwzWP0Xlqz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\dkvmtwzwp0xlqz.png"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa434860, ftCreationTime.dwHighDateTime=0x1d828fd, ftLastAccessTime.dwLowDateTime=0xea894840, ftLastAccessTime.dwHighDateTime=0x1d82969, ftLastWriteTime.dwLowDateTime=0xea894840, ftLastWriteTime.dwHighDateTime=0x1d82969, nFileSizeHigh=0x0, nFileSizeLow=0x4e7a)) returned 1 [0277.977] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98fc0 | out: pbBuffer=0x12a98fc0) returned 1 [0277.977] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849a20 | out: pbBuffer=0x12849a20) returned 1 [0277.977] ReadFile (in: hFile=0x45c, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x1282fd1c*=0x4e7a, lpOverlapped=0x0) returned 1 [0277.978] GetFileType (hFile=0x45c) returned 0x1 [0277.978] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.978] WriteFile (in: hFile=0x45c, lpBuffer=0x12db0000*, nNumberOfBytesToWrite=0x4e7a, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12db0000*, lpNumberOfBytesWritten=0x1282fd00*=0x4e7a, lpOverlapped=0x1282fd0c) returned 1 [0277.979] GetFileType (hFile=0x45c) returned 0x1 [0277.979] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x4e7a, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.979] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0277.979] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0277.980] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0277.980] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849ad8 | out: pbBuffer=0x12849ad8) returned 1 [0277.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\DkvmTwzWP0Xlqz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\dkvmtwzwp0xlqz.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.980] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.980] WriteFile (in: hFile=0x44c, lpBuffer=0x12e72000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12e72000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.981] CloseHandle (hObject=0x44c) returned 1 [0277.989] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0278.004] CloseHandle (hObject=0x45c) returned 1 [0278.007] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0278.011] SetEvent (hEvent=0x19c) returned 1 [0278.011] SetEvent (hEvent=0xf4) returned 1 [0278.011] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810030 | out: pbBuffer=0x12810030) returned 1 [0278.011] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\DkvmTwzWP0Xlqz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\dkvmtwzwp0xlqz.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[006BBEBB45174EDB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[006bbebb45174edb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.075] SetEvent (hEvent=0xf4) returned 1 [0278.075] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\SPY-r5V.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\spy-r5v.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0278.076] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.076] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\SPY-r5V.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\spy-r5v.jpg"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe002b270, ftCreationTime.dwHighDateTime=0x1d81f1f, ftLastAccessTime.dwLowDateTime=0xfc6fcd70, ftLastAccessTime.dwHighDateTime=0x1d8298e, ftLastWriteTime.dwLowDateTime=0xfc6fcd70, ftLastWriteTime.dwHighDateTime=0x1d8298e, nFileSizeHigh=0x0, nFileSizeLow=0xc169)) returned 1 [0278.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e420 | out: pbBuffer=0x1280e420) returned 1 [0278.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101a0 | out: pbBuffer=0x128101a0) returned 1 [0278.076] ReadFile (in: hFile=0x45c, lpBuffer=0x12bae000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bae000*, lpNumberOfBytesRead=0x1282fd1c*=0xc169, lpOverlapped=0x0) returned 1 [0278.078] GetFileType (hFile=0x45c) returned 0x1 [0278.078] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.078] WriteFile (in: hFile=0x45c, lpBuffer=0x12e50000*, nNumberOfBytesToWrite=0xc169, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12e50000*, lpNumberOfBytesWritten=0x1282fd00*=0xc169, lpOverlapped=0x1282fd0c) returned 1 [0278.078] GetFileType (hFile=0x45c) returned 0x1 [0278.079] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xc169, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0278.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0278.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0278.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810268 | out: pbBuffer=0x12810268) returned 1 [0278.079] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\SPY-r5V.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\spy-r5v.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0278.079] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.079] WriteFile (in: hFile=0x458, lpBuffer=0x12dc6500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.079] CloseHandle (hObject=0x458) returned 1 [0278.084] CloseHandle (hObject=0x45c) returned 1 [0278.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810280 | out: pbBuffer=0x12810280) returned 1 [0278.088] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\SPY-r5V.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\spy-r5v.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[A4B1A9249D2D4E31]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[a4b1a9249d2d4e31]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.460] SetEvent (hEvent=0xf4) returned 1 [0278.460] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\s3ncmMpPmS0muoyMLo.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\s3ncmmppms0muoymlo.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0278.462] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.462] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\s3ncmMpPmS0muoyMLo.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\s3ncmmppms0muoymlo.gif"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe507e5d0, ftCreationTime.dwHighDateTime=0x1d81df6, ftLastAccessTime.dwLowDateTime=0x77993980, ftLastAccessTime.dwHighDateTime=0x1d81f1e, ftLastWriteTime.dwLowDateTime=0x77993980, ftLastWriteTime.dwHighDateTime=0x1d81f1e, nFileSizeHigh=0x0, nFileSizeLow=0x14b99)) returned 1 [0278.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928560 | out: pbBuffer=0x12928560) returned 1 [0278.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b70 | out: pbBuffer=0x12848b70) returned 1 [0278.462] ReadFile (in: hFile=0x45c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x14b99, lpOverlapped=0x0) returned 1 [0278.464] GetFileType (hFile=0x45c) returned 0x1 [0278.464] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.464] WriteFile (in: hFile=0x45c, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x14b99, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x1282fd00*=0x14b99, lpOverlapped=0x1282fd0c) returned 1 [0278.465] GetFileType (hFile=0x45c) returned 0x1 [0278.465] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x14b99, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0278.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0278.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b481 | out: pbBuffer=0x1286b481) returned 1 [0278.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848c28 | out: pbBuffer=0x12848c28) returned 1 [0278.465] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\s3ncmMpPmS0muoyMLo.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\s3ncmmppms0muoymlo.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.465] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.466] WriteFile (in: hFile=0x42c, lpBuffer=0x12bdef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12bdef00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.466] CloseHandle (hObject=0x42c) returned 1 [0278.498] CloseHandle (hObject=0x45c) returned 1 [0278.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848c40 | out: pbBuffer=0x12848c40) returned 1 [0278.505] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\s3ncmMpPmS0muoyMLo.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\s3ncmmppms0muoymlo.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[28B08C5DAB2E5E80]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[28b08c5dab2e5e80]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.633] SetEvent (hEvent=0x3f8) returned 1 [0278.633] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8yIiPY3PM2qXZ.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8yiipy3pm2qxz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0278.634] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.634] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8yIiPY3PM2qXZ.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8yiipy3pm2qxz.wav"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2f00b0, ftCreationTime.dwHighDateTime=0x1d81ad8, ftLastAccessTime.dwLowDateTime=0xaeee07d0, ftLastAccessTime.dwHighDateTime=0x1d82a13, ftLastWriteTime.dwLowDateTime=0xaeee07d0, ftLastWriteTime.dwHighDateTime=0x1d82a13, nFileSizeHigh=0x0, nFileSizeLow=0xa04b)) returned 1 [0278.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a990e0 | out: pbBuffer=0x12a990e0) returned 1 [0278.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a6d8 | out: pbBuffer=0x12a9a6d8) returned 1 [0278.635] ReadFile (in: hFile=0x45c, lpBuffer=0x12be8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12be8000*, lpNumberOfBytesRead=0x1282fd1c*=0xa04b, lpOverlapped=0x0) returned 1 [0278.636] GetFileType (hFile=0x45c) returned 0x1 [0278.636] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.636] WriteFile (in: hFile=0x45c, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0xa04b, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x1282fd00*=0xa04b, lpOverlapped=0x1282fd0c) returned 1 [0278.637] GetFileType (hFile=0x45c) returned 0x1 [0278.637] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xa04b, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.637] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0278.637] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0278.637] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0278.637] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a790 | out: pbBuffer=0x12a9a790) returned 1 [0278.638] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8yIiPY3PM2qXZ.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8yiipy3pm2qxz.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.638] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.638] WriteFile (in: hFile=0x42c, lpBuffer=0x12e72500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12e72500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.638] CloseHandle (hObject=0x42c) returned 1 [0278.649] CloseHandle (hObject=0x45c) returned 1 [0278.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ade0 | out: pbBuffer=0x12a9ade0) returned 1 [0278.656] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8yIiPY3PM2qXZ.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8yiipy3pm2qxz.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[D7D54E375C9BFD11]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[d7d54e375c9bfd11]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.758] SetEvent (hEvent=0x110) returned 1 [0278.758] SetEvent (hEvent=0x3f8) returned 1 [0278.759] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\NolPnYVxwc-.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nolpnyvxwc-.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0278.760] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.760] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\NolPnYVxwc-.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nolpnyvxwc-.m4a"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79bd2f50, ftCreationTime.dwHighDateTime=0x1d81f3c, ftLastAccessTime.dwLowDateTime=0x20a5e630, ftLastAccessTime.dwHighDateTime=0x1d82470, ftLastWriteTime.dwLowDateTime=0x20a5e630, ftLastWriteTime.dwHighDateTime=0x1d82470, nFileSizeHigh=0x0, nFileSizeLow=0xd80c)) returned 1 [0278.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e780 | out: pbBuffer=0x1280e780) returned 1 [0278.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b090 | out: pbBuffer=0x12a9b090) returned 1 [0278.760] ReadFile (in: hFile=0x1a4, lpBuffer=0x12c70000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c70000*, lpNumberOfBytesRead=0x1282fd1c*=0xd80c, lpOverlapped=0x0) returned 1 [0278.763] GetFileType (hFile=0x1a4) returned 0x1 [0278.763] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.763] WriteFile (in: hFile=0x1a4, lpBuffer=0x12cb0000*, nNumberOfBytesToWrite=0xd80c, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12cb0000*, lpNumberOfBytesWritten=0x1282fd00*=0xd80c, lpOverlapped=0x1282fd0c) returned 1 [0278.763] GetFileType (hFile=0x1a4) returned 0x1 [0278.763] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xd80c, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801781 | out: pbBuffer=0x12801781) returned 1 [0278.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801881 | out: pbBuffer=0x12801881) returned 1 [0278.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801981 | out: pbBuffer=0x12801981) returned 1 [0278.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b148 | out: pbBuffer=0x12a9b148) returned 1 [0278.765] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\NolPnYVxwc-.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nolpnyvxwc-.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.765] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.765] WriteFile (in: hFile=0x42c, lpBuffer=0x12e73900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12e73900*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.765] CloseHandle (hObject=0x42c) returned 1 [0278.770] CloseHandle (hObject=0x1a4) returned 1 [0278.779] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b160 | out: pbBuffer=0x12a9b160) returned 1 [0278.779] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\NolPnYVxwc-.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nolpnyvxwc-.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[5CDE1D1A175235AF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[5cde1d1a175235af]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.865] SetEvent (hEvent=0x110) returned 1 [0278.865] SetEvent (hEvent=0x3f8) returned 1 [0278.865] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WHnWOXyFUJT1M8QR5fnu.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\whnwoxyfujt1m8qr5fnu.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0278.866] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.866] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WHnWOXyFUJT1M8QR5fnu.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\whnwoxyfujt1m8qr5fnu.m4a"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a0c530, ftCreationTime.dwHighDateTime=0x1d82232, ftLastAccessTime.dwLowDateTime=0xe06d7d80, ftLastAccessTime.dwHighDateTime=0x1d827b7, ftLastWriteTime.dwLowDateTime=0xe06d7d80, ftLastWriteTime.dwHighDateTime=0x1d827b7, nFileSizeHigh=0x0, nFileSizeLow=0x14067)) returned 1 [0278.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0278.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34048 | out: pbBuffer=0x12c34048) returned 1 [0278.867] ReadFile (in: hFile=0x45c, lpBuffer=0x12e1a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e1a000*, lpNumberOfBytesRead=0x1282fd1c*=0x14067, lpOverlapped=0x0) returned 1 [0278.870] GetFileType (hFile=0x45c) returned 0x1 [0278.870] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.870] WriteFile (in: hFile=0x45c, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x14067, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x1282fd00*=0x14067, lpOverlapped=0x1282fd0c) returned 1 [0278.870] GetFileType (hFile=0x45c) returned 0x1 [0278.870] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x14067, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0278.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0278.871] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0278.871] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0278.871] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34100 | out: pbBuffer=0x12c34100) returned 1 [0278.871] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WHnWOXyFUJT1M8QR5fnu.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\whnwoxyfujt1m8qr5fnu.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.871] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0278.871] WriteFile (in: hFile=0x42c, lpBuffer=0x128e4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128e4000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.871] CloseHandle (hObject=0x42c) returned 1 [0278.876] CloseHandle (hObject=0x45c) returned 1 [0278.879] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34118 | out: pbBuffer=0x12c34118) returned 1 [0278.880] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WHnWOXyFUJT1M8QR5fnu.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\whnwoxyfujt1m8qr5fnu.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[A7ECC6B5C0870D42]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[a7ecc6b5c0870d42]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0279.137] SetEvent (hEvent=0x3f8) returned 1 [0279.137] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2qPX6.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2qpx6.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0279.138] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0279.139] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2qPX6.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2qpx6.bmp"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff09880, ftCreationTime.dwHighDateTime=0x1d81f43, ftLastAccessTime.dwLowDateTime=0xa062dd90, ftLastAccessTime.dwHighDateTime=0x1d82396, ftLastWriteTime.dwLowDateTime=0xa062dd90, ftLastWriteTime.dwHighDateTime=0x1d82396, nFileSizeHigh=0x0, nFileSizeLow=0xc20f)) returned 1 [0279.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eb60 | out: pbBuffer=0x1280eb60) returned 1 [0279.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c344a8 | out: pbBuffer=0x12c344a8) returned 1 [0279.139] ReadFile (in: hFile=0x45c, lpBuffer=0x12b9e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b9e000*, lpNumberOfBytesRead=0x1282fd1c*=0xc20f, lpOverlapped=0x0) returned 1 [0279.141] GetFileType (hFile=0x45c) returned 0x1 [0279.141] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0279.142] WriteFile (in: hFile=0x45c, lpBuffer=0x12bf6000*, nNumberOfBytesToWrite=0xc20f, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12bf6000*, lpNumberOfBytesWritten=0x1282fd00*=0xc20f, lpOverlapped=0x1282fd0c) returned 1 [0279.142] GetFileType (hFile=0x45c) returned 0x1 [0279.142] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xc20f, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0279.142] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd301 | out: pbBuffer=0x12afd301) returned 1 [0279.142] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd401 | out: pbBuffer=0x12afd401) returned 1 [0279.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd501 | out: pbBuffer=0x12afd501) returned 1 [0279.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34560 | out: pbBuffer=0x12c34560) returned 1 [0279.143] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2qPX6.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2qpx6.bmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0279.143] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0279.143] WriteFile (in: hFile=0x42c, lpBuffer=0x128e5900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128e5900*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0279.143] CloseHandle (hObject=0x42c) returned 1 [0279.151] CloseHandle (hObject=0x45c) returned 1 [0279.172] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34578 | out: pbBuffer=0x12c34578) returned 1 [0279.172] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2qPX6.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2qpx6.bmp"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[D0B40F4938340D9F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[d0b40f4938340d9f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0280.172] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iFdAmmAFYX4CdXqN.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ifdammafyx4cdxqn.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe90ec7a0, ftCreationTime.dwHighDateTime=0x1d81bff, ftLastAccessTime.dwLowDateTime=0x7574d0, ftLastAccessTime.dwHighDateTime=0x1d82208, ftLastWriteTime.dwLowDateTime=0x7574d0, ftLastWriteTime.dwHighDateTime=0x1d82208, nFileSizeHigh=0x0, nFileSizeLow=0x8bd4)) returned 1 [0280.172] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0280.205] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffb20, ulCount=0x10, ulNumEntriesRemoved=0x329ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffb20, ulNumEntriesRemoved=0x329ffb04) returned 0 [0280.205] SwitchToThread () returned 1 [0280.210] SetEvent (hEvent=0x110) returned 1 [0280.210] SetEvent (hEvent=0x19c) returned 1 [0280.211] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\k M94JU5AVmadGtlfkKp.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\k m94ju5avmadgtlfkkp.csv"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed78bd00, ftCreationTime.dwHighDateTime=0x1d82348, ftLastAccessTime.dwLowDateTime=0xf4b4b9c0, ftLastAccessTime.dwHighDateTime=0x1d82802, ftLastWriteTime.dwLowDateTime=0xf4b4b9c0, ftLastWriteTime.dwHighDateTime=0x1d82802, nFileSizeHigh=0x0, nFileSizeLow=0x1211d)) returned 1 [0280.212] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0280.354] SetEvent (hEvent=0x19c) returned 1 [0280.355] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0280.449] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0280.558] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffb28, ulCount=0x10, ulNumEntriesRemoved=0x329ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffb28, ulNumEntriesRemoved=0x329ffb0c) returned 0 [0280.559] SetEvent (hEvent=0x110) returned 1 [0280.559] SetEvent (hEvent=0x3f4) returned 1 [0280.559] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1) returned 0x0 [0280.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0280.711] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\e30J.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e30j.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0280.712] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0280.712] WriteFile (in: hFile=0x45c, lpBuffer=0x12b0c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b0c000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0280.712] CloseHandle (hObject=0x45c) returned 1 [0280.712] CloseHandle (hObject=0x460) returned 1 [0280.712] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a020 | out: pbBuffer=0x12a9a020) returned 1 [0280.712] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\e30J.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e30j.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[47ACB9134EE2D1F5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[47acb9134ee2d1f5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0280.715] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sLFOy4ycVM9cI.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\slfoy4ycvm9ci.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0280.715] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0280.715] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sLFOy4ycVM9cI.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\slfoy4ycvm9ci.wav"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9fc2f40, ftCreationTime.dwHighDateTime=0x1d8284b, ftLastAccessTime.dwLowDateTime=0xab90c70, ftLastAccessTime.dwHighDateTime=0x1d82958, ftLastWriteTime.dwLowDateTime=0xab90c70, ftLastWriteTime.dwHighDateTime=0x1d82958, nFileSizeHigh=0x0, nFileSizeLow=0x15499)) returned 1 [0280.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98340 | out: pbBuffer=0x12a98340) returned 1 [0280.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a068 | out: pbBuffer=0x12a9a068) returned 1 [0280.716] ReadFile (in: hFile=0x460, lpBuffer=0x128ee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x128ee000*, lpNumberOfBytesRead=0x1282bd1c*=0x15499, lpOverlapped=0x0) returned 1 [0280.718] GetFileType (hFile=0x460) returned 0x1 [0280.718] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0280.719] WriteFile (in: hFile=0x460, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x15499, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x1282bd00*=0x15499, lpOverlapped=0x1282bd0c) returned 1 [0280.719] GetFileType (hFile=0x460) returned 0x1 [0280.719] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x15499, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0280.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0280.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0280.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0280.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a130 | out: pbBuffer=0x12a9a130) returned 1 [0280.720] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sLFOy4ycVM9cI.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\slfoy4ycvm9ci.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0280.720] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0280.720] WriteFile (in: hFile=0x45c, lpBuffer=0x12b0c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b0c500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0280.720] CloseHandle (hObject=0x45c) returned 1 [0280.720] CloseHandle (hObject=0x460) returned 1 [0280.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a148 | out: pbBuffer=0x12a9a148) returned 1 [0280.720] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sLFOy4ycVM9cI.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\slfoy4ycvm9ci.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[C170092AF940DC57]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[c170092af940dc57]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0283.505] SetEvent (hEvent=0x3f4) returned 1 [0283.505] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vUti7rOBpW80TdxP8cY.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vuti7robpw80tdxp8cy.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0283.507] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0283.507] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vUti7rOBpW80TdxP8cY.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vuti7robpw80tdxp8cy.wav"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85694180, ftCreationTime.dwHighDateTime=0x1d82906, ftLastAccessTime.dwLowDateTime=0x8a488980, ftLastAccessTime.dwHighDateTime=0x1d829a2, ftLastWriteTime.dwLowDateTime=0x8a488980, ftLastWriteTime.dwHighDateTime=0x1d829a2, nFileSizeHigh=0x0, nFileSizeLow=0xa5e8)) returned 1 [0283.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0283.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914768 | out: pbBuffer=0x12914768) returned 1 [0283.508] ReadFile (in: hFile=0x460, lpBuffer=0x12bde000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bde000*, lpNumberOfBytesRead=0x1282bd1c*=0xa5e8, lpOverlapped=0x0) returned 1 [0283.510] GetFileType (hFile=0x460) returned 0x1 [0283.510] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0283.510] WriteFile (in: hFile=0x460, lpBuffer=0x128a8000*, nNumberOfBytesToWrite=0xa5e8, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x128a8000*, lpNumberOfBytesWritten=0x1282bd00*=0xa5e8, lpOverlapped=0x1282bd0c) returned 1 [0283.511] GetFileType (hFile=0x460) returned 0x1 [0283.511] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa5e8, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0283.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0283.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801481 | out: pbBuffer=0x12801481) returned 1 [0283.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0283.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914820 | out: pbBuffer=0x12914820) returned 1 [0283.512] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vUti7rOBpW80TdxP8cY.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vuti7robpw80tdxp8cy.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0283.512] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0283.512] WriteFile (in: hFile=0x45c, lpBuffer=0x128e4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x128e4500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0283.512] CloseHandle (hObject=0x45c) returned 1 [0283.512] CloseHandle (hObject=0x460) returned 1 [0283.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914838 | out: pbBuffer=0x12914838) returned 1 [0283.513] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vUti7rOBpW80TdxP8cY.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vuti7robpw80tdxp8cy.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[B573BD48D81B8258]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[b573bd48d81b8258]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0283.517] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\wBOpnOckzLCjDDK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wbopnockzlcjddk.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb982b0, ftCreationTime.dwHighDateTime=0x1d81be8, ftLastAccessTime.dwLowDateTime=0x45a32fb0, ftLastAccessTime.dwHighDateTime=0x1d82619, ftLastWriteTime.dwLowDateTime=0x45a32fb0, ftLastWriteTime.dwHighDateTime=0x1d82619, nFileSizeHigh=0x0, nFileSizeLow=0x5606)) returned 1 [0283.707] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents" (normalized: "c:\\users\\rdhj0cnfevzx\\documents"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf56cf76f, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf56cf76f, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0283.707] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents" (normalized: "c:\\users\\rdhj0cnfevzx\\documents"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0283.707] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf56cf76f, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf56cf76f, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0283.724] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf56cf76f, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf56cf76f, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d8a5680, ftCreationTime.dwHighDateTime=0x1d7dc37, ftLastAccessTime.dwLowDateTime=0x4bf540, ftLastAccessTime.dwHighDateTime=0x1d801c6, ftLastWriteTime.dwLowDateTime=0x4bf540, ftLastWriteTime.dwHighDateTime=0x1d801c6, nFileSizeHigh=0x0, nFileSizeLow=0xa472, dwReserved0=0x0, dwReserved1=0x0, cFileName="-iNHujDwVSFtWaHT.pptx", cAlternateFileName="-INHUJ~1.PPT")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e0facc0, ftCreationTime.dwHighDateTime=0x1d82769, ftLastAccessTime.dwLowDateTime=0x9e1e2af0, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0x9e1e2af0, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0xb1b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="1m3AdHRfakiQWrz520K.docx", cAlternateFileName="1M3ADH~1.DOC")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e11e8e0, ftCreationTime.dwHighDateTime=0x1d81b30, ftLastAccessTime.dwLowDateTime=0xd6132b90, ftLastAccessTime.dwHighDateTime=0x1d827a4, ftLastWriteTime.dwLowDateTime=0xd6132b90, ftLastWriteTime.dwHighDateTime=0x1d827a4, nFileSizeHigh=0x0, nFileSizeLow=0x16318, dwReserved0=0x0, dwReserved1=0x0, cFileName="3KlVispw4PwdDalH1e5.ots", cAlternateFileName="3KLVIS~1.OTS")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40ec680, ftCreationTime.dwHighDateTime=0x1d8119f, ftLastAccessTime.dwLowDateTime=0x478a4e70, ftLastAccessTime.dwHighDateTime=0x1d81ff3, ftLastWriteTime.dwLowDateTime=0x478a4e70, ftLastWriteTime.dwHighDateTime=0x1d81ff3, nFileSizeHigh=0x0, nFileSizeLow=0x17c82, dwReserved0=0x0, dwReserved1=0x0, cFileName="7b-tUwDy4MhvYA.docx", cAlternateFileName="7B-TUW~1.DOC")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75ccaff0, ftCreationTime.dwHighDateTime=0x1d7a224, ftLastAccessTime.dwLowDateTime=0x36cd7db0, ftLastAccessTime.dwHighDateTime=0x1d7e8cf, ftLastWriteTime.dwLowDateTime=0x36cd7db0, ftLastWriteTime.dwHighDateTime=0x1d7e8cf, nFileSizeHigh=0x0, nFileSizeLow=0x18f6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="bJHrKFh47XxzRpF4.docx", cAlternateFileName="BJHRKF~1.DOC")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bd037b0, ftCreationTime.dwHighDateTime=0x1d8006c, ftLastAccessTime.dwLowDateTime=0x754a60e0, ftLastAccessTime.dwHighDateTime=0x1d82979, ftLastWriteTime.dwLowDateTime=0x754a60e0, ftLastWriteTime.dwHighDateTime=0x1d82979, nFileSizeHigh=0x0, nFileSizeLow=0xc4fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="BJWSz.xlsx", cAlternateFileName="BJWSZ~1.XLS")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4372e947, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84bb0450, ftCreationTime.dwHighDateTime=0x1d817e8, ftLastAccessTime.dwLowDateTime=0x6a574b90, ftLastAccessTime.dwHighDateTime=0x1d824eb, ftLastWriteTime.dwLowDateTime=0x6a574b90, ftLastWriteTime.dwHighDateTime=0x1d824eb, nFileSizeHigh=0x0, nFileSizeLow=0x8631, dwReserved0=0x0, dwReserved1=0x0, cFileName="fxKjYnPBbwwwVQ.pptx", cAlternateFileName="FXKJYN~1.PPT")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1c3d650, ftCreationTime.dwHighDateTime=0x1d828af, ftLastAccessTime.dwLowDateTime=0x2cc07500, ftLastAccessTime.dwHighDateTime=0x1d82981, ftLastWriteTime.dwLowDateTime=0x2cc07500, ftLastWriteTime.dwHighDateTime=0x1d82981, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="H0wX0.doc", cAlternateFileName="")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7117d00, ftCreationTime.dwHighDateTime=0x1d8258e, ftLastAccessTime.dwLowDateTime=0x2822eca0, ftLastAccessTime.dwHighDateTime=0x1d82592, ftLastWriteTime.dwLowDateTime=0x2822eca0, ftLastWriteTime.dwHighDateTime=0x1d82592, nFileSizeHigh=0x0, nFileSizeLow=0x12293, dwReserved0=0x0, dwReserved1=0x0, cFileName="jLJRUuMccxBs.xls", cAlternateFileName="JLJRUU~1.XLS")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0283.725] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x65ef9a5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x739f1480, ftCreationTime.dwHighDateTime=0x1d81d89, ftLastAccessTime.dwLowDateTime=0x357dc3f0, ftLastAccessTime.dwHighDateTime=0x1d821ed, ftLastWriteTime.dwLowDateTime=0x357dc3f0, ftLastWriteTime.dwHighDateTime=0x1d821ed, nFileSizeHigh=0x0, nFileSizeLow=0xb2ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oy1La6ngv.pptx", cAlternateFileName="OY1LA6~1.PPT")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e6d6db0, ftCreationTime.dwHighDateTime=0x1d7f172, ftLastAccessTime.dwLowDateTime=0x87605420, ftLastAccessTime.dwHighDateTime=0x1d81af0, ftLastWriteTime.dwLowDateTime=0x87605420, ftLastWriteTime.dwHighDateTime=0x1d81af0, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SBXGxY5lR7LJ4DebJNW.docx", cAlternateFileName="SBXGXY~1.DOC")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1cb00a0, ftCreationTime.dwHighDateTime=0x1d7daef, ftLastAccessTime.dwLowDateTime=0x48939730, ftLastAccessTime.dwHighDateTime=0x1d8002d, ftLastWriteTime.dwLowDateTime=0x48939730, ftLastWriteTime.dwHighDateTime=0x1d8002d, nFileSizeHigh=0x0, nFileSizeLow=0x18540, dwReserved0=0x0, dwReserved1=0x0, cFileName="SEi KnrwjhMD.xlsx", cAlternateFileName="SEIKNR~1.XLS")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f02fb00, ftCreationTime.dwHighDateTime=0x1d7cc31, ftLastAccessTime.dwLowDateTime=0x37179300, ftLastAccessTime.dwHighDateTime=0x1d7e311, ftLastWriteTime.dwLowDateTime=0x37179300, ftLastWriteTime.dwHighDateTime=0x1d7e311, nFileSizeHigh=0x0, nFileSizeLow=0x1b3d, dwReserved0=0x0, dwReserved1=0x0, cFileName="tLhwJhSyQ.pptx", cAlternateFileName="TLHWJH~1.PPT")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d0cdb50, ftCreationTime.dwHighDateTime=0x1d81bad, ftLastAccessTime.dwLowDateTime=0x2abc4050, ftLastAccessTime.dwHighDateTime=0x1d82a20, ftLastWriteTime.dwLowDateTime=0x2abc4050, ftLastWriteTime.dwHighDateTime=0x1d82a20, nFileSizeHigh=0x0, nFileSizeLow=0x10cec, dwReserved0=0x0, dwReserved1=0x0, cFileName="vaWpAP.ods", cAlternateFileName="")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfbeae10, ftCreationTime.dwHighDateTime=0x1d7a0d4, ftLastAccessTime.dwLowDateTime=0xeba003c0, ftLastAccessTime.dwHighDateTime=0x1d7e42e, ftLastWriteTime.dwLowDateTime=0xeba003c0, ftLastWriteTime.dwHighDateTime=0x1d7e42e, nFileSizeHigh=0x0, nFileSizeLow=0x5018, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yak2nzyz8-XQrO0Xk7Kp.docx", cAlternateFileName="YAK2NZ~1.DOC")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45801620, ftCreationTime.dwHighDateTime=0x1d79fb8, ftLastAccessTime.dwLowDateTime=0xceeb0890, ftLastAccessTime.dwHighDateTime=0x1d7e089, ftLastWriteTime.dwLowDateTime=0xceeb0890, ftLastWriteTime.dwHighDateTime=0x1d7e089, nFileSizeHigh=0x0, nFileSizeLow=0x758d, dwReserved0=0x0, dwReserved1=0x0, cFileName="yFisAPT.xlsx", cAlternateFileName="YFISAP~1.XLS")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cc9cd70, ftCreationTime.dwHighDateTime=0x1d7e298, ftLastAccessTime.dwLowDateTime=0x49d4bef0, ftLastAccessTime.dwHighDateTime=0x1d8081e, ftLastWriteTime.dwLowDateTime=0x49d4bef0, ftLastWriteTime.dwHighDateTime=0x1d8081e, nFileSizeHigh=0x0, nFileSizeLow=0x956, dwReserved0=0x0, dwReserved1=0x0, cFileName="yV xDCB5D.xlsx", cAlternateFileName="YVXDCB~1.XLS")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x757659f0, ftCreationTime.dwHighDateTime=0x1d7f523, ftLastAccessTime.dwLowDateTime=0x4b847e0, ftLastAccessTime.dwHighDateTime=0x1d7faa6, ftLastWriteTime.dwLowDateTime=0x4b847e0, ftLastWriteTime.dwHighDateTime=0x1d7faa6, nFileSizeHigh=0x0, nFileSizeLow=0x205f, dwReserved0=0x0, dwReserved1=0x0, cFileName="yWM-.xlsx", cAlternateFileName="YWM-~1.XLS")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63829830, ftCreationTime.dwHighDateTime=0x1d7f618, ftLastAccessTime.dwLowDateTime=0x62c620e0, ftLastAccessTime.dwHighDateTime=0x1d808ee, ftLastWriteTime.dwLowDateTime=0x62c620e0, ftLastWriteTime.dwHighDateTime=0x1d808ee, nFileSizeHigh=0x0, nFileSizeLow=0x6e92, dwReserved0=0x0, dwReserved1=0x0, cFileName="zfK8pBoO-F9HXS4.pptx", cAlternateFileName="ZFK8PB~1.PPT")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa711560, ftCreationTime.dwHighDateTime=0x1d8233a, ftLastAccessTime.dwLowDateTime=0xb06b2300, ftLastAccessTime.dwHighDateTime=0x1d82512, ftLastWriteTime.dwLowDateTime=0xb06b2300, ftLastWriteTime.dwHighDateTime=0x1d82512, nFileSizeHigh=0x0, nFileSizeLow=0xb33d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZTOm-.pps", cAlternateFileName="")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3958c00, ftCreationTime.dwHighDateTime=0x1d821d8, ftLastAccessTime.dwLowDateTime=0x3af9a3e0, ftLastAccessTime.dwHighDateTime=0x1d821f6, ftLastWriteTime.dwLowDateTime=0x3af9a3e0, ftLastWriteTime.dwHighDateTime=0x1d821f6, nFileSizeHigh=0x0, nFileSizeLow=0xc70c, dwReserved0=0x0, dwReserved1=0x0, cFileName="_oMXb5UvMe.rtf", cAlternateFileName="_OMXB5~1.RTF")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81698b10, ftCreationTime.dwHighDateTime=0x1d820ca, ftLastAccessTime.dwLowDateTime=0xe5de5640, ftLastAccessTime.dwHighDateTime=0x1d826d6, ftLastWriteTime.dwLowDateTime=0xe5de5640, ftLastWriteTime.dwHighDateTime=0x1d826d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_oP0pbauaqCGB3", cAlternateFileName="_OP0PB~1")) returned 1 [0283.726] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0283.726] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0283.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0283.727] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0283.727] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0283.729] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0283.729] WriteFile (in: hFile=0x460, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0283.731] CloseHandle (hObject=0x460) returned 1 [0283.731] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\-iNHujDwVSFtWaHT.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-inhujdwvsftwaht.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d8a5680, ftCreationTime.dwHighDateTime=0x1d7dc37, ftLastAccessTime.dwLowDateTime=0x4bf540, ftLastAccessTime.dwHighDateTime=0x1d801c6, ftLastWriteTime.dwLowDateTime=0x4bf540, ftLastWriteTime.dwHighDateTime=0x1d801c6, nFileSizeHigh=0x0, nFileSizeLow=0xa472)) returned 1 [0283.731] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\wBOpnOckzLCjDDK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wbopnockzlcjddk.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0283.732] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0283.732] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\wBOpnOckzLCjDDK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wbopnockzlcjddk.jpg"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb982b0, ftCreationTime.dwHighDateTime=0x1d81be8, ftLastAccessTime.dwLowDateTime=0x45a32fb0, ftLastAccessTime.dwHighDateTime=0x1d82619, ftLastWriteTime.dwLowDateTime=0x45a32fb0, ftLastWriteTime.dwHighDateTime=0x1d82619, nFileSizeHigh=0x0, nFileSizeLow=0x5606)) returned 1 [0283.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845bc0 | out: pbBuffer=0x12845bc0) returned 1 [0283.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914ec0 | out: pbBuffer=0x12914ec0) returned 1 [0283.734] ReadFile (in: hFile=0x460, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x1282bd1c*=0x5606, lpOverlapped=0x0) returned 1 [0283.735] GetFileType (hFile=0x460) returned 0x1 [0283.735] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0283.735] WriteFile (in: hFile=0x460, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x5606, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x1282bd00*=0x5606, lpOverlapped=0x1282bd0c) returned 1 [0283.737] GetFileType (hFile=0x460) returned 0x1 [0283.737] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x5606, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0283.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801701 | out: pbBuffer=0x12801701) returned 1 [0283.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801801 | out: pbBuffer=0x12801801) returned 1 [0283.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801901 | out: pbBuffer=0x12801901) returned 1 [0283.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914f78 | out: pbBuffer=0x12914f78) returned 1 [0283.738] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\wBOpnOckzLCjDDK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wbopnockzlcjddk.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0283.738] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0283.739] WriteFile (in: hFile=0x45c, lpBuffer=0x128e4a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x128e4a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0283.739] CloseHandle (hObject=0x45c) returned 1 [0283.792] CloseHandle (hObject=0x460) returned 1 [0283.814] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0283.816] SetEvent (hEvent=0x1b8) returned 1 [0283.816] SetEvent (hEvent=0x3f4) returned 1 [0283.816] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34048 | out: pbBuffer=0x12c34048) returned 1 [0283.816] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iFdAmmAFYX4CdXqN.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ifdammafyx4cdxqn.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[B1D03CC9AC9C5383]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[b1d03cc9ac9c5383]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0283.946] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\7b-tUwDy4MhvYA.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\7b-tuwdy4mhvya.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0283.947] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0283.947] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\7b-tUwDy4MhvYA.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\7b-tuwdy4mhvya.docx"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40ec680, ftCreationTime.dwHighDateTime=0x1d8119f, ftLastAccessTime.dwLowDateTime=0x478a4e70, ftLastAccessTime.dwHighDateTime=0x1d81ff3, ftLastWriteTime.dwLowDateTime=0x478a4e70, ftLastWriteTime.dwHighDateTime=0x1d81ff3, nFileSizeHigh=0x0, nFileSizeLow=0x17c82)) returned 1 [0283.947] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845e20 | out: pbBuffer=0x12845e20) returned 1 [0283.947] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914fa8 | out: pbBuffer=0x12914fa8) returned 1 [0283.948] ReadFile (in: hFile=0x460, lpBuffer=0x12d64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d64000*, lpNumberOfBytesRead=0x12851d1c*=0x17c82, lpOverlapped=0x0) returned 1 [0283.961] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0284.263] SetEvent (hEvent=0x1d0) returned 1 [0284.276] SwitchToThread () returned 1 [0284.396] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0284.491] SetEvent (hEvent=0x1d0) returned 1 [0284.517] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\wBOpnOckzLCjDDK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wbopnockzlcjddk.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[84DCA5DB115ED77E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[84dca5db115ed77e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0284.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0284.521] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0284.521] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my pictures"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0284.521] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my pictures"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a4 [0284.521] GetFileInformationByHandle (in: hFile=0x1a4, lpFileInformation=0x12857ae8 | out: lpFileInformation=0x12857ae8) returned 1 [0284.521] GetFileInformationByHandleEx (in: hFile=0x1a4, FileInformationClass=0x9, lpFileInformation=0x12857ae0, dwBufferSize=0x8 | out: lpFileInformation=0x12857ae0) returned 1 [0284.521] CloseHandle (hObject=0x1a4) returned 1 [0284.522] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my videos"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0284.524] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my videos"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a4 [0284.525] GetFileInformationByHandle (in: hFile=0x1a4, lpFileInformation=0x12857ae8 | out: lpFileInformation=0x12857ae8) returned 1 [0284.525] GetFileInformationByHandleEx (in: hFile=0x1a4, FileInformationClass=0x9, lpFileInformation=0x12857ae0, dwBufferSize=0x8 | out: lpFileInformation=0x12857ae0) returned 1 [0284.525] CloseHandle (hObject=0x1a4) returned 1 [0284.525] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my pictures"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0284.525] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0284.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my videos"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0284.526] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0284.526] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x878c65f2, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0284.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0284.526] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0284.527] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.527] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878917cb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="achoo@gdllo.de.pst", cAlternateFileName="ACHOO@~1.PST")) returned 1 [0284.527] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0284.627] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0284.627] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0284.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0284.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0284.629] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0284.629] WriteFile (in: hFile=0x1a4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0289.123] CloseHandle (hObject=0x1a4) returned 1 [0289.132] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878917cb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x42400)) returned 1 [0289.133] SetEvent (hEvent=0x1b8) returned 1 [0289.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Oy1La6ngv.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oy1la6ngv.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x739f1480, ftCreationTime.dwHighDateTime=0x1d81d89, ftLastAccessTime.dwLowDateTime=0x357dc3f0, ftLastAccessTime.dwHighDateTime=0x1d821ed, ftLastWriteTime.dwLowDateTime=0x357dc3f0, ftLastWriteTime.dwHighDateTime=0x1d821ed, nFileSizeHigh=0x0, nFileSizeLow=0xb2ce)) returned 1 [0289.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SBXGxY5lR7LJ4DebJNW.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sbxgxy5lr7lj4debjnw.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e6d6db0, ftCreationTime.dwHighDateTime=0x1d7f172, ftLastAccessTime.dwLowDateTime=0x87605420, ftLastAccessTime.dwHighDateTime=0x1d81af0, ftLastWriteTime.dwLowDateTime=0x87605420, ftLastWriteTime.dwHighDateTime=0x1d81af0, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0289.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SEi KnrwjhMD.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sei knrwjhmd.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1cb00a0, ftCreationTime.dwHighDateTime=0x1d7daef, ftLastAccessTime.dwLowDateTime=0x48939730, ftLastAccessTime.dwHighDateTime=0x1d8002d, ftLastWriteTime.dwLowDateTime=0x48939730, ftLastWriteTime.dwHighDateTime=0x1d8002d, nFileSizeHigh=0x0, nFileSizeLow=0x18540)) returned 1 [0289.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Yak2nzyz8-XQrO0Xk7Kp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yak2nzyz8-xqro0xk7kp.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfbeae10, ftCreationTime.dwHighDateTime=0x1d7a0d4, ftLastAccessTime.dwLowDateTime=0xeba003c0, ftLastAccessTime.dwHighDateTime=0x1d7e42e, ftLastWriteTime.dwLowDateTime=0xeba003c0, ftLastWriteTime.dwHighDateTime=0x1d7e42e, nFileSizeHigh=0x0, nFileSizeLow=0x5018)) returned 1 [0289.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SEi KnrwjhMD.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sei knrwjhmd.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0289.136] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0289.136] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SEi KnrwjhMD.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sei knrwjhmd.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1cb00a0, ftCreationTime.dwHighDateTime=0x1d7daef, ftLastAccessTime.dwLowDateTime=0x48939730, ftLastAccessTime.dwHighDateTime=0x1d8002d, ftLastWriteTime.dwLowDateTime=0x48939730, ftLastWriteTime.dwHighDateTime=0x1d8002d, nFileSizeHigh=0x0, nFileSizeLow=0x18540)) returned 1 [0289.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7c80 | out: pbBuffer=0x12ac7c80) returned 1 [0289.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ed0 | out: pbBuffer=0x12849ed0) returned 1 [0289.137] ReadFile (in: hFile=0x1a4, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x12853d1c*=0x18540, lpOverlapped=0x0) returned 1 [0289.206] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0289.328] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0289.583] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81698b10, ftCreationTime.dwHighDateTime=0x1d820ca, ftLastAccessTime.dwLowDateTime=0xe5de5640, ftLastAccessTime.dwHighDateTime=0x1d826d6, ftLastWriteTime.dwLowDateTime=0xe5de5640, ftLastWriteTime.dwHighDateTime=0x1d826d6, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0289.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0289.584] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81698b10, ftCreationTime.dwHighDateTime=0x1d820ca, ftLastAccessTime.dwLowDateTime=0xe5de5640, ftLastAccessTime.dwHighDateTime=0x1d826d6, ftLastWriteTime.dwLowDateTime=0xe5de5640, ftLastWriteTime.dwHighDateTime=0x1d826d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0289.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81698b10, ftCreationTime.dwHighDateTime=0x1d820ca, ftLastAccessTime.dwLowDateTime=0xe5de5640, ftLastAccessTime.dwHighDateTime=0x1d826d6, ftLastWriteTime.dwLowDateTime=0xe5de5640, ftLastWriteTime.dwHighDateTime=0x1d826d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0289.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dcc8e40, ftCreationTime.dwHighDateTime=0x1d824e8, ftLastAccessTime.dwLowDateTime=0x6d7dd090, ftLastAccessTime.dwHighDateTime=0x1d827b7, ftLastWriteTime.dwLowDateTime=0x6d7dd090, ftLastWriteTime.dwHighDateTime=0x1d827b7, nFileSizeHigh=0x0, nFileSizeLow=0x3382, dwReserved0=0x0, dwReserved1=0x0, cFileName="1F4nJWJ0P5y.docx", cAlternateFileName="1F4NJW~1.DOC")) returned 1 [0289.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c106f0, ftCreationTime.dwHighDateTime=0x1d81dd6, ftLastAccessTime.dwLowDateTime=0x884da520, ftLastAccessTime.dwHighDateTime=0x1d828f8, ftLastWriteTime.dwLowDateTime=0x884da520, ftLastWriteTime.dwHighDateTime=0x1d828f8, nFileSizeHigh=0x0, nFileSizeLow=0x705e, dwReserved0=0x0, dwReserved1=0x0, cFileName="DT6iMyJba.xlsx", cAlternateFileName="DT6IMY~1.XLS")) returned 1 [0289.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38605f50, ftCreationTime.dwHighDateTime=0x1d824ff, ftLastAccessTime.dwLowDateTime=0xb1412210, ftLastAccessTime.dwHighDateTime=0x1d8264e, ftLastWriteTime.dwLowDateTime=0xb1412210, ftLastWriteTime.dwHighDateTime=0x1d8264e, nFileSizeHigh=0x0, nFileSizeLow=0x21e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="HDkvkngN2it Nq n.rtf", cAlternateFileName="HDKVKN~1.RTF")) returned 1 [0289.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3decfc0, ftCreationTime.dwHighDateTime=0x1d82061, ftLastAccessTime.dwLowDateTime=0x2cd1dbe0, ftLastAccessTime.dwHighDateTime=0x1d82528, ftLastWriteTime.dwLowDateTime=0x2cd1dbe0, ftLastWriteTime.dwHighDateTime=0x1d82528, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jZ-2JQCeXoLk", cAlternateFileName="JZ-2JQ~1")) returned 1 [0289.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa174a920, ftCreationTime.dwHighDateTime=0x1d824fe, ftLastAccessTime.dwLowDateTime=0xca3c850, ftLastAccessTime.dwHighDateTime=0x1d8284e, ftLastWriteTime.dwLowDateTime=0xca3c850, ftLastWriteTime.dwHighDateTime=0x1d8284e, nFileSizeHigh=0x0, nFileSizeLow=0x2452, dwReserved0=0x0, dwReserved1=0x0, cFileName="ohHut0PBID.docx", cAlternateFileName="OHHUT0~1.DOC")) returned 1 [0289.601] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf51736d0, ftCreationTime.dwHighDateTime=0x1d822f9, ftLastAccessTime.dwLowDateTime=0x814332a0, ftLastAccessTime.dwHighDateTime=0x1d82591, ftLastWriteTime.dwLowDateTime=0x814332a0, ftLastWriteTime.dwHighDateTime=0x1d82591, nFileSizeHigh=0x0, nFileSizeLow=0x12740, dwReserved0=0x0, dwReserved1=0x0, cFileName="Q1UFERaVErIPdJf.doc", cAlternateFileName="Q1UFER~1.DOC")) returned 1 [0289.602] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c138e40, ftCreationTime.dwHighDateTime=0x1d82439, ftLastAccessTime.dwLowDateTime=0x9c949710, ftLastAccessTime.dwHighDateTime=0x1d828f2, ftLastWriteTime.dwLowDateTime=0x9c949710, ftLastWriteTime.dwHighDateTime=0x1d828f2, nFileSizeHigh=0x0, nFileSizeLow=0x17013, dwReserved0=0x0, dwReserved1=0x0, cFileName="RnsshiYYS.xlsx", cAlternateFileName="RNSSHI~1.XLS")) returned 1 [0289.602] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe778d310, ftCreationTime.dwHighDateTime=0x1d81e28, ftLastAccessTime.dwLowDateTime=0x3a6cfbb0, ftLastAccessTime.dwHighDateTime=0x1d82611, ftLastWriteTime.dwLowDateTime=0x3a6cfbb0, ftLastWriteTime.dwHighDateTime=0x1d82611, nFileSizeHigh=0x0, nFileSizeLow=0x4e78, dwReserved0=0x0, dwReserved1=0x0, cFileName="rO-xa.pps", cAlternateFileName="")) returned 1 [0289.602] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0289.602] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0289.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0289.689] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0289.689] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0289.822] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0289.822] WriteFile (in: hFile=0x1a4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0289.823] CloseHandle (hObject=0x1a4) returned 1 [0289.824] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\1F4nJWJ0P5y.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\1f4njwj0p5y.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dcc8e40, ftCreationTime.dwHighDateTime=0x1d824e8, ftLastAccessTime.dwLowDateTime=0x6d7dd090, ftLastAccessTime.dwHighDateTime=0x1d827b7, ftLastWriteTime.dwLowDateTime=0x6d7dd090, ftLastWriteTime.dwHighDateTime=0x1d827b7, nFileSizeHigh=0x0, nFileSizeLow=0x3382)) returned 1 [0289.824] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0289.919] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0289.992] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffacc, ulCount=0x10, ulNumEntriesRemoved=0x329ffab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffacc, ulNumEntriesRemoved=0x329ffab0) returned 0 [0289.992] SetEvent (hEvent=0x1d0) returned 1 [0289.992] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x329ffab4, ulCount=0x10, ulNumEntriesRemoved=0x329ffa98, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x329ffab4, ulNumEntriesRemoved=0x329ffa98) returned 0 [0289.992] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x26d9) returned 0x102 [0300.058] SetEvent (hEvent=0x110) returned 1 [0300.204] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0xffffffff) returned 0x0 [0302.785] SetEvent (hEvent=0x420) returned 1 [0302.786] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1377b) returned 0x102 [0312.786] WaitForSingleObject (hHandle=0x104, dwMilliseconds=0x1106b) Thread: id = 6 os_tid = 0xe0c [0100.664] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32afff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32afff30*=0x108) returned 1 [0100.665] VirtualQuery (in: lpAddress=0x32afff40, lpBuffer=0x32afff40, dwLength=0x1c | out: lpBuffer=0x32afff40*(BaseAddress=0x32aff000, AllocationBase=0x32a00000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.665] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x10c [0100.665] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0100.697] SwitchToThread () returned 1 [0100.742] SetEvent (hEvent=0xfc) returned 1 [0100.742] SetEvent (hEvent=0xf4) returned 1 [0100.742] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0110.247] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0110.407] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0111.670] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0113.096] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0113.334] SwitchToThread () returned 1 [0113.338] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x128321c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0113.339] CloseHandle (hObject=0x1ac) returned 1 [0113.339] GetProcAddress (hModule=0x75310000, lpProcName="bind") returned 0x75323230 [0113.340] bind (s=0x1a4, addr=0x1280e248*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0113.359] GetProcAddress (hModule=0x75310000, lpProcName="socket") returned 0x7531e6b0 [0113.359] socket (af=2, type=1, protocol=6) returned 0x1b4 [0113.359] GetProcAddress (hModule=0x75310000, lpProcName="WSAIoctl") returned 0x75322f70 [0113.359] WSAIoctl (in: s=0x1b4, dwIoControlCode=0xc8000006, lpvInBuffer=0x88b760, cbInBuffer=0x10, lpvOutBuffer=0x8bbbac, cbOutBuffer=0x4, lpcbBytesReturned=0x1282978c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x8bbbac, lpcbBytesReturned=0x1282978c, lpOverlapped=0x0) returned 0 [0113.360] GetProcAddress (hModule=0x75600000, lpProcName="CloseHandle") returned 0x75626630 [0113.360] CloseHandle (hObject=0x1b4) returned 1 [0113.360] ConnectEx (in: s=0x1a4, name=0x1280e228*(sa_family=2, sin_port=0x1bb, sin_addr="149.154.167.220"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x0, lpOverlapped=0x128e6088 | out: lpdwBytesSent=0x0) returned 0 [0113.362] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affacc, ulCount=0x10, ulNumEntriesRemoved=0x32affab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affacc, ulNumEntriesRemoved=0x32affab0) returned 0 [0113.362] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affacc, ulCount=0x10, ulNumEntriesRemoved=0x32affab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x32affacc, ulNumEntriesRemoved=0x32affab0) returned 1 [0113.616] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6088, lpcbTransfer=0x32affaac, fWait=0, lpdwFlags=0x32affabc | out: lpcbTransfer=0x32affaac, lpdwFlags=0x32affabc) returned 1 [0113.785] SetEvent (hEvent=0x110) returned 1 [0113.786] setsockopt (s=0x1a4, level=65535, optname=28688, optval="¤\x01", optlen=4) returned 0 [0113.823] SetEvent (hEvent=0x1b8) returned 1 [0113.880] GetProcAddress (hModule=0x75310000, lpProcName="getsockname") returned 0x75323830 [0113.889] getsockname (in: s=0x1a4, name=0x12829890, namelen=0x1282988c | out: name=0x12829890*(sa_family=2, sin_port=0xc231, sin_addr="192.168.0.15"), namelen=0x1282988c) returned 0 [0113.889] GetProcAddress (hModule=0x75310000, lpProcName="getpeername") returned 0x753248b0 [0113.889] getpeername (in: s=0x1a4, name=0x12829890, namelen=0x1282988c | out: name=0x12829890*(sa_family=2, sin_port=0x1bb, sin_addr="149.154.167.220"), namelen=0x1282988c) returned 0 [0114.182] setsockopt (s=0x1a4, level=6, optname=1, optval="\x01", optlen=4) returned 0 [0114.218] setsockopt (s=0x1a4, level=65535, optname=8, optval="\x01", optlen=4) returned 0 [0114.218] WSAIoctl (in: s=0x1a4, dwIoControlCode=0x98000004, lpvInBuffer=0x12829b80, cbInBuffer=0xc, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x12829b78, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x12829b78, lpOverlapped=0x0) returned 0 [0114.670] LoadLibraryExW (lpLibFileName="advapi32.dll", hFile=0x0, dwFlags=0x800) returned 0x74650000 [0114.682] GetProcAddress (hModule=0x74650000, lpProcName="CryptAcquireContextW") returned 0x74670590 [0114.682] CryptAcquireContextW (in: phProv=0x12848284, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x12848284*=0xb40170) returned 1 [0115.584] GetProcAddress (hModule=0x74650000, lpProcName="CryptGenRandom") returned 0x746710a0 [0115.584] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1286421e | out: pbBuffer=0x1286421e) returned 1 [0115.638] SetEvent (hEvent=0xf4) returned 1 [0115.650] SetEvent (hEvent=0x104) returned 1 [0115.751] GetEnvironmentVariableW (in: lpName="GODEBUG", lpBuffer=0x1288ab60, nSize=0x64 | out: lpBuffer="") returned 0x0 [0115.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844520 | out: pbBuffer=0x12844520) returned 1 [0115.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844540 | out: pbBuffer=0x12844540) returned 1 [0116.207] GetProcAddress (hModule=0x75310000, lpProcName="WSASend") returned 0x75322de0 [0116.207] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0xee, buf=0x128f4000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0xee, lpOverlapped=0x128e6088) returned 0 [0116.312] GetProcAddress (hModule=0x75310000, lpProcName="WSARecv") returned 0x75322c50 [0116.312] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x205, buf=0x128f6000*)), lpNumberOfBytesRecvd=0x128e6034*=0x205, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0 [0116.414] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x1709, buf=0x128f819a*)), lpNumberOfBytesRecvd=0x128e6034*=0x13d3, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0 [0117.240] LoadLibraryExW (lpLibFileName="crypt32.dll", hFile=0x0, dwFlags=0x800) returned 0x775a0000 [0118.889] GetProcAddress (hModule=0x775a0000, lpProcName="CertCreateCertificateContext") returned 0x775c9aa0 [0118.889] CertCreateCertificateContext (dwCertEncodingType=0x10001, pbCertEncoded=0x1290150a, cbCertEncoded=0x6c2) returned 0xb403f8 [0118.896] GetProcAddress (hModule=0x775a0000, lpProcName="CertOpenStore") returned 0x775ddc50 [0118.896] CertOpenStore (lpszStoreProvider=0x2, dwEncodingType=0x0, hCryptProv=0x0, dwFlags=0x4, pvPara=0x0) returned 0xb40418 [0118.896] GetProcAddress (hModule=0x775a0000, lpProcName="CertAddCertificateContextToStore") returned 0x775b9cb0 [0118.896] CertAddCertificateContextToStore (in: hCertStore=0xb40418, pCertContext=0xb403f8, dwAddDisposition=0x4, ppStoreContext=0x12857a08 | out: ppStoreContext=0x12857a08) returned 1 [0118.897] CertCreateCertificateContext (dwCertEncodingType=0x10001, pbCertEncoded=0x12901bcf, cbCertEncoded=0x4d4) returned 0xb3fe48 [0118.897] CertAddCertificateContextToStore (in: hCertStore=0xb40418, pCertContext=0xb3fe48, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0118.897] GetProcAddress (hModule=0x775a0000, lpProcName="CertFreeCertificateContext") returned 0x775d03a0 [0118.897] CertFreeCertificateContext (pCertContext=0xb3fe48) returned 1 [0118.897] CertCreateCertificateContext (dwCertEncodingType=0x10001, pbCertEncoded=0x129020a6, cbCertEncoded=0x481) returned 0xb44220 [0118.897] CertAddCertificateContextToStore (in: hCertStore=0xb40418, pCertContext=0xb44220, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0118.897] CertFreeCertificateContext (pCertContext=0xb44220) returned 1 [0118.897] CertCreateCertificateContext (dwCertEncodingType=0x10001, pbCertEncoded=0x1290252a, cbCertEncoded=0x404) returned 0xb445e0 [0118.898] CertAddCertificateContextToStore (in: hCertStore=0xb40418, pCertContext=0xb445e0, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0118.898] CertFreeCertificateContext (pCertContext=0xb445e0) returned 1 [0118.898] GetProcAddress (hModule=0x775a0000, lpProcName="CertCloseStore") returned 0x775e1d20 [0118.898] CertCloseStore (hCertStore=0xb40418, dwFlags=0x0) returned 1 [0118.898] CertFreeCertificateContext (pCertContext=0xb403f8) returned 1 [0118.908] GetProcAddress (hModule=0x775a0000, lpProcName="CertGetCertificateChain") returned 0x775ecfc0 [0118.909] CertGetCertificateChain (in: hChainEngine=0x0, pCertContext=0xb3fc98, pTime=0x12857a54, hAdditionalStore=0xb40418, pChainPara=0x12857ab4, dwFlags=0x0, pvReserved=0x0, ppChainContext=0x12857a60 | out: ppChainContext=0x12857a60) returned 1 [0120.416] SetEvent (hEvent=0x110) returned 1 [0120.689] GetProcAddress (hModule=0x775a0000, lpProcName="CertVerifyCertificateChainPolicy") returned 0x775d9030 [0120.698] CertVerifyCertificateChainPolicy (in: pszPolicyOID=0x4, pChainContext=0x336aa950, pPolicyPara=0x128579c0, pPolicyStatus=0x12857a08 | out: pPolicyStatus=0x12857a08) returned 1 [0121.705] GetProcAddress (hModule=0x775a0000, lpProcName="CertFreeCertificateChain") returned 0x775d2fe0 [0121.705] CertFreeCertificateChain (pChainContext=0x336aa950) [0121.705] CertFreeCertificateContext (pCertContext=0xb3fc98) returned 1 [0122.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1283c400 | out: pbBuffer=0x1283c400) returned 1 [0122.752] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x5d, buf=0x128ce1e0*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x5d, lpOverlapped=0x128e6088) returned 0 [0122.779] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x13d3, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0122.935] SetEvent (hEvent=0x1d0) returned 1 [0123.107] SetEvent (hEvent=0x1d0) returned 1 [0123.249] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x5d, buf=0x128f4000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x5d, lpOverlapped=0x128e6088) returned 0 [0123.250] SetEvent (hEvent=0x1d0) returned 1 [0123.981] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x77, buf=0x128f4000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x77, lpOverlapped=0x128e6088) returned 0 [0123.997] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0124.085] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affacc, ulCount=0x10, ulNumEntriesRemoved=0x32affab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affacc, ulNumEntriesRemoved=0x32affab0) returned 0 [0124.085] SetEvent (hEvent=0x1d0) returned 1 [0124.085] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affab4, ulCount=0x10, ulNumEntriesRemoved=0x32affa98, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affab4, ulNumEntriesRemoved=0x32affa98) returned 0 [0124.085] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affab4, ulCount=0x10, ulNumEntriesRemoved=0x32affa98, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x32affab4, ulNumEntriesRemoved=0x32affa98) returned 1 [0124.343] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x32affa94, fWait=0, lpdwFlags=0x32affaa4 | out: lpcbTransfer=0x32affa94, lpdwFlags=0x32affaa4) returned 1 [0124.343] SetEvent (hEvent=0x1b8) returned 1 [0124.343] SetEvent (hEvent=0x110) returned 1 [0124.344] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0124.443] GetEnvironmentVariableW (in: lpName="WINDIR", lpBuffer=0x1288ac30, nSize=0x64 | out: lpBuffer="") returned 0xa [0124.478] GetProcAddress (hModule=0x75600000, lpProcName="GetFileAttributesExW") returned 0x75626a40 [0124.478] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Temp\\satan\\" (normalized: "c:\\windows\\temp\\satan"), fInfoLevelId=0x0, lpFileInformation=0x1285fb88 | out: lpFileInformation=0x1285fb88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0124.492] GetProcAddress (hModule=0x75600000, lpProcName="CreateFileW") returned 0x75626890 [0124.493] CreateFileW (lpFileName="C:\\Windows\\Temp\\satan\\" (normalized: "c:\\windows\\temp\\satan"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0124.535] GetProcAddress (hModule=0x75600000, lpProcName="CreateDirectoryW") returned 0x75626860 [0124.535] CreateDirectoryW (lpPathName="C:\\Windows\\Temp\\satan\\" (normalized: "c:\\windows\\temp\\satan"), lpSecurityAttributes=0x0) returned 1 [0124.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.605] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.605] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.609] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.615] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.616] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.692] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.693] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.696] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.697] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.699] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.702] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.703] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.704] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.708] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.709] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.710] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.712] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.713] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.714] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.716] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.716] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.717] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.718] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.722] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.723] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.774] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.779] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.814] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.816] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.818] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.819] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0124.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283c9c0 | out: pbBuffer=0x1283c9c0) returned 1 [0125.013] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.014] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.017] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.019] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.020] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.021] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.023] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.025] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.027] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.030] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.031] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.032] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.035] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.039] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.040] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.045] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.054] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.058] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.062] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.064] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.065] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.066] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.068] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.069] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.071] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.072] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.074] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.075] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.081] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.082] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.083] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.092] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.094] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.097] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.099] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.100] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.102] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.103] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.104] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.107] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.108] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x40, pbBuffer=0x1283dfc0 | out: pbBuffer=0x1283dfc0) returned 1 [0125.375] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129155d0 | out: pbBuffer=0x129155d0) returned 1 [0125.406] CreateFileW (lpFileName="C:\\Windows\\Temp\\satan\\satan0" (normalized: "c:\\windows\\temp\\satan\\satan0"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0125.412] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1285fd98 | out: lpMode=0x1285fd98) returned 0 [0125.412] GetProcAddress (hModule=0x75600000, lpProcName="WriteFile") returned 0x75626ca0 [0125.412] WriteFile (in: hFile=0x3c4, lpBuffer=0x128f2480*, nNumberOfBytesToWrite=0xb8, lpNumberOfBytesWritten=0x1285fd98, lpOverlapped=0x0 | out: lpBuffer=0x128f2480*, lpNumberOfBytesWritten=0x1285fd98*=0xb8, lpOverlapped=0x0) returned 1 [0125.413] CloseHandle (hObject=0x3c4) returned 1 [0125.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845900 | out: pbBuffer=0x12845900) returned 1 [0125.446] CryptGenRandom (in: hProv=0xb40170, dwLen=0x18, pbBuffer=0x12845940 | out: pbBuffer=0x12845940) returned 1 [0125.483] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x128ba401 | out: pbBuffer=0x128ba401) returned 1 [0125.484] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915678 | out: pbBuffer=0x12915678) returned 1 [0125.484] CreateFileW (lpFileName="C:\\Windows\\Temp\\satan\\satan1" (normalized: "c:\\windows\\temp\\satan\\satan1"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0125.485] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1285fd98 | out: lpMode=0x1285fd98) returned 0 [0125.485] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a6e000*, nNumberOfBytesToWrite=0x4b1, lpNumberOfBytesWritten=0x1285fd98, lpOverlapped=0x0 | out: lpBuffer=0x12a6e000*, lpNumberOfBytesWritten=0x1285fd98*=0x4b1, lpOverlapped=0x0) returned 1 [0125.486] CloseHandle (hObject=0x3c4) returned 1 [0125.488] CreateFileW (lpFileName="C:\\Windows\\Temp\\satan\\satan0" (normalized: "c:\\windows\\temp\\satan\\satan0"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0125.488] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1285fd98 | out: lpMode=0x1285fd98) returned 0 [0125.488] GetProcAddress (hModule=0x75600000, lpProcName="ReadFile") returned 0x75626bb0 [0125.488] ReadFile (in: hFile=0x3c4, lpBuffer=0x12a6c400, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1285fd38, lpOverlapped=0x0 | out: lpBuffer=0x12a6c400*, lpNumberOfBytesRead=0x1285fd38*=0xb8, lpOverlapped=0x0) returned 1 [0125.488] ReadFile (in: hFile=0x3c4, lpBuffer=0x12938cb8, nNumberOfBytesToRead=0x548, lpNumberOfBytesRead=0x1285fd38, lpOverlapped=0x0 | out: lpBuffer=0x12938cb8*, lpNumberOfBytesRead=0x1285fd38*=0x0, lpOverlapped=0x0) returned 1 [0125.489] CloseHandle (hObject=0x3c4) returned 1 [0125.489] CreateFileW (lpFileName="C:\\Windows\\Temp\\satan\\satan1" (normalized: "c:\\windows\\temp\\satan\\satan1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0125.489] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1285fd98 | out: lpMode=0x1285fd98) returned 0 [0125.489] ReadFile (in: hFile=0x3c4, lpBuffer=0x12a6c600, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1285fd38, lpOverlapped=0x0 | out: lpBuffer=0x12a6c600*, lpNumberOfBytesRead=0x1285fd38*=0x200, lpOverlapped=0x0) returned 1 [0125.489] ReadFile (in: hFile=0x3c4, lpBuffer=0x12939400, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x1285fd38, lpOverlapped=0x0 | out: lpBuffer=0x12939400*, lpNumberOfBytesRead=0x1285fd38*=0x2b1, lpOverlapped=0x0) returned 1 [0125.489] ReadFile (in: hFile=0x3c4, lpBuffer=0x12a704b1, nNumberOfBytesToRead=0x94f, lpNumberOfBytesRead=0x1285fd38, lpOverlapped=0x0 | out: lpBuffer=0x12a704b1*, lpNumberOfBytesRead=0x1285fd38*=0x0, lpOverlapped=0x0) returned 1 [0125.489] CloseHandle (hObject=0x3c4) returned 1 [0125.516] SetEvent (hEvent=0x1d0) returned 1 [0125.516] GetFileAttributesExW (in: lpFileName="share.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\share.txt"), fInfoLevelId=0x0, lpFileInformation=0x1285fb88 | out: lpFileInformation=0x1285fb88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0125.517] CreateFileW (lpFileName="share.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\share.txt"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0125.539] CreateFileW (lpFileName="A:\\" (normalized: "a:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.582] GetProcAddress (hModule=0x75600000, lpProcName="FindFirstFileW") returned 0x75626960 [0125.582] FindFirstFileW (in: lpFileName="A:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.588] CreateFileW (lpFileName="B:\\" (normalized: "b:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.589] FindFirstFileW (in: lpFileName="B:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.589] CreateFileW (lpFileName="C:\\" (normalized: "c:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.590] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x336666c0 [0125.596] CreateFileW (lpFileName="D:\\" (normalized: "d:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.596] FindFirstFileW (in: lpFileName="D:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.602] CreateFileW (lpFileName="E:\\" (normalized: "e:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.604] FindFirstFileW (in: lpFileName="E:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.609] CreateFileW (lpFileName="F:\\" (normalized: "f:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.609] FindFirstFileW (in: lpFileName="F:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.614] CreateFileW (lpFileName="G:\\" (normalized: "g:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.702] FindFirstFileW (in: lpFileName="G:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.709] CreateFileW (lpFileName="H:\\" (normalized: "h:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.710] FindFirstFileW (in: lpFileName="H:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.717] CreateFileW (lpFileName="I:\\" (normalized: "i:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.726] FindFirstFileW (in: lpFileName="I:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.732] CreateFileW (lpFileName="J:\\" (normalized: "j:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.733] FindFirstFileW (in: lpFileName="J:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.738] CreateFileW (lpFileName="K:\\" (normalized: "k:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.749] FindFirstFileW (in: lpFileName="K:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.754] CreateFileW (lpFileName="L:\\" (normalized: "l:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.878] FindFirstFileW (in: lpFileName="L:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.883] CreateFileW (lpFileName="M:\\" (normalized: "m:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.884] FindFirstFileW (in: lpFileName="M:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.889] CreateFileW (lpFileName="N:\\" (normalized: "n:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.889] FindFirstFileW (in: lpFileName="N:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.893] CreateFileW (lpFileName="O:\\" (normalized: "o:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.894] FindFirstFileW (in: lpFileName="O:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.898] CreateFileW (lpFileName="P:\\" (normalized: "p:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.899] FindFirstFileW (in: lpFileName="P:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.903] CreateFileW (lpFileName="Q:\\" (normalized: "q:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.904] FindFirstFileW (in: lpFileName="Q:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.909] CreateFileW (lpFileName="R:\\" (normalized: "r:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.910] FindFirstFileW (in: lpFileName="R:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.914] CreateFileW (lpFileName="S:\\" (normalized: "s:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.961] FindFirstFileW (in: lpFileName="S:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.965] CreateFileW (lpFileName="T:\\" (normalized: "t:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.966] FindFirstFileW (in: lpFileName="T:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.971] CreateFileW (lpFileName="U:\\" (normalized: "u:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.971] FindFirstFileW (in: lpFileName="U:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.976] CreateFileW (lpFileName="V:\\" (normalized: "v:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.977] FindFirstFileW (in: lpFileName="V:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.982] CreateFileW (lpFileName="W:\\" (normalized: "w:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.982] FindFirstFileW (in: lpFileName="W:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.988] CreateFileW (lpFileName="X:\\" (normalized: "x:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0125.989] FindFirstFileW (in: lpFileName="X:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0125.995] CreateFileW (lpFileName="Y:\\" (normalized: "y:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0126.041] FindFirstFileW (in: lpFileName="Y:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0126.049] CreateFileW (lpFileName="Z:\\" (normalized: "z:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0126.049] FindFirstFileW (in: lpFileName="Z:\\*", lpFindFileData=0x1285faa4 | out: lpFindFileData=0x1285faa4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0126.107] GetFileAttributesExW (in: lpFileName="C\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\c\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285fb88 | out: lpFileInformation=0x1285fb88*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0126.107] CreateFileW (lpFileName="C\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\c\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0126.126] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x128d2ce8 | out: lpFileInformation=0x128d2ce8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x31b3b9e4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe5d39a84, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xe5d39a84, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0126.128] CreateFileW (lpFileName="C:\\" (normalized: "c:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0126.128] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x12829bc0 | out: lpFindFileData=0x12829bc0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x33666600 [0126.129] GetProcAddress (hModule=0x75600000, lpProcName="FindNextFileW") returned 0x756269a0 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0xa8d4eb26, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xa99bf471, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x9829bce, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x9829bce, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xa99bf471, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0126.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829c04 | out: lpFindFileData=0x12829c04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0126.129] GetProcAddress (hModule=0x75600000, lpProcName="FindClose") returned 0x756268e0 [0126.129] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0126.149] GetFileAttributesExW (in: lpFileName="C:\\\\# SATAN CRYPTOR #.hta" (normalized: "c:\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12829888 | out: lpFileInformation=0x12829888*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0126.150] CreateFileW (lpFileName="C:\\\\# SATAN CRYPTOR #.hta" (normalized: "c:\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0126.150] CreateFileW (lpFileName="C:\\\\# SATAN CRYPTOR #.hta" (normalized: "c:\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0126.166] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0x12829a98 | out: lpMode=0x12829a98) returned 0 [0126.166] WriteFile (in: hFile=0x3d8, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12829a98, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12829a98*=0x118a, lpOverlapped=0x0) returned 1 [0126.168] CloseHandle (hObject=0x3d8) returned 1 [0126.169] GetFileAttributesExW (in: lpFileName="C:\\$Recycle.Bin" (normalized: "c:\\$recycle.bin"), fInfoLevelId=0x0, lpFileInformation=0x12829c84 | out: lpFileInformation=0x12829c84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0126.169] CreateFileW (lpFileName="C:\\$Recycle.Bin" (normalized: "c:\\$recycle.bin"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0126.170] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x12829b5c | out: lpFindFileData=0x12829b5c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0126.170] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0126.170] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0126.170] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0126.170] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0126.170] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0126.170] GetFileAttributesExW (in: lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), fInfoLevelId=0x0, lpFileInformation=0x12829c84 | out: lpFileInformation=0x12829c84*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1)) returned 1 [0126.180] GetProcAddress (hModule=0x75600000, lpProcName="GetTimeZoneInformation") returned 0x7561acc0 [0126.181] GetTimeZoneInformation (in: lpTimeZoneInformation=0x128299b4 | out: lpTimeZoneInformation=0x128299b4) returned 0x2 [0126.181] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), fInfoLevelId=0x0, lpFileInformation=0x12829c84 | out: lpFileInformation=0x12829c84*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0126.182] GetFileAttributesExW (in: lpFileName="C:\\Boot" (normalized: "c:\\boot"), fInfoLevelId=0x0, lpFileInformation=0x12829c84 | out: lpFileInformation=0x12829c84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0126.182] CreateFileW (lpFileName="C:\\Boot" (normalized: "c:\\boot"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0126.182] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x12829b5c | out: lpFindFileData=0x12829b5c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0126.183] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0126.261] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x6cefb557, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x6cefb557, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0126.262] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc2960, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0126.263] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0126.264] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0126.264] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0126.264] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0126.264] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0126.264] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829ba0 | out: lpFindFileData=0x12829ba0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0126.264] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0126.264] GetFileAttributesExW (in: lpFileName="C:\\Boot\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12829824 | out: lpFileInformation=0x12829824*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0126.264] CreateFileW (lpFileName="C:\\Boot\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0126.264] CreateFileW (lpFileName="C:\\Boot\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0126.676] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0x12829a34 | out: lpMode=0x12829a34) returned 0 [0126.979] WriteFile (in: hFile=0x3d8, lpBuffer=0x12b14000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12829a34, lpOverlapped=0x0 | out: lpBuffer=0x12b14000*, lpNumberOfBytesWritten=0x12829a34*=0x118a, lpOverlapped=0x0) returned 1 [0126.980] CloseHandle (hObject=0x3d8) returned 1 [0127.409] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x6cefb557, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x6cefb557, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0127.664] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0127.664] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0127.665] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0127.675] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0127.675] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0127.675] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0127.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b10360 | out: pbBuffer=0x12b10360) returned 1 [0127.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a8d540 | out: pbBuffer=0x12a8d540) returned 1 [0127.763] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0127.763] FindFirstFileW (in: lpFileName="C:\\Boot\\BCD.LOG\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0127.764] ReadFile (in: hFile=0x3d8, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0127.765] CloseHandle (hObject=0x3d8) returned 1 [0127.766] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0127.936] SwitchToThread () returned 1 [0128.037] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0128.037] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0128.037] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0128.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b103a0 | out: pbBuffer=0x12b103a0) returned 1 [0128.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a8d558 | out: pbBuffer=0x12a8d558) returned 1 [0128.038] ReadFile (in: hFile=0x3d8, lpBuffer=0x12bb0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bb0000*, lpNumberOfBytesRead=0x12923d1c*=0x10000, lpOverlapped=0x0) returned 1 [0128.237] VirtualAlloc (lpAddress=0x12c00000, dwSize=0x400000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c00000 [0128.252] VirtualAlloc (lpAddress=0x25c1000, dwSize=0x41000, flAllocationType=0x1000, flProtect=0x4) returned 0x25c1000 [0128.253] VirtualFree (lpAddress=0x12bf4000, dwSize=0xc000, dwFreeType=0x4000) returned 1 [0128.435] GetFileType (hFile=0x3d8) returned 0x1 [0128.435] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0128.435] WriteFile (in: hFile=0x3d8, lpBuffer=0x12c00000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12c00000*, lpNumberOfBytesWritten=0x12923d00*=0x10000, lpOverlapped=0x12923d0c) returned 1 [0128.569] GetFileType (hFile=0x3d8) returned 0x1 [0128.570] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0128.738] VirtualAlloc (lpAddress=0x12bf8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12bf8000 [0129.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0129.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0129.919] VirtualAlloc (lpAddress=0x12c1a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c1a000 [0129.920] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0129.929] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a8d610 | out: pbBuffer=0x12a8d610) returned 1 [0129.929] VirtualAlloc (lpAddress=0x12c1c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c1c000 [0129.929] VirtualAlloc (lpAddress=0x12c1e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c1e000 [0129.929] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3f8 [0129.930] GetConsoleMode (in: hConsoleHandle=0x3f8, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0129.930] WriteFile (in: hFile=0x3f8, lpBuffer=0x12c1e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c1e000*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0129.930] CloseHandle (hObject=0x3f8) returned 1 [0130.165] CloseHandle (hObject=0x3d8) returned 1 [0130.166] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a8d628 | out: pbBuffer=0x12a8d628) returned 1 [0130.166] MoveFileExW (lpExistingFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\Boot\\#_THIS_FILE_IS_ENCRYPTED_[99283AD8A3FE1DD2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\boot\\#_this_file_is_encrypted_[99283ad8a3fe1dd2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0130.167] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0130.269] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0130.430] SetEvent (hEvent=0x3f4) returned 1 [0130.430] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.430] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.431] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0130.723] SetEvent (hEvent=0x3f4) returned 1 [0130.723] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.724] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.724] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0130.870] SetEvent (hEvent=0x3f4) returned 1 [0130.870] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.870] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui\\*", lpFindFileData=0x12a95a44 | out: lpFindFileData=0x12a95a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.870] CreateFileW (lpFileName="C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.870] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\bootres.dll\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.870] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.870] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.871] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.871] VirtualAlloc (lpAddress=0x12c3c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c3c000 [0130.871] FindFirstFileW (in: lpFileName="C:\\Boot\\bootvhd.dll\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.871] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0130.937] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0130.952] SetEvent (hEvent=0x3f4) returned 1 [0130.952] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.952] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.953] SetEvent (hEvent=0x1b8) returned 1 [0130.953] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0131.936] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.937] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.937] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.937] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.937] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0131.993] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12826c40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x414 [0131.994] CloseHandle (hObject=0x414) returned 1 [0131.994] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.994] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.994] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0132.022] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0132.064] SetEvent (hEvent=0x40c) returned 1 [0132.064] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.065] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.065] CreateFileW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.065] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.065] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0132.129] SetEvent (hEvent=0x40c) returned 1 [0132.129] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.129] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.129] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0132.286] SetEvent (hEvent=0x40c) returned 1 [0132.286] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.286] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.286] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.286] FindFirstFileW (in: lpFileName="C:\\Boot\\memtest.exe\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.286] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0132.322] SetEvent (hEvent=0x40c) returned 1 [0132.322] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.322] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.322] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0134.540] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0151.609] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0163.593] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0164.366] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0164.428] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0164.429] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0164.429] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.429] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1 [0164.429] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0164.429] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0164.429] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0164.430] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0164.430] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0164.430] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0164.430] WriteFile (in: hFile=0x408, lpBuffer=0x12916000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12916000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0164.432] CloseHandle (hObject=0x408) returned 1 [0164.432] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0164.433] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0164.433] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0164.433] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.433] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0164.433] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0164.433] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0164.434] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0164.434] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0164.434] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0164.434] WriteFile (in: hFile=0x408, lpBuffer=0x12917300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12917300*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0164.436] CloseHandle (hObject=0x408) returned 1 [0164.437] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\UserData" (normalized: "c:\\programdata\\microsoft\\clicktorun\\userdata"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0164.438] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\UserData" (normalized: "c:\\programdata\\microsoft\\clicktorun\\userdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0164.438] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0164.438] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.438] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0164.448] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0164.448] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\userdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0164.449] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\userdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0164.449] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\userdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0164.450] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0164.450] WriteFile (in: hFile=0x408, lpBuffer=0x12918600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12918600*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0164.451] CloseHandle (hObject=0x408) returned 1 [0164.452] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x50ae9ce0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x50ae9ce0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0164.452] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0164.452] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x50ae9ce0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0164.642] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x50ae9ce0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.896] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ae9ce0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x50ae9ce0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa11790db, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x44e23, dwReserved0=0x0, dwReserved1=0x0, cFileName="AirSpace.Etw.man", cAlternateFileName="AIRSPA~1.MAN")) returned 1 [0164.896] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x844141f3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x844141f3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6448e57d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9786, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cAlternateFileName="C25A45~1.XML")) returned 1 [0164.896] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8436b436, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8436b436, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65211dfd, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xe048, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.accessmui.msi.16.en-us.xml", cAlternateFileName="C222C2~1.XML")) returned 1 [0164.896] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x654c802f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.accessmuiset.msi.16.en-us.xml", cAlternateFileName="C2FB2E~1.XML")) returned 1 [0164.896] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x644b4868, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x410e, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cAlternateFileName="C210C4~1.XML")) returned 1 [0164.896] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83460030, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83460030, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x653fa2bf, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2656, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.dcfmui.msi.16.en-us.xml", cAlternateFileName="C206B0~1.XML")) returned 1 [0164.897] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83201564, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83201564, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65d6189f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3a132, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cAlternateFileName="C21578~1.XML")) returned 1 [0164.897] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65565d76, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x88d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.excelmui.msi.16.en-us.xml", cAlternateFileName="C2D2CD~1.XML")) returned 1 [0164.897] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x643e5724, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x8f06, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cAlternateFileName="C233DB~1.XML")) returned 1 [0164.899] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6553a708, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x17f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.groovemui.msi.16.en-us.xml", cAlternateFileName="C26024~1.XML")) returned 1 [0164.899] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64441c43, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x15dd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cAlternateFileName="C25956~1.XML")) returned 1 [0164.899] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8303f160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8303f160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6556f8c0, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5b20, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.lyncmui.msi.16.en-us.xml", cAlternateFileName="C2FCD6~1.XML")) returned 1 [0164.899] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fcc6db, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82fcc6db, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x656085a0, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x55c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.office64mui.msi.16.en-us.xml", cAlternateFileName="C26643~1.XML")) returned 1 [0164.899] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f706a3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82f706a3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65595fb2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.office64muiset.msi.16.en-us.xml", cAlternateFileName="C2755E~1.XML")) returned 1 [0164.899] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e76fbe, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82e76fbe, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x650f791d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x414c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.office64ww.msi.16.x-none.xml", cAlternateFileName="C2A036~1.XML")) returned 1 [0164.899] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d85586, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d85586, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6598f087, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1a182, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.officemui.msi.16.en-us.xml", cAlternateFileName="C29059~1.XML")) returned 1 [0164.899] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d73041, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d73041, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x657cb5e1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.officemuiset.msi.16.en-us.xml", cAlternateFileName="C2467F~1.XML")) returned 1 [0164.899] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d6ced4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d6ced4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64629b0d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x176c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cAlternateFileName="C21839~1.XML")) returned 1 [0164.900] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d5e483, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d5e483, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6577f134, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4a1a, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.onenotemui.msi.16.en-us.xml", cAlternateFileName="C24C3D~1.XML")) returned 1 [0164.900] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d56dc4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d56dc4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x645f4b7c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cAlternateFileName="C24EFF~1.XML")) returned 1 [0164.900] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d54840, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d54840, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x656d7217, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2b14, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.osmmui.msi.16.en-us.xml", cAlternateFileName="C25F09~1.XML")) returned 1 [0164.900] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4f8c1, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4f8c1, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x645ce8f3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x8fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cAlternateFileName="C22C6F~1.XML")) returned 1 [0164.900] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4d28a, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4d28a, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6593d93a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2698, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.osmuxmui.msi.16.en-us.xml", cAlternateFileName="C21C45~1.XML")) returned 1 [0165.558] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d47160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d47160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65ec8648, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x16c9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cAlternateFileName="C29151~1.XML")) returned 1 [0165.559] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d39ab3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d39ab3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65a5d95d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x178c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.outlookmui.msi.16.en-us.xml", cAlternateFileName="C2C4E2~1.XML")) returned 1 [0165.559] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cc820c, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82cc820c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6452e5d6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xadce8, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cAlternateFileName="C280EB~1.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bf5a6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82bf5a6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64811bd3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x19170, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cAlternateFileName="C222CA~1.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6584ce48, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x684e, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.powerpointmui.msi.16.en-us.xml", cAlternateFileName="C27FF4~1.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65d08901, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x636e, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Proof.Culture.msi.16.en-us.xml", cAlternateFileName="C2B3EB~1.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65b23f2e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Proof.Culture.msi.16.es-es.xml", cAlternateFileName="C23127~1.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65b78136, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cAlternateFileName="C2BAB3~1.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65aa9e3b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.proofing.msi.16.en-us.xml", cAlternateFileName="C24618~1.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x646e8b6c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x12d6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cAlternateFileName="C2C6D1~1.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b2cf46, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b2cf46, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65acff84, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3708, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.publishermui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~4.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82adb9f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82adb9f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6469c575, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xaac34, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~3.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a0dba7, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82a0dba7, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64ca2e69, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x15286, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~2.XML")) returned 1 [0165.823] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8297548b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8297548b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6608ac43, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1301e, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RManifest.wordmui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~1.XML")) returned 1 [0165.824] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x828cdbb9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64e40818, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0165.824] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb55735, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4eb55735, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcf4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", cAlternateFileName="MICROS~2.XML")) returned 1 [0165.824] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e727d9e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4e727d9e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4e727d9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcb2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", cAlternateFileName="MICROS~1.XML")) returned 1 [0165.824] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5088032e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5088032e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9a627e13, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1b826, dwReserved0=0x0, dwReserved1=0x0, cFileName="msoutilstat.etw.man", cAlternateFileName="MSOUTI~1.MAN")) returned 1 [0165.824] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502726de, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x502726de, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9ee0f0de, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordEtw.man", cAlternateFileName="")) returned 1 [0165.824] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0165.824] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0166.002] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0166.004] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0166.028] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0166.056] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0166.065] WriteFile (in: hFile=0x408, lpBuffer=0x12a92000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a92000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0166.066] CloseHandle (hObject=0x408) returned 1 [0166.076] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ae9ce0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x50ae9ce0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa11790db, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x44e23)) returned 1 [0166.123] SetEvent (hEvent=0x3f8) returned 1 [0166.123] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x844141f3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x844141f3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6448e57d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9786)) returned 1 [0166.123] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x644b4868, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x410e)) returned 1 [0166.131] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83201564, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83201564, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65d6189f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3a132)) returned 1 [0166.214] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x643e5724, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x8f06)) returned 1 [0166.254] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0166.254] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0166.254] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83201564, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83201564, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65d6189f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3a132)) returned 1 [0166.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4c0 | out: pbBuffer=0x1280e4c0) returned 1 [0166.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128111c0 | out: pbBuffer=0x128111c0) returned 1 [0166.255] VirtualAlloc (lpAddress=0x12cee000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12cee000 [0166.330] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb20, ulCount=0x10, ulNumEntriesRemoved=0x32affb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb20, ulNumEntriesRemoved=0x32affb04) returned 0 [0166.330] SetEvent (hEvent=0x40c) returned 1 [0166.346] VirtualAlloc (lpAddress=0x12d2e000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12d2e000 [0166.348] ReadFile (in: hFile=0x424, lpBuffer=0x12cee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cee000*, lpNumberOfBytesRead=0x12a67d1c*=0x20000, lpOverlapped=0x0) returned 1 [0166.408] VirtualAlloc (lpAddress=0x12d4e000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12d4e000 [0166.416] GetFileType (hFile=0x424) returned 0x1 [0166.416] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0166.424] WriteFile (in: hFile=0x424, lpBuffer=0x12d4e000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12d4e000*, lpNumberOfBytesWritten=0x12a67d00*=0x20000, lpOverlapped=0x12a67d0c) returned 1 [0166.425] GetFileType (hFile=0x424) returned 0x1 [0166.425] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0166.501] SwitchToThread () returned 1 [0166.576] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0166.715] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0166.715] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0166.873] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0166.887] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0167.023] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0167.023] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0167.041] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0167.073] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb28, ulCount=0x10, ulNumEntriesRemoved=0x32affb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb28, ulNumEntriesRemoved=0x32affb0c) returned 0 [0167.084] SetEvent (hEvent=0x110) returned 1 [0167.098] SetEvent (hEvent=0x3f8) returned 1 [0167.098] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0167.165] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0167.180] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0167.287] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0167.287] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0167.407] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914540 | out: pbBuffer=0x12914540) returned 1 [0167.417] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0167.419] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0167.429] WriteFile (in: hFile=0x41c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0167.430] CloseHandle (hObject=0x41c) returned 1 [0167.433] CloseHandle (hObject=0x1a0) returned 1 [0167.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914568 | out: pbBuffer=0x12914568) returned 1 [0167.491] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[A3ED5AD951C89907]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[a3ed5ad951c89907]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0167.665] SetEvent (hEvent=0x110) returned 1 [0167.665] SetEvent (hEvent=0x3f8) returned 1 [0167.665] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0167.666] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0167.666] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d56dc4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d56dc4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x645f4b7c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5ee)) returned 1 [0167.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a984e0 | out: pbBuffer=0x12a984e0) returned 1 [0167.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146f8 | out: pbBuffer=0x129146f8) returned 1 [0167.669] ReadFile (in: hFile=0x424, lpBuffer=0x12ab8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ab8000*, lpNumberOfBytesRead=0x12923d1c*=0x5ee, lpOverlapped=0x0) returned 1 [0167.675] GetFileType (hFile=0x424) returned 0x1 [0167.675] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.675] WriteFile (in: hFile=0x424, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x5ee, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12923d00*=0x5ee, lpOverlapped=0x12923d0c) returned 1 [0167.675] GetFileType (hFile=0x424) returned 0x1 [0167.675] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x5ee, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0167.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0167.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0167.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914870 | out: pbBuffer=0x12914870) returned 1 [0167.676] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0167.677] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0167.677] WriteFile (in: hFile=0x41c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0167.677] CloseHandle (hObject=0x41c) returned 1 [0167.683] CloseHandle (hObject=0x424) returned 1 [0167.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914898 | out: pbBuffer=0x12914898) returned 1 [0167.687] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[6FD7747A2B3C4D67]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[6fd7747a2b3c4d67]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0167.795] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0167.798] SetEvent (hEvent=0x40c) returned 1 [0167.799] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0167.799] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0167.799] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d47160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d47160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65ec8648, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x16c9a)) returned 1 [0167.799] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e820 | out: pbBuffer=0x1280e820) returned 1 [0167.799] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810310 | out: pbBuffer=0x12810310) returned 1 [0167.799] ReadFile (in: hFile=0x408, lpBuffer=0x1298e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x1298e000*, lpNumberOfBytesRead=0x1282fd1c*=0x16c9a, lpOverlapped=0x0) returned 1 [0167.807] GetFileType (hFile=0x408) returned 0x1 [0167.807] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0167.807] WriteFile (in: hFile=0x408, lpBuffer=0x129ce000*, nNumberOfBytesToWrite=0x16c9a, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x129ce000*, lpNumberOfBytesWritten=0x1282fd00*=0x16c9a, lpOverlapped=0x1282fd0c) returned 1 [0167.808] GetFileType (hFile=0x408) returned 0x1 [0167.808] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x16c9a, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0167.808] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b381 | out: pbBuffer=0x1286b381) returned 1 [0167.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b481 | out: pbBuffer=0x1286b481) returned 1 [0167.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b581 | out: pbBuffer=0x1286b581) returned 1 [0167.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128103c8 | out: pbBuffer=0x128103c8) returned 1 [0167.809] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0167.810] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0167.810] WriteFile (in: hFile=0x424, lpBuffer=0x12916f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12916f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0167.810] CloseHandle (hObject=0x424) returned 1 [0167.821] CloseHandle (hObject=0x408) returned 1 [0167.824] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103e0 | out: pbBuffer=0x128103e0) returned 1 [0167.824] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[7999C75C2CD80B84]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[7999c75c2cd80b84]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.215] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0168.223] SetEvent (hEvent=0x1d0) returned 1 [0168.223] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0168.224] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0168.224] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65b23f2e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6)) returned 1 [0168.224] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4e0 | out: pbBuffer=0x1280e4e0) returned 1 [0168.225] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0168.225] ReadFile (in: hFile=0x408, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x5fa6, lpOverlapped=0x0) returned 1 [0168.231] GetFileType (hFile=0x408) returned 0x1 [0168.231] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0168.231] WriteFile (in: hFile=0x408, lpBuffer=0x1285a000*, nNumberOfBytesToWrite=0x5fa6, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x1285a000*, lpNumberOfBytesWritten=0x1282fd00*=0x5fa6, lpOverlapped=0x1282fd0c) returned 1 [0168.231] GetFileType (hFile=0x408) returned 0x1 [0168.231] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x5fa6, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0168.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0168.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0168.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0168.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810218 | out: pbBuffer=0x12810218) returned 1 [0168.232] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0168.232] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0168.232] WriteFile (in: hFile=0x41c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0168.233] CloseHandle (hObject=0x41c) returned 1 [0168.237] CloseHandle (hObject=0x408) returned 1 [0168.243] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810230 | out: pbBuffer=0x12810230) returned 1 [0168.243] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[63EA2297C7E8F809]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[63ea2297c7e8f809]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.529] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0168.552] SetEvent (hEvent=0x1d0) returned 1 [0168.552] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0168.553] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0168.553] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8436b436, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8436b436, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65211dfd, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xe048)) returned 1 [0168.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128448e0 | out: pbBuffer=0x128448e0) returned 1 [0168.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914ad0 | out: pbBuffer=0x12914ad0) returned 1 [0168.554] ReadFile (in: hFile=0x408, lpBuffer=0x1298c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x1298c000*, lpNumberOfBytesRead=0x1282fd1c*=0xe048, lpOverlapped=0x0) returned 1 [0168.565] GetFileType (hFile=0x408) returned 0x1 [0168.565] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0168.565] WriteFile (in: hFile=0x408, lpBuffer=0x12bd2000*, nNumberOfBytesToWrite=0xe048, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12bd2000*, lpNumberOfBytesWritten=0x1282fd00*=0xe048, lpOverlapped=0x1282fd0c) returned 1 [0168.566] GetFileType (hFile=0x408) returned 0x1 [0168.566] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0xe048, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0168.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0168.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0168.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0168.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914b88 | out: pbBuffer=0x12914b88) returned 1 [0168.567] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0168.567] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0168.567] WriteFile (in: hFile=0x41c, lpBuffer=0x12af4a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0168.568] CloseHandle (hObject=0x41c) returned 1 [0168.575] CloseHandle (hObject=0x408) returned 1 [0168.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914ba0 | out: pbBuffer=0x12914ba0) returned 1 [0168.580] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[E118DE39692FA6FA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[e118de39692fa6fa]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.837] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0168.842] SetEvent (hEvent=0xfc) returned 1 [0168.842] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0168.842] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0168.843] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6553a708, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x17f6)) returned 1 [0168.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0168.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0168.843] ReadFile (in: hFile=0x3c4, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282fd1c*=0x17f6, lpOverlapped=0x0) returned 1 [0168.849] GetFileType (hFile=0x3c4) returned 0x1 [0168.849] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0168.849] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x17f6, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x1282fd00*=0x17f6, lpOverlapped=0x1282fd0c) returned 1 [0168.849] GetFileType (hFile=0x3c4) returned 0x1 [0168.849] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x17f6, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0168.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0168.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0168.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0168.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0e0 | out: pbBuffer=0x12a9a0e0) returned 1 [0168.851] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0168.851] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0168.851] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0168.851] CloseHandle (hObject=0x42c) returned 1 [0168.856] CloseHandle (hObject=0x3c4) returned 1 [0168.858] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0f8 | out: pbBuffer=0x12a9a0f8) returned 1 [0168.858] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[59A3D2D7018E4949]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[59a3d2d7018e4949]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.182] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0169.189] SetEvent (hEvent=0xfc) returned 1 [0169.189] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64ww.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0169.190] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0169.190] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64ww.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e76fbe, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82e76fbe, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x650f791d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x414c2)) returned 1 [0169.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0169.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145c0 | out: pbBuffer=0x129145c0) returned 1 [0169.190] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ca0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca0000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0169.199] GetFileType (hFile=0x1a0) returned 0x1 [0169.199] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0169.199] WriteFile (in: hFile=0x1a0, lpBuffer=0x12ce0000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12ce0000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0169.200] GetFileType (hFile=0x1a0) returned 0x1 [0169.200] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0169.200] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0169.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0169.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0169.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914688 | out: pbBuffer=0x12914688) returned 1 [0169.201] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64ww.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0169.201] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0169.201] WriteFile (in: hFile=0x3c4, lpBuffer=0x12af4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0169.206] CloseHandle (hObject=0x3c4) returned 1 [0169.224] CloseHandle (hObject=0x1a0) returned 1 [0169.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146a0 | out: pbBuffer=0x129146a0) returned 1 [0169.227] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64ww.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[BB61665407031F13]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[bb61665407031f13]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.348] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0169.355] SetEvent (hEvent=0xfc) returned 1 [0169.355] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0169.355] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0169.355] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d54840, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d54840, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x656d7217, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2b14)) returned 1 [0169.355] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ece0 | out: pbBuffer=0x1280ece0) returned 1 [0169.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ab10 | out: pbBuffer=0x12a9ab10) returned 1 [0169.356] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0169.361] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0169.361] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb20, ulCount=0x10, ulNumEntriesRemoved=0x32affb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb20, ulNumEntriesRemoved=0x32affb04) returned 0 [0169.361] SetEvent (hEvent=0x110) returned 1 [0169.361] SetEvent (hEvent=0xfc) returned 1 [0169.362] ReadFile (in: hFile=0x1a0, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x1282fd1c*=0x2b14, lpOverlapped=0x0) returned 1 [0169.372] GetFileType (hFile=0x1a0) returned 0x1 [0169.372] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0169.372] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c4e000*, nNumberOfBytesToWrite=0x2b14, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c4e000*, lpNumberOfBytesWritten=0x1282fd00*=0x2b14, lpOverlapped=0x1282fd0c) returned 1 [0169.372] GetFileType (hFile=0x1a0) returned 0x1 [0169.373] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2b14, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0169.373] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0169.373] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801681 | out: pbBuffer=0x12801681) returned 1 [0169.373] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801781 | out: pbBuffer=0x12801781) returned 1 [0169.374] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849fa0 | out: pbBuffer=0x12849fa0) returned 1 [0169.374] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0169.374] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0169.374] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c2ea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2ea00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0169.374] CloseHandle (hObject=0x3c4) returned 1 [0169.396] CloseHandle (hObject=0x1a0) returned 1 [0169.469] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0169.480] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0169.480] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[3A90074B6515A301]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[3a90074b6515a301]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.592] SetEvent (hEvent=0x3f8) returned 1 [0169.593] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0169.593] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0169.593] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65aa9e3b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa)) returned 1 [0169.593] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4e0 | out: pbBuffer=0x1280e4e0) returned 1 [0169.593] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ae8 | out: pbBuffer=0x12848ae8) returned 1 [0169.594] ReadFile (in: hFile=0x3c4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x7fa, lpOverlapped=0x0) returned 1 [0169.600] GetFileType (hFile=0x3c4) returned 0x1 [0169.600] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0169.600] WriteFile (in: hFile=0x3c4, lpBuffer=0x12afe000*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12afe000*, lpNumberOfBytesWritten=0x1282fd00*=0x7fa, lpOverlapped=0x1282fd0c) returned 1 [0169.600] GetFileType (hFile=0x3c4) returned 0x1 [0169.600] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x7fa, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0169.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0169.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0169.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0169.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848bb0 | out: pbBuffer=0x12848bb0) returned 1 [0169.601] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.602] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0169.602] WriteFile (in: hFile=0x42c, lpBuffer=0x12a4c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a4c500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0169.602] CloseHandle (hObject=0x42c) returned 1 [0169.606] CloseHandle (hObject=0x3c4) returned 1 [0169.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848bc8 | out: pbBuffer=0x12848bc8) returned 1 [0169.608] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[825DB2012A7430A8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[825db2012a7430a8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.872] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0169.880] SetEvent (hEvent=0x1b8) returned 1 [0169.880] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0169.880] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0169.880] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb55735, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4eb55735, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcf4)) returned 1 [0169.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0169.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b10 | out: pbBuffer=0x12810b10) returned 1 [0169.881] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0170.039] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0170.052] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb20, ulCount=0x10, ulNumEntriesRemoved=0x32affb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb20, ulNumEntriesRemoved=0x32affb04) returned 0 [0170.053] SetEvent (hEvent=0x110) returned 1 [0170.053] SetEvent (hEvent=0x1b8) returned 1 [0170.053] ReadFile (in: hFile=0x3c4, lpBuffer=0x12d28000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d28000*, lpNumberOfBytesRead=0x1282fd1c*=0xcf4, lpOverlapped=0x0) returned 1 [0170.104] GetFileType (hFile=0x3c4) returned 0x1 [0170.104] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0170.104] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c10000*, nNumberOfBytesToWrite=0xcf4, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c10000*, lpNumberOfBytesWritten=0x1282fd00*=0xcf4, lpOverlapped=0x1282fd0c) returned 1 [0170.105] GetFileType (hFile=0x3c4) returned 0x1 [0170.105] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0xcf4, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0170.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0170.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0170.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0170.165] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810bc8 | out: pbBuffer=0x12810bc8) returned 1 [0170.165] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0170.165] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0170.165] WriteFile (in: hFile=0x42c, lpBuffer=0x12b66000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b66000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0170.166] CloseHandle (hObject=0x42c) returned 1 [0170.177] SwitchToThread () returned 1 [0170.180] CloseHandle (hObject=0x3c4) returned 1 [0170.202] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848000 | out: pbBuffer=0x12848000) returned 1 [0170.203] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[34F2311A2FDE5C6A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[34f2311a2fde5c6a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0170.432] SetEvent (hEvent=0x3f8) returned 1 [0170.432] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0170.432] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0170.432] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502726de, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x502726de, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9ee0f0de, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd)) returned 1 [0170.432] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0170.432] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ae0 | out: pbBuffer=0x12810ae0) returned 1 [0170.435] ReadFile (in: hFile=0x408, lpBuffer=0x12b84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b84000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0170.488] GetFileType (hFile=0x408) returned 0x1 [0170.488] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0170.488] WriteFile (in: hFile=0x408, lpBuffer=0x12bc4000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12bc4000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0170.489] GetFileType (hFile=0x408) returned 0x1 [0170.489] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0170.489] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0170.489] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0170.489] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0170.489] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810c68 | out: pbBuffer=0x12810c68) returned 1 [0170.489] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0170.490] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0170.490] WriteFile (in: hFile=0x41c, lpBuffer=0x1285e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x1285e000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0170.505] CloseHandle (hObject=0x41c) returned 1 [0170.554] CloseHandle (hObject=0x408) returned 1 [0170.589] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c80 | out: pbBuffer=0x12810c80) returned 1 [0170.589] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[6941B3748A0B9B71]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[6941b3748a0b9b71]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0171.037] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0171.748] SetEvent (hEvent=0x19c) returned 1 [0171.762] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0171.762] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0171.775] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0171.974] SetEvent (hEvent=0x420) returned 1 [0171.987] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.000] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png\\*", lpFindFileData=0x12a67a44 | out: lpFindFileData=0x12a67a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.001] SwitchToThread () returned 1 [0172.041] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.042] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.042] SwitchToThread () returned 1 [0172.078] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0172.330] SetEvent (hEvent=0x420) returned 1 [0172.331] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.331] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png\\*", lpFindFileData=0x12a67a44 | out: lpFindFileData=0x12a67a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.331] SwitchToThread () returned 1 [0172.376] SwitchToThread () returned 1 [0172.390] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0172.506] SetEvent (hEvent=0x420) returned 1 [0172.506] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.507] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.507] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0172.521] SetEvent (hEvent=0x420) returned 1 [0172.522] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.522] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.522] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.523] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml\\*", lpFindFileData=0x12a67a44 | out: lpFindFileData=0x12a67a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.523] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.523] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.523] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0172.637] SetEvent (hEvent=0x420) returned 1 [0172.637] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.638] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.638] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0172.756] SetEvent (hEvent=0x420) returned 1 [0172.756] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.756] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml\\*", lpFindFileData=0x12a67a44 | out: lpFindFileData=0x12a67a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.757] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0172.913] SetEvent (hEvent=0x19c) returned 1 [0172.914] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.914] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.927] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.927] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.927] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0173.024] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0173.139] SetEvent (hEvent=0x19c) returned 1 [0173.139] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0173.291] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.292] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json\\*", lpFindFileData=0x12927a44 | out: lpFindFileData=0x12927a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0173.292] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.292] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl\\*", lpFindFileData=0x12927a44 | out: lpFindFileData=0x12927a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0173.293] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x371b45ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.293] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.293] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x371b45ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0173.293] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x371b45ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.293] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.293] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0173.293] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.294] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.294] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0173.294] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0173.294] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0173.295] CloseHandle (hObject=0x3c4) returned 1 [0173.296] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore" (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.296] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore" (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.296] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0173.296] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.296] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.296] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0173.297] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.297] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.297] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0173.297] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0173.297] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b1300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x128b1300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0173.299] CloseHandle (hObject=0x3c4) returned 1 [0173.299] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload" (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.337] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload" (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.337] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0173.337] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.338] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.338] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0173.338] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.338] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.338] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0173.339] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0173.339] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b2600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x128b2600*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0173.340] CloseHandle (hObject=0x3c4) returned 1 [0173.340] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc" (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.340] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc" (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.340] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0173.341] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.341] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.341] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0173.341] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.341] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.341] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0173.381] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0173.381] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b3900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x128b3900*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0173.382] CloseHandle (hObject=0x3c4) returned 1 [0173.382] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.389] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.389] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0173.389] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.389] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.389] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0173.389] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.389] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.390] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0173.390] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0173.390] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b4c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x128b4c00*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0173.391] CloseHandle (hObject=0x3c4) returned 1 [0173.391] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.392] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.392] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0173.392] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.392] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.392] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0173.392] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.392] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.392] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0173.393] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0173.393] WriteFile (in: hFile=0x3c4, lpBuffer=0x12ae8000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12ae8000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0173.394] CloseHandle (hObject=0x3c4) returned 1 [0173.394] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events00.rbs"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf380d4, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf380d4, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000000)) returned 1 [0173.394] SetEvent (hEvent=0x3f8) returned 1 [0173.394] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events01.rbs"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc28f5c)) returned 1 [0173.395] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events00.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.395] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs\\*", lpFindFileData=0x12927a44 | out: lpFindFileData=0x12927a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0173.395] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events01.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.395] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs\\*", lpFindFileData=0x12927a44 | out: lpFindFileData=0x12927a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0173.395] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events10.rbs"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf5c28)) returned 1 [0173.395] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events11.rbs"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2e147a)) returned 1 [0173.396] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events10.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.396] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs\\*", lpFindFileData=0x12927a44 | out: lpFindFileData=0x12927a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0173.396] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events11.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.396] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs\\*", lpFindFileData=0x12927a44 | out: lpFindFileData=0x12927a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0173.396] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat" (normalized: "c:\\programdata\\microsoft\\diagnosis\\parse.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd17b1a49, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x36edfa80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.435] SetEvent (hEvent=0x3f8) returned 1 [0173.435] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL" (normalized: "c:\\programdata\\microsoft\\identitycrl"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.436] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL" (normalized: "c:\\programdata\\microsoft\\identitycrl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.436] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0173.436] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.436] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INT", cAlternateFileName="")) returned 1 [0173.436] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="production", cAlternateFileName="PRODUC~1")) returned 1 [0173.436] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.436] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0173.436] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.436] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.436] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0173.437] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0173.437] WriteFile (in: hFile=0x3c4, lpBuffer=0x12ae9300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12ae9300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0173.438] CloseHandle (hObject=0x3c4) returned 1 [0173.438] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.438] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.439] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0173.439] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.439] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0173.439] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.439] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0173.439] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.439] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.439] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0173.440] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0173.440] WriteFile (in: hFile=0x3c4, lpBuffer=0x12aea600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12aea600*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0173.441] CloseHandle (hObject=0x3c4) returned 1 [0173.442] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8)) returned 1 [0173.442] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat" (normalized: "c:\\programdata\\microsoft\\diagnosis\\parse.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.442] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat\\*", lpFindFileData=0x12927a44 | out: lpFindFileData=0x12927a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0173.442] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0173.442] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0173.442] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8)) returned 1 [0173.442] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0173.442] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ac0 | out: pbBuffer=0x12810ac0) returned 1 [0173.443] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12927d1c*=0x5ed8, lpOverlapped=0x0) returned 1 [0173.652] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0173.856] GetFileType (hFile=0x3c4) returned 0x1 [0173.857] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0173.857] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x5ed8, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12927d00*=0x5ed8, lpOverlapped=0x12927d0c) returned 1 [0173.857] GetFileType (hFile=0x3c4) returned 0x1 [0173.858] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x5ed8, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0173.858] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800501 | out: pbBuffer=0x12800501) returned 1 [0173.858] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0173.858] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0174.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a4b8 | out: pbBuffer=0x12a9a4b8) returned 1 [0174.060] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.120] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.120] WriteFile (in: hFile=0x428, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.121] CloseHandle (hObject=0x428) returned 1 [0174.123] CloseHandle (hObject=0x3c4) returned 1 [0174.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a4d0 | out: pbBuffer=0x12a9a4d0) returned 1 [0174.123] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), lpNewFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\#_THIS_FILE_IS_ENCRYPTED_[EFEA54BEAB010229]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\#_this_file_is_encrypted_[efea54beab010229]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.124] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0174.203] SetEvent (hEvent=0x40c) returned 1 [0174.203] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.203] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0174.203] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c)) returned 1 [0174.204] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e580 | out: pbBuffer=0x1280e580) returned 1 [0174.204] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a518 | out: pbBuffer=0x12a9a518) returned 1 [0174.213] ReadFile (in: hFile=0x428, lpBuffer=0x12bc8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bc8000*, lpNumberOfBytesRead=0x12829d1c*=0x3a7c, lpOverlapped=0x0) returned 1 [0174.352] GetFileType (hFile=0x428) returned 0x1 [0174.352] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.352] WriteFile (in: hFile=0x428, lpBuffer=0x12c0a000*, nNumberOfBytesToWrite=0x3a7c, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c0a000*, lpNumberOfBytesWritten=0x12829d00*=0x3a7c, lpOverlapped=0x12829d0c) returned 1 [0174.352] GetFileType (hFile=0x428) returned 0x1 [0174.353] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x3a7c, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.353] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0174.353] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0174.353] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0174.354] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a710 | out: pbBuffer=0x12a9a710) returned 1 [0174.354] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.354] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0174.354] WriteFile (in: hFile=0x3c4, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.354] CloseHandle (hObject=0x3c4) returned 1 [0174.356] CloseHandle (hObject=0x428) returned 1 [0174.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a728 | out: pbBuffer=0x12a9a728) returned 1 [0174.357] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), lpNewFileName="C:\\ProgramData\\Microsoft\\MF\\#_THIS_FILE_IS_ENCRYPTED_[F888006D74602891]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\mf\\#_this_file_is_encrypted_[f888006d74602891]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.380] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\countrytable.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.380] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml\\*", lpFindFileData=0x12927a44 | out: lpFindFileData=0x12927a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0174.380] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0174.403] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0174.492] SetEvent (hEvent=0x40c) returned 1 [0174.492] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0174.519] SetEvent (hEvent=0x1d0) returned 1 [0174.519] SetEvent (hEvent=0x3f8) returned 1 [0174.519] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0174.540] SetEvent (hEvent=0x40c) returned 1 [0174.540] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0174.553] SetEvent (hEvent=0x19c) returned 1 [0174.554] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0174.554] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0174.554] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e60513, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e60513, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22f)) returned 1 [0174.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0174.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0174.554] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a63d1c*=0x22f, lpOverlapped=0x0) returned 1 [0174.556] GetFileType (hFile=0x42c) returned 0x1 [0174.556] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.556] WriteFile (in: hFile=0x42c, lpBuffer=0x1288a000*, nNumberOfBytesToWrite=0x22f, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x1288a000*, lpNumberOfBytesWritten=0x12a63d00*=0x22f, lpOverlapped=0x12a63d0c) returned 1 [0174.557] GetFileType (hFile=0x42c) returned 0x1 [0174.557] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x22f, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0174.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0174.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0174.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0174.558] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0174.558] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0174.558] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.600] CloseHandle (hObject=0x1a0) returned 1 [0174.601] CloseHandle (hObject=0x42c) returned 1 [0174.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483e8 | out: pbBuffer=0x128483e8) returned 1 [0174.602] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[ACEDA27F48730206]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\#_this_file_is_encrypted_[aceda27f48730206]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.616] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0174.644] SetEvent (hEvent=0x1d0) returned 1 [0174.644] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0174.644] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0174.644] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x157)) returned 1 [0174.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928480 | out: pbBuffer=0x12928480) returned 1 [0174.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146a0 | out: pbBuffer=0x129146a0) returned 1 [0174.645] ReadFile (in: hFile=0x1a0, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a63d1c*=0x157, lpOverlapped=0x0) returned 1 [0174.646] GetFileType (hFile=0x1a0) returned 0x1 [0174.646] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.646] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d0e000*, nNumberOfBytesToWrite=0x157, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12d0e000*, lpNumberOfBytesWritten=0x12a63d00*=0x157, lpOverlapped=0x12a63d0c) returned 1 [0174.646] GetFileType (hFile=0x1a0) returned 0x1 [0174.646] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x157, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0174.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0174.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0174.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914758 | out: pbBuffer=0x12914758) returned 1 [0174.647] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.647] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0174.647] WriteFile (in: hFile=0x428, lpBuffer=0x12c2ef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2ef00*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.685] SetEvent (hEvent=0x110) returned 1 [0174.686] CloseHandle (hObject=0x428) returned 1 [0174.687] CloseHandle (hObject=0x1a0) returned 1 [0174.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1c8 | out: pbBuffer=0x12a9a1c8) returned 1 [0174.688] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[7B9DC3BF52422911]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\#_this_file_is_encrypted_[7b9dc3bf52422911]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.866] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0174.963] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13e3f24, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13e3f24, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139)) returned 1 [0174.964] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0176.224] SetEvent (hEvent=0x3f8) returned 1 [0176.224] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0176.277] SetEvent (hEvent=0x19c) returned 1 [0176.277] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0176.572] SetEvent (hEvent=0x420) returned 1 [0176.572] SetEvent (hEvent=0x40c) returned 1 [0176.572] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0204.791] SetEvent (hEvent=0x3f4) returned 1 [0204.791] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0205.776] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0205.831] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0205.909] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0205.934] SetEvent (hEvent=0xfc) returned 1 [0205.934] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0205.941] SetEvent (hEvent=0x19c) returned 1 [0205.942] SetEvent (hEvent=0x420) returned 1 [0205.942] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0205.946] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0205.946] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x0 [0205.949] SetEvent (hEvent=0x420) returned 1 [0205.949] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0205.952] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0205.952] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb28, ulCount=0x10, ulNumEntriesRemoved=0x32affb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb28, ulNumEntriesRemoved=0x32affb0c) returned 0 [0205.953] SetEvent (hEvent=0x420) returned 1 [0205.953] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0205.961] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0205.961] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.962] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0205.962] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c4220a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4220a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1d118c6c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x362c0)) returned 1 [0205.962] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0205.962] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0205.962] ReadFile (in: hFile=0x448, lpBuffer=0x129ae000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x129ae000*, lpNumberOfBytesRead=0x129add1c*=0x20000, lpOverlapped=0x0) returned 1 [0206.178] GetFileType (hFile=0x448) returned 0x1 [0206.178] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0206.178] WriteFile (in: hFile=0x448, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x129add00*=0x20000, lpOverlapped=0x129add0c) returned 1 [0206.179] GetFileType (hFile=0x448) returned 0x1 [0206.179] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0206.179] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0206.179] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0206.179] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0206.180] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a390 | out: pbBuffer=0x12a9a390) returned 1 [0206.180] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncapi.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0206.180] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0206.180] WriteFile (in: hFile=0x438, lpBuffer=0x12918000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x12918000*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0206.281] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0206.356] CloseHandle (hObject=0x438) returned 1 [0206.360] CloseHandle (hObject=0x448) returned 1 [0206.367] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f8 | out: pbBuffer=0x128483f8) returned 1 [0206.367] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncapi.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[9EDC13C13531EAE8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[9edc13c13531eae8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.549] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0206.598] SetEvent (hEvent=0x420) returned 1 [0206.598] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0206.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.603] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0206.603] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b1a7cae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b1a7cae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b2b2bd5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0206.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e700 | out: pbBuffer=0x1280e700) returned 1 [0206.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b3f0 | out: pbBuffer=0x12a9b3f0) returned 1 [0206.604] ReadFile (in: hFile=0x3c4, lpBuffer=0x129ce000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129ce000*, lpNumberOfBytesRead=0x12829d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0206.609] GetFileType (hFile=0x3c4) returned 0x1 [0206.609] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.609] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12829d00*=0x15cc0, lpOverlapped=0x12829d0c) returned 1 [0206.610] GetFileType (hFile=0x3c4) returned 0x1 [0206.610] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0206.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0206.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0206.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b4a8 | out: pbBuffer=0x12a9b4a8) returned 1 [0206.611] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0206.611] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0206.611] WriteFile (in: hFile=0x15c, lpBuffer=0x12918f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12918f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.612] CloseHandle (hObject=0x15c) returned 1 [0206.612] CloseHandle (hObject=0x3c4) returned 1 [0206.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b4c0 | out: pbBuffer=0x12a9b4c0) returned 1 [0206.613] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\#_THIS_FILE_IS_ENCRYPTED_[107E548157C3E589]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\#_this_file_is_encrypted_[107e548157c3e589]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.615] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x0 [0206.632] SetEvent (hEvent=0xfc) returned 1 [0206.632] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0206.641] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0206.641] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb28, ulCount=0x10, ulNumEntriesRemoved=0x32affb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb28, ulNumEntriesRemoved=0x32affb0c) returned 0 [0206.641] SetEvent (hEvent=0x19c) returned 1 [0206.642] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0206.659] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0206.661] GetFileType (hFile=0x448) returned 0x1 [0206.661] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.661] WriteFile (in: hFile=0x448, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0xf2c0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x129a7d00*=0xf2c0, lpOverlapped=0x129a7d0c) returned 1 [0206.662] GetFileType (hFile=0x448) returned 0x1 [0206.662] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xf2c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.662] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0206.662] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0206.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0206.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0206.663] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0206.663] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.663] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.663] CloseHandle (hObject=0x438) returned 1 [0206.664] CloseHandle (hObject=0x448) returned 1 [0206.664] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0206.664] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\#_THIS_FILE_IS_ENCRYPTED_[6F2A660D207D4358]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\#_this_file_is_encrypted_[6f2a660d207d4358]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.666] GetFileType (hFile=0x1a0) returned 0x1 [0206.666] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0206.666] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x129add00*=0x156c0, lpOverlapped=0x129add0c) returned 1 [0206.667] GetFileType (hFile=0x1a0) returned 0x1 [0206.667] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0206.667] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0206.667] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0206.667] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0206.668] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484d8 | out: pbBuffer=0x128484d8) returned 1 [0206.668] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0206.668] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0206.669] WriteFile (in: hFile=0x448, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0206.669] CloseHandle (hObject=0x448) returned 1 [0206.669] CloseHandle (hObject=0x1a0) returned 1 [0206.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484f0 | out: pbBuffer=0x128484f0) returned 1 [0206.670] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\#_THIS_FILE_IS_ENCRYPTED_[CC9701AE4DB720C1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\#_this_file_is_encrypted_[cc9701ae4db720c1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0207.050] SetEvent (hEvent=0x40c) returned 1 [0207.050] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0207.057] SetEvent (hEvent=0x420) returned 1 [0207.057] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0207.098] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0207.098] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0207.145] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0207.145] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0207.194] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0207.194] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0207.258] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0207.258] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb28, ulCount=0x10, ulNumEntriesRemoved=0x32affb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb28, ulNumEntriesRemoved=0x32affb0c) returned 0 [0207.258] SetEvent (hEvent=0x110) returned 1 [0207.258] SetEvent (hEvent=0x19c) returned 1 [0207.258] SetEvent (hEvent=0x3f8) returned 1 [0207.258] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0207.393] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0207.394] GetFileType (hFile=0x15c) returned 0x1 [0207.394] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0207.394] WriteFile (in: hFile=0x15c, lpBuffer=0x12922000*, nNumberOfBytesToWrite=0x16da, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12922000*, lpNumberOfBytesWritten=0x129a7d00*=0x16da, lpOverlapped=0x129a7d0c) returned 1 [0207.394] GetFileType (hFile=0x15c) returned 0x1 [0207.394] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x16da, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0207.394] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0207.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0207.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0207.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0207.395] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\collectonedrivelogs.bat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0207.395] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0207.395] WriteFile (in: hFile=0x1a0, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0207.396] CloseHandle (hObject=0x1a0) returned 1 [0207.396] CloseHandle (hObject=0x15c) returned 1 [0207.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810118 | out: pbBuffer=0x12810118) returned 1 [0207.396] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\collectonedrivelogs.bat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[968714CCA9F678C2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[968714cca9f678c2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0208.687] SetEvent (hEvent=0x3f8) returned 1 [0208.687] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\exclusionlist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0208.688] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0208.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42ba1e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe42ba1e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7c64fd5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0208.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98600 | out: pbBuffer=0x12a98600) returned 1 [0208.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810380 | out: pbBuffer=0x12810380) returned 1 [0208.689] ReadFile (in: hFile=0x15c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x129a7d1c*=0x4e5f, lpOverlapped=0x0) returned 1 [0208.723] GetFileType (hFile=0x15c) returned 0x1 [0208.723] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0208.723] WriteFile (in: hFile=0x15c, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x4e5f, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x129a7d00*=0x4e5f, lpOverlapped=0x129a7d0c) returned 1 [0208.724] GetFileType (hFile=0x15c) returned 0x1 [0208.724] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x4e5f, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0208.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0208.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0208.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0208.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810438 | out: pbBuffer=0x12810438) returned 1 [0208.724] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\exclusionlist.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0208.725] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0208.725] WriteFile (in: hFile=0x1a0, lpBuffer=0x128af400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x128af400*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0208.725] CloseHandle (hObject=0x1a0) returned 1 [0208.730] CloseHandle (hObject=0x15c) returned 1 [0208.742] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810450 | out: pbBuffer=0x12810450) returned 1 [0208.743] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\exclusionlist.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[A79C02697813C322]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[a79c02697813c322]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0208.979] SetEvent (hEvent=0xf4) returned 1 [0208.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0208.980] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0208.980] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncclient.dll"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8878a7e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8878a7e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc424655, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0)) returned 1 [0208.980] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99580 | out: pbBuffer=0x12a99580) returned 1 [0208.980] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811060 | out: pbBuffer=0x12811060) returned 1 [0208.981] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0208.983] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0209.005] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb20, ulCount=0x10, ulNumEntriesRemoved=0x32affb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb20, ulNumEntriesRemoved=0x32affb04) returned 0 [0209.005] SetEvent (hEvent=0x110) returned 1 [0209.005] SetEvent (hEvent=0xf4) returned 1 [0209.006] ReadFile (in: hFile=0x15c, lpBuffer=0x12a0e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a0e000*, lpNumberOfBytesRead=0x129a7d1c*=0x20000, lpOverlapped=0x0) returned 1 [0209.077] SetEvent (hEvent=0x110) returned 1 [0209.078] GetFileType (hFile=0x15c) returned 0x1 [0209.078] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0209.079] WriteFile (in: hFile=0x15c, lpBuffer=0x129ae000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x129ae000*, lpNumberOfBytesWritten=0x129a7d00*=0x20000, lpOverlapped=0x129a7d0c) returned 1 [0209.080] GetFileType (hFile=0x15c) returned 0x1 [0209.081] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0209.081] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0209.081] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0209.081] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0209.082] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0209.082] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncclient.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0209.082] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0209.082] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0209.152] CloseHandle (hObject=0x1a0) returned 1 [0209.771] CloseHandle (hObject=0x15c) returned 1 [0209.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34378 | out: pbBuffer=0x12c34378) returned 1 [0209.856] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncclient.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[0D1E78D7B807D19B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[0d1e78d7b807d19b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0210.142] SetEvent (hEvent=0x110) returned 1 [0210.142] SetEvent (hEvent=0xf4) returned 1 [0210.143] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\loggingplatform.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0210.143] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0210.155] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\loggingplatform.dll"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32eeba5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x32eeba5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4889ef2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0)) returned 1 [0210.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844ac0 | out: pbBuffer=0x12844ac0) returned 1 [0210.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848558 | out: pbBuffer=0x12848558) returned 1 [0210.156] ReadFile (in: hFile=0x15c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x129a7d1c*=0x1a8c0, lpOverlapped=0x0) returned 1 [0210.191] GetFileType (hFile=0x15c) returned 0x1 [0210.191] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0210.191] WriteFile (in: hFile=0x15c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x1a8c0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x129a7d00*=0x1a8c0, lpOverlapped=0x129a7d0c) returned 1 [0210.192] GetFileType (hFile=0x15c) returned 0x1 [0210.192] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x1a8c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0210.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0210.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0210.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0210.224] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848640 | out: pbBuffer=0x12848640) returned 1 [0210.225] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\loggingplatform.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0210.225] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0210.225] WriteFile (in: hFile=0x1a0, lpBuffer=0x12850a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12850a00*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0210.225] CloseHandle (hObject=0x1a0) returned 1 [0210.233] CloseHandle (hObject=0x15c) returned 1 [0210.235] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848678 | out: pbBuffer=0x12848678) returned 1 [0210.235] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\loggingplatform.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[564FFDAF845711A6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[564ffdaf845711a6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0210.416] SetEvent (hEvent=0x110) returned 1 [0210.416] SetEvent (hEvent=0xf4) returned 1 [0210.416] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotoptin.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0210.417] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0210.417] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1347c6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1347c6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x140b472d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a)) returned 1 [0210.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845560 | out: pbBuffer=0x12845560) returned 1 [0210.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a08 | out: pbBuffer=0x12848a08) returned 1 [0210.417] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0210.422] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0210.422] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb20, ulCount=0x10, ulNumEntriesRemoved=0x32affb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb20, ulNumEntriesRemoved=0x32affb04) returned 0 [0210.422] SetEvent (hEvent=0xf4) returned 1 [0210.423] ReadFile (in: hFile=0x15c, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x129a7d1c*=0x20000, lpOverlapped=0x0) returned 1 [0210.438] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0210.480] GetFileType (hFile=0x15c) returned 0x1 [0210.480] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0210.480] WriteFile (in: hFile=0x15c, lpBuffer=0x12d44000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12d44000*, lpNumberOfBytesWritten=0x129a7d00*=0x20000, lpOverlapped=0x129a7d0c) returned 1 [0210.481] GetFileType (hFile=0x15c) returned 0x1 [0210.481] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0210.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0210.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0210.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0210.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0f0 | out: pbBuffer=0x12a9a0f0) returned 1 [0210.482] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotoptin.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0210.482] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0210.482] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c1c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c1c000*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0210.507] SetEvent (hEvent=0x110) returned 1 [0210.507] CloseHandle (hObject=0x3c4) returned 1 [0210.508] CloseHandle (hObject=0x15c) returned 1 [0210.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34568 | out: pbBuffer=0x12c34568) returned 1 [0210.524] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotoptin.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[101516E841DB9D03]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[101516e841db9d03]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0211.695] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0211.866] SetEvent (hEvent=0x420) returned 1 [0211.866] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\syncengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0211.917] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0211.917] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\syncengine.dll"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17410332, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17410332, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1c297983, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x130000)) returned 1 [0211.918] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0211.918] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0211.919] ReadFile (in: hFile=0x438, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x129add1c*=0x20000, lpOverlapped=0x0) returned 1 [0212.054] GetFileType (hFile=0x438) returned 0x1 [0212.054] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0212.054] WriteFile (in: hFile=0x438, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x129add00*=0x20000, lpOverlapped=0x129add0c) returned 1 [0212.055] GetFileType (hFile=0x438) returned 0x1 [0212.055] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0212.421] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0212.615] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe210ce16, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec58f0d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec58f0d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0212.617] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0212.618] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe210ce16, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe210ce16, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec58f0d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0212.633] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe210ce16, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe210ce16, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec58f0d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0212.633] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec58f0d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec58f0d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0212.633] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0212.633] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0212.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0212.728] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0212.729] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0212.731] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0212.731] WriteFile (in: hFile=0x3c4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0212.733] CloseHandle (hObject=0x3c4) returned 1 [0212.734] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec58f0d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec58f0d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0212.734] SetEvent (hEvent=0x40c) returned 1 [0212.734] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0212.968] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0213.123] SetEvent (hEvent=0xf4) returned 1 [0213.147] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0213.177] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0213.177] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb28, ulCount=0x10, ulNumEntriesRemoved=0x32affb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb28, ulNumEntriesRemoved=0x32affb0c) returned 0 [0213.190] SetEvent (hEvent=0x420) returned 1 [0213.190] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0213.200] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0213.200] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.200] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0213.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeea3742a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeea3742a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xef0c5c11, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0213.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0213.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0213.201] ReadFile (in: hFile=0x15c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x129a7d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0213.397] SetEvent (hEvent=0x110) returned 1 [0213.398] GetFileType (hFile=0x15c) returned 0x1 [0213.398] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.398] WriteFile (in: hFile=0x15c, lpBuffer=0x12c0a000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12c0a000*, lpNumberOfBytesWritten=0x129a7d00*=0x156c0, lpOverlapped=0x129a7d0c) returned 1 [0213.398] GetFileType (hFile=0x15c) returned 0x1 [0213.399] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0213.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0213.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0213.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0213.399] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0213.399] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0213.400] WriteFile (in: hFile=0x448, lpBuffer=0x12be6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12be6000*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0213.400] CloseHandle (hObject=0x448) returned 1 [0213.400] CloseHandle (hObject=0x15c) returned 1 [0213.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0213.400] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\#_THIS_FILE_IS_ENCRYPTED_[E69E42A996F4961A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\#_this_file_is_encrypted_[e69e42a996f4961a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.429] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0213.439] SetEvent (hEvent=0x420) returned 1 [0213.439] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.440] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0213.440] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0497564, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0497564, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0dfa874, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0213.440] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0213.440] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0213.440] ReadFile (in: hFile=0x15c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x129add1c*=0x172c0, lpOverlapped=0x0) returned 1 [0213.539] GetFileType (hFile=0x15c) returned 0x1 [0213.539] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0213.539] WriteFile (in: hFile=0x15c, lpBuffer=0x12bc8000*, nNumberOfBytesToWrite=0x172c0, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12bc8000*, lpNumberOfBytesWritten=0x129add00*=0x172c0, lpOverlapped=0x129add0c) returned 1 [0213.540] GetFileType (hFile=0x15c) returned 0x1 [0213.541] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x172c0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0213.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0213.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0213.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0213.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c35180 | out: pbBuffer=0x12c35180) returned 1 [0213.541] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.542] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0213.542] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0213.542] CloseHandle (hObject=0x3c4) returned 1 [0213.542] CloseHandle (hObject=0x15c) returned 1 [0213.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35198 | out: pbBuffer=0x12c35198) returned 1 [0213.542] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\#_THIS_FILE_IS_ENCRYPTED_[0836027C4FEE7A52]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\#_this_file_is_encrypted_[0836027c4fee7a52]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.544] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf89aa04e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf90f72a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf90f72a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.609] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.609] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf89aa04e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf89aa04e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf90f72a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0213.609] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf89aa04e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf89aa04e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf90f72a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.609] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf90f72a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf90f72a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf9608373, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.609] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.609] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0213.609] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0213.616] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.616] WriteFile (in: hFile=0x448, lpBuffer=0x12c90000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c90000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.618] CloseHandle (hObject=0x448) returned 1 [0213.618] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf90f72a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf90f72a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf9608373, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0213.623] SetEvent (hEvent=0x110) returned 1 [0213.624] SetEvent (hEvent=0x40c) returned 1 [0213.624] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9739439, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfa977fad, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfa977fad, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.633] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0213.709] SetEvent (hEvent=0x40c) returned 1 [0213.709] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.709] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9739439, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf9739439, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfa977fad, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0213.709] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9739439, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf9739439, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfa977fad, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.710] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa977fad, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfa977fad, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfaefb782, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.710] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.710] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0213.710] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.710] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.710] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0213.711] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.711] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.713] CloseHandle (hObject=0x1a0) returned 1 [0213.713] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa977fad, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfa977fad, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfaefb782, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0213.716] SetEvent (hEvent=0x420) returned 1 [0213.716] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb006851, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb3017e0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb3017e0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.716] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.717] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb006851, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb006851, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb3017e0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0213.717] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb006851, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb006851, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb3017e0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.717] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb3017e0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb3017e0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb622788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.717] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.718] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0213.718] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.718] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.718] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0213.719] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.719] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d04000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.721] CloseHandle (hObject=0x1a0) returned 1 [0213.721] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb3017e0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb3017e0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb622788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0213.722] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb969ac6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbe2e789, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbe2e789, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.725] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.725] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb969ac6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb969ac6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbe2e789, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0213.725] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb969ac6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb969ac6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbe2e789, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.725] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe2e789, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbe2e789, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbfd20c1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.725] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.725] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0213.725] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.726] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.726] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0213.726] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.727] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d12000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d12000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.728] CloseHandle (hObject=0x1a0) returned 1 [0213.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe2e789, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbe2e789, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbfd20c1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0213.732] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc090d46, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc2f31ae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc2f31ae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.746] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.746] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc090d46, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc090d46, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc2f31ae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0213.746] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc090d46, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc090d46, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc2f31ae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.747] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc2f31ae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc2f31ae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc63a815, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.747] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.747] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0213.747] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.747] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.747] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0213.761] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.806] WriteFile (in: hFile=0x438, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.809] CloseHandle (hObject=0x438) returned 1 [0213.809] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc2f31ae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc2f31ae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc63a815, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0213.814] SetEvent (hEvent=0xfc) returned 1 [0213.814] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc71f7fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcf9de36, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfcf9de36, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.814] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.814] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc71f7fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc71f7fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfcf9de36, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0213.815] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc71f7fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc71f7fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfcf9de36, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.815] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcf9de36, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcf9de36, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd4c8811, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x186c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.815] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.815] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0213.815] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.815] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.816] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0213.817] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.817] WriteFile (in: hFile=0x438, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.818] CloseHandle (hObject=0x438) returned 1 [0213.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcf9de36, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcf9de36, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd4c8811, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x186c0)) returned 1 [0213.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd587570, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe14cdcb, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe14cdcb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0213.820] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0213.820] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd587570, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd587570, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe14cdcb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0213.820] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd587570, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd587570, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe14cdcb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0213.820] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe14cdcb, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe14cdcb, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe388ff2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0213.820] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0213.820] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0213.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0213.820] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0213.821] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0213.821] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0213.821] WriteFile (in: hFile=0x438, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0213.823] CloseHandle (hObject=0x438) returned 1 [0213.823] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe14cdcb, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe14cdcb, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe388ff2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0213.824] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0213.824] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0213.824] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcf9de36, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcf9de36, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd4c8811, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x186c0)) returned 1 [0213.824] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e3e0 | out: pbBuffer=0x1280e3e0) returned 1 [0213.824] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae60 | out: pbBuffer=0x12a9ae60) returned 1 [0213.825] ReadFile (in: hFile=0x438, lpBuffer=0x12980000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12980000*, lpNumberOfBytesRead=0x12829d1c*=0x186c0, lpOverlapped=0x0) returned 1 [0213.905] GetFileType (hFile=0x438) returned 0x1 [0213.905] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.905] WriteFile (in: hFile=0x438, lpBuffer=0x129de000*, nNumberOfBytesToWrite=0x186c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x129de000*, lpNumberOfBytesWritten=0x12829d00*=0x186c0, lpOverlapped=0x12829d0c) returned 1 [0213.906] GetFileType (hFile=0x438) returned 0x1 [0213.906] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x186c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.906] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0213.906] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0213.906] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0213.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9af28 | out: pbBuffer=0x12a9af28) returned 1 [0213.907] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.907] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0213.907] WriteFile (in: hFile=0x3c4, lpBuffer=0x12924000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12924000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0213.907] CloseHandle (hObject=0x3c4) returned 1 [0213.908] CloseHandle (hObject=0x438) returned 1 [0213.908] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9af40 | out: pbBuffer=0x12a9af40) returned 1 [0213.908] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\#_THIS_FILE_IS_ENCRYPTED_[2B2D2CF856FA3ED0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\#_this_file_is_encrypted_[2b2d2cf856fa3ed0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.981] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.002] SetEvent (hEvent=0x420) returned 1 [0214.002] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.020] SetEvent (hEvent=0xfc) returned 1 [0214.020] SetEvent (hEvent=0xf4) returned 1 [0214.020] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.025] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.037] SetEvent (hEvent=0x3f8) returned 1 [0214.037] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.820] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.841] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.880] SetEvent (hEvent=0x1d0) returned 1 [0214.880] SetEvent (hEvent=0x1b8) returned 1 [0214.880] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0214.898] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.898] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x32affb28, ulCount=0x10, ulNumEntriesRemoved=0x32affb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x32affb28, ulNumEntriesRemoved=0x32affb0c) returned 0 [0214.898] SetEvent (hEvent=0x420) returned 1 [0214.898] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x1) returned 0x102 [0214.910] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.910] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0215.554] SetEvent (hEvent=0xf4) returned 1 [0215.555] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0225.003] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0225.794] SetEvent (hEvent=0x1b8) returned 1 [0225.794] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) Thread: id = 7 os_tid = 0x880 [0113.559] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3307ff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3307ff30*=0x1b4) returned 1 [0113.560] VirtualQuery (in: lpAddress=0x3307ff40, lpBuffer=0x3307ff40, dwLength=0x1c | out: lpBuffer=0x3307ff40*(BaseAddress=0x3307f000, AllocationBase=0x32f80000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0113.617] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1b8 [0113.618] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0113.862] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fad4, ulCount=0x10, ulNumEntriesRemoved=0x3307fab8, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fad4, ulNumEntriesRemoved=0x3307fab8) returned 0 [0113.862] SwitchToThread () returned 1 [0113.965] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fad4, ulCount=0x10, ulNumEntriesRemoved=0x3307fab8, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x3307fad4, ulNumEntriesRemoved=0x3307fab8) returned 1 [0122.836] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x3307fab4, fWait=0, lpdwFlags=0x3307fac4 | out: lpcbTransfer=0x3307fab4, lpdwFlags=0x3307fac4) returned 1 [0122.836] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fad4, ulCount=0x10, ulNumEntriesRemoved=0x3307fab8, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x3307fad4, ulNumEntriesRemoved=0x3307fab8) returned 1 [0124.000] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x3307fab4, fWait=0, lpdwFlags=0x3307fac4 | out: lpcbTransfer=0x3307fab4, lpdwFlags=0x3307fac4) returned 1 [0124.043] VirtualAlloc (lpAddress=0x0, dwSize=0xafc7c, flAllocationType=0x3000, flProtect=0x4) returned 0x33740000 [0124.064] SetEvent (hEvent=0x10c) returned 1 [0124.072] SetEvent (hEvent=0x110) returned 1 [0124.073] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0124.307] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x58, buf=0x128f4000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x58, lpOverlapped=0x128e6088) returned 0 [0124.308] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0124.428] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307facc, ulCount=0x10, ulNumEntriesRemoved=0x3307fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307facc, ulNumEntriesRemoved=0x3307fab0) returned 0 [0124.428] SetEvent (hEvent=0x1d0) returned 1 [0124.428] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fab4, ulCount=0x10, ulNumEntriesRemoved=0x3307fa98, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fab4, ulNumEntriesRemoved=0x3307fa98) returned 0 [0124.428] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fab4, ulCount=0x10, ulNumEntriesRemoved=0x3307fa98, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x3307fab4, ulNumEntriesRemoved=0x3307fa98) returned 1 [0127.654] WSAGetOverlappedResult (in: s=0x3e4, lpOverlapped=0x12b1c088, lpcbTransfer=0x3307fa94, fWait=0, lpdwFlags=0x3307faa4 | out: lpcbTransfer=0x3307fa94, lpdwFlags=0x3307faa4) returned 1 [0127.654] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fab4, ulCount=0x10, ulNumEntriesRemoved=0x3307fa98, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x3307fab4, ulNumEntriesRemoved=0x3307fa98) returned 1 [0129.578] WSAGetOverlappedResult (in: s=0x3e4, lpOverlapped=0x12b1c014, lpcbTransfer=0x3307fa94, fWait=0, lpdwFlags=0x3307faa4 | out: lpcbTransfer=0x3307fa94, lpdwFlags=0x3307faa4) returned 1 [0129.605] VirtualAlloc (lpAddress=0x12c18000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c18000 [0129.857] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x33ab0000 [0129.858] SetEvent (hEvent=0x3f4) returned 1 [0130.127] VirtualAlloc (lpAddress=0x12c20000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c20000 [0130.128] SetEvent (hEvent=0x3f4) returned 1 [0130.210] WSARecv (in: s=0x3e4, lpBuffers=0x12b1c040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x12b1c034, lpFlags=0x12b1c078*=0x0, lpOverlapped=0x12b1c014, lpCompletionRoutine=0x0 | out: lpBuffers=0x12b1c040*=((len=0x1000, buf=0x12bf0000)), lpNumberOfBytesRecvd=0x12b1c034*=0x2b6, lpFlags=0x12b1c078*=0x0, lpOverlapped=0x12b1c014) returned 0xffffffff [0130.460] VirtualAlloc (lpAddress=0x12c22000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c22000 [0130.460] VirtualAlloc (lpAddress=0x12c24000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c24000 [0130.461] VirtualAlloc (lpAddress=0x12c26000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c26000 [0130.891] VirtualAlloc (lpAddress=0x12c3e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c3e000 [0130.902] SetEvent (hEvent=0x10c) returned 1 [0130.902] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0130.945] SetEvent (hEvent=0x3f8) returned 1 [0130.945] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0130.961] SetEvent (hEvent=0x3f8) returned 1 [0130.961] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0130.976] SetEvent (hEvent=0x110) returned 1 [0130.976] SetEvent (hEvent=0x3f8) returned 1 [0130.976] SetEvent (hEvent=0x3f4) returned 1 [0130.976] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0131.015] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0131.015] SetEvent (hEvent=0x1d0) returned 1 [0131.015] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c3e000, nSize=0x64 | out: lpBuffer="") returned 0x35 [0131.060] VirtualAlloc (lpAddress=0x12c4a000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c4a000 [0131.061] VirtualAlloc (lpAddress=0x12c52000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c52000 [0131.062] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0xe40000 [0131.062] GetFileAttributesExW (in: lpFileName="cmd.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.com"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.063] CreateFileW (lpFileName="cmd.com" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.063] GetFileAttributesExW (in: lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.063] CreateFileW (lpFileName="cmd.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.063] GetFileAttributesExW (in: lpFileName="cmd.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.bat"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.063] CreateFileW (lpFileName="cmd.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.063] GetFileAttributesExW (in: lpFileName="cmd.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.cmd"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.063] CreateFileW (lpFileName="cmd.cmd" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.063] GetFileAttributesExW (in: lpFileName="cmd.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.vbs"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.063] CreateFileW (lpFileName="cmd.vbs" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.063] GetFileAttributesExW (in: lpFileName="cmd.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.vbe"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.063] CreateFileW (lpFileName="cmd.vbe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.064] GetFileAttributesExW (in: lpFileName="cmd.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.js"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.064] CreateFileW (lpFileName="cmd.js" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.064] GetFileAttributesExW (in: lpFileName="cmd.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.jse"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.064] CreateFileW (lpFileName="cmd.jse" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.064] GetFileAttributesExW (in: lpFileName="cmd.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.wsf"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.064] CreateFileW (lpFileName="cmd.wsf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.064] GetFileAttributesExW (in: lpFileName="cmd.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.wsh"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.064] CreateFileW (lpFileName="cmd.wsh" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.065] GetFileAttributesExW (in: lpFileName="cmd.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.msc"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.065] CreateFileW (lpFileName="cmd.msc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cmd.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.065] VirtualAlloc (lpAddress=0x12c54000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c54000 [0131.065] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x12c54000, nSize=0x64 | out: lpBuffer="") returned 0x63 [0131.065] VirtualAlloc (lpAddress=0x12c56000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c56000 [0131.066] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.com" (normalized: "c:\\windows\\syswow64\\cmd.com"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.067] CreateFileW (lpFileName="C:\\Windows\\system32\\cmd.com" (normalized: "c:\\windows\\syswow64\\cmd.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.067] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x129279bc | out: lpFileInformation=0x129279bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0131.087] VirtualAlloc (lpAddress=0x12c58000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c58000 [0131.087] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x12c58000, nSize=0x64 | out: lpBuffer="") returned 0x35 [0131.087] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0x129278bc | out: lpFileInformation=0x129278bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa5d0fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2aa5d0fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2aa5d0fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x31600)) returned 1 [0131.088] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0131.088] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x12927bf8 | out: lpMode=0x12927bf8) returned 0 [0131.088] GetProcAddress (hModule=0x75600000, lpProcName="CreatePipe") returned 0x75610540 [0131.088] CreatePipe (in: hReadPipe=0x12927c3c, hWritePipe=0x12927c40, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0x12927c3c*=0x408, hWritePipe=0x12927c40*=0x40c) returned 1 [0131.112] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12927c14 | out: lpMode=0x12927c14) returned 0 [0131.112] GetConsoleMode (in: hConsoleHandle=0x40c, lpMode=0x12927c14 | out: lpMode=0x12927c14) returned 0 [0131.112] CreatePipe (in: hReadPipe=0x12927c3c, hWritePipe=0x12927c40, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0x12927c3c*=0x410, hWritePipe=0x12927c40*=0x414) returned 1 [0131.112] GetConsoleMode (in: hConsoleHandle=0x410, lpMode=0x12927c14 | out: lpMode=0x12927c14) returned 0 [0131.112] GetConsoleMode (in: hConsoleHandle=0x414, lpMode=0x12927c14 | out: lpMode=0x12927c14) returned 0 [0131.112] GetProcAddress (hModule=0x75600000, lpProcName="GetEnvironmentStringsW") returned 0x7561aac0 [0131.113] GetEnvironmentStringsW () returned 0x3366fe80* [0131.113] VirtualAlloc (lpAddress=0x12c5a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c5a000 [0131.113] VirtualAlloc (lpAddress=0x12c5c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c5c000 [0131.113] VirtualAlloc (lpAddress=0x12c5e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c5e000 [0131.114] GetProcAddress (hModule=0x75600000, lpProcName="FreeEnvironmentStringsW") returned 0x7561a7e0 [0131.114] FreeEnvironmentStringsW (penv=0x3366fe80) returned 1 [0131.114] VirtualAlloc (lpAddress=0x12c60000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c60000 [0131.114] VirtualAlloc (lpAddress=0x12c62000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c62000 [0131.114] GetProcAddress (hModule=0x75600000, lpProcName="GetCurrentProcess") returned 0x756138c0 [0131.114] GetCurrentProcess () returned 0xffffffff [0131.115] GetProcAddress (hModule=0x75600000, lpProcName="DuplicateHandle") returned 0x75626640 [0131.115] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12a9a360, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12a9a360*=0x418) returned 1 [0131.115] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x40c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12a9a364, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12a9a364*=0x41c) returned 1 [0131.115] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x414, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x12a9a368, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x12a9a368*=0x420) returned 1 [0131.115] VirtualAlloc (lpAddress=0x12c64000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c64000 [0131.115] VirtualAlloc (lpAddress=0x12c68000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c68000 [0131.115] VirtualAlloc (lpAddress=0x12c6c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c6c000 [0131.116] GetProcAddress (hModule=0x75600000, lpProcName="CreateProcessW") returned 0x7561b000 [0131.116] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd /c ver", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x12c6c000, lpCurrentDirectory=0x0, lpStartupInfo=0x12927bc4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x418, hStdOutput=0x41c, hStdError=0x420), lpProcessInformation=0x12927ba0 | out: lpCommandLine="cmd /c ver", lpProcessInformation=0x12927ba0*(hProcess=0x424, hThread=0x3c4, dwProcessId=0x1054, dwThreadId=0x5c4)) returned 1 [0131.727] CloseHandle (hObject=0x3c4) returned 1 [0131.727] CloseHandle (hObject=0x420) returned 1 [0131.727] CloseHandle (hObject=0x41c) returned 1 [0131.727] CloseHandle (hObject=0x418) returned 1 [0131.727] CloseHandle (hObject=0x3fc) returned 1 [0131.727] CloseHandle (hObject=0x40c) returned 1 [0131.727] CloseHandle (hObject=0x414) returned 1 [0131.875] GetProcAddress (hModule=0x75600000, lpProcName="WaitForSingleObject") returned 0x75626820 [0131.875] WaitForSingleObject (hHandle=0x424, dwMilliseconds=0xffffffff) returned 0x0 [0157.579] ReadFile (in: hFile=0x408, lpBuffer=0x12b08002, nNumberOfBytesToRead=0x5fe, lpNumberOfBytesRead=0x12820eb8, lpOverlapped=0x0 | out: lpBuffer=0x12b08002*, lpNumberOfBytesRead=0x12820eb8*=0x28, lpOverlapped=0x0) returned 1 [0157.579] ReadFile (in: hFile=0x408, lpBuffer=0x12b0802a, nNumberOfBytesToRead=0x5d6, lpNumberOfBytesRead=0x12820eb8, lpOverlapped=0x0 | out: lpBuffer=0x12b0802a, lpNumberOfBytesRead=0x12820eb8*=0x0, lpOverlapped=0x0) returned 0 [0157.579] CloseHandle (hObject=0x408) returned 1 [0157.580] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0157.768] SetEvent (hEvent=0x1d0) returned 1 [0158.122] GetEnvironmentVariableW (in: lpName="PROCESSOR_ARCHITECTURE", lpBuffer=0x12c540d0, nSize=0x64 | out: lpBuffer="") returned 0x3 [0160.010] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1cb, buf=0x1286c5a0*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x1cb, lpOverlapped=0x128e6088) returned 0 [0160.072] CreateFileW (lpFileName="C:\\ProgramData\\Desktop" (normalized: "c:\\programdata\\desktop"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.073] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Desktop\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0160.073] CreateFileW (lpFileName="C:\\ProgramData\\Documents" (normalized: "c:\\programdata\\documents"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.073] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Documents\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0160.074] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0160.189] SetEvent (hEvent=0x1d0) returned 1 [0160.189] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0160.189] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0160.189] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f1a63, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f1a63, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66)) returned 1 [0160.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0160.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128100d0 | out: pbBuffer=0x128100d0) returned 1 [0160.191] ReadFile (in: hFile=0x424, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12925d1c*=0x66, lpOverlapped=0x0) returned 1 [0160.203] GetFileType (hFile=0x424) returned 0x1 [0160.203] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0160.203] WriteFile (in: hFile=0x424, lpBuffer=0x12c5e380*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12c5e380*, lpNumberOfBytesWritten=0x12925d00*=0x66, lpOverlapped=0x12925d0c) returned 1 [0160.203] GetFileType (hFile=0x424) returned 0x1 [0160.204] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x66, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0161.990] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a101 | out: pbBuffer=0x1286a101) returned 1 [0162.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a281 | out: pbBuffer=0x1286a281) returned 1 [0162.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a381 | out: pbBuffer=0x1286a381) returned 1 [0163.640] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0164.079] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0164.131] SetEvent (hEvent=0xfc) returned 1 [0164.131] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0164.254] SetEvent (hEvent=0xfc) returned 1 [0164.254] SetEvent (hEvent=0x1d0) returned 1 [0164.254] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0164.255] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0164.255] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0164.256] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0164.256] WriteFile (in: hFile=0x19c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0164.258] CloseHandle (hObject=0x19c) returned 1 [0164.258] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0164.259] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0164.259] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0164.259] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.259] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0164.259] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0164.261] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0164.261] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0164.261] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0164.261] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0164.262] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0164.262] WriteFile (in: hFile=0x19c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0164.264] CloseHandle (hObject=0x19c) returned 1 [0164.264] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a743f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0164.265] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0164.265] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0164.265] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.265] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0164.265] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0164.265] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0164.266] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0164.266] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0164.266] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0164.267] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0164.267] WriteFile (in: hFile=0x19c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0164.268] CloseHandle (hObject=0x19c) returned 1 [0164.269] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a743f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0164.269] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0164.269] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0164.269] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.269] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x87380caa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x87380caa, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 1 [0164.269] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0164.269] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0164.270] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0164.270] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0164.270] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0164.271] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0164.271] WriteFile (in: hFile=0x19c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0164.274] CloseHandle (hObject=0x19c) returned 1 [0164.275] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x87380caa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x87380caa, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0164.275] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0164.275] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x87380caa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x87380caa, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0164.276] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x87380caa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x87380caa, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.276] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7a88c0, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a88c0, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c90210, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeploymentConfiguration.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0164.276] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb33ac2, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1cb33ac2, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1cb9ca40, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4b480e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Manifest.xml", cAlternateFileName="")) returned 1 [0164.276] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1db44a9e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1db44a9e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c90210, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x0, dwReserved1=0x0, cFileName="UserDeploymentConfiguration.xml", cAlternateFileName="USERDE~1.XML")) returned 1 [0164.277] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1da81e72, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da81e72, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa4efc6e1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2f4107, dwReserved0=0x0, dwReserved1=0x0, cFileName="UserManifest.xml", cAlternateFileName="USERMA~1.XML")) returned 1 [0164.277] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0164.277] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0164.278] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0164.279] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0164.279] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0164.280] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0164.280] WriteFile (in: hFile=0x19c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0164.282] CloseHandle (hObject=0x19c) returned 1 [0164.282] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7a88c0, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a88c0, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c90210, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x266)) returned 1 [0164.283] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb33ac2, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1cb33ac2, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1cb9ca40, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4b480e)) returned 1 [0164.283] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1db44a9e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1db44a9e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c90210, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x266)) returned 1 [0164.284] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1da81e72, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da81e72, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa4efc6e1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2f4107)) returned 1 [0164.285] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0164.285] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0164.286] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), fInfoLevelId=0x0, lpFileInformation=0x12921ad0 | out: lpFileInformation=0x12921ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1db44a9e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1db44a9e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c90210, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x266)) returned 1 [0164.286] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a32c00 | out: pbBuffer=0x12a32c00) returned 1 [0164.286] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849a00 | out: pbBuffer=0x12849a00) returned 1 [0164.341] ReadFile (in: hFile=0x19c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12921d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12921d1c*=0x266, lpOverlapped=0x0) returned 1 [0164.350] GetFileType (hFile=0x19c) returned 0x1 [0164.350] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.350] WriteFile (in: hFile=0x19c, lpBuffer=0x12a4b180*, nNumberOfBytesToWrite=0x266, lpNumberOfBytesWritten=0x12921d00, lpOverlapped=0x12921d0c | out: lpBuffer=0x12a4b180*, lpNumberOfBytesWritten=0x12921d00*=0x266, lpOverlapped=0x12921d0c) returned 1 [0164.350] GetFileType (hFile=0x19c) returned 0x1 [0164.350] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x266, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0164.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0164.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0164.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849ab8 | out: pbBuffer=0x12849ab8) returned 1 [0164.353] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0164.353] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0164.353] WriteFile (in: hFile=0x408, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12921d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12921d0c*=0x276, lpOverlapped=0x0) returned 1 [0164.353] CloseHandle (hObject=0x408) returned 1 [0164.357] CloseHandle (hObject=0x19c) returned 1 [0164.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ad0 | out: pbBuffer=0x12849ad0) returned 1 [0164.357] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\#_THIS_FILE_IS_ENCRYPTED_[36AB2D0609B69680]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\#_this_file_is_encrypted_[36ab2d0609b69680]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0164.359] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0164.359] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0164.359] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), fInfoLevelId=0x0, lpFileInformation=0x12921ad0 | out: lpFileInformation=0x12921ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1da81e72, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da81e72, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa4efc6e1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2f4107)) returned 1 [0164.359] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a32e00 | out: pbBuffer=0x12a32e00) returned 1 [0164.359] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849b18 | out: pbBuffer=0x12849b18) returned 1 [0164.360] ReadFile (in: hFile=0x19c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12921d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12921d1c*=0x20000, lpOverlapped=0x0) returned 1 [0164.522] GetFileType (hFile=0x19c) returned 0x1 [0164.522] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.522] WriteFile (in: hFile=0x19c, lpBuffer=0x12b7e000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12921d00, lpOverlapped=0x12921d0c | out: lpBuffer=0x12b7e000*, lpNumberOfBytesWritten=0x12921d00*=0x20000, lpOverlapped=0x12921d0c) returned 1 [0164.523] GetFileType (hFile=0x19c) returned 0x1 [0164.523] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0164.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0164.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0164.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0164.524] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0164.524] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0164.524] WriteFile (in: hFile=0x41c, lpBuffer=0x12c3a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12921d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c3a000*, lpNumberOfBytesWritten=0x12921d0c*=0x276, lpOverlapped=0x0) returned 1 [0164.623] CloseHandle (hObject=0x41c) returned 1 [0165.730] CloseHandle (hObject=0x19c) returned 1 [0165.752] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914540 | out: pbBuffer=0x12914540) returned 1 [0165.962] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\#_THIS_FILE_IS_ENCRYPTED_[5BEA0FCEC1D46365]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\#_this_file_is_encrypted_[5bea0fcec1d46365]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0166.040] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0166.132] SetEvent (hEvent=0x40c) returned 1 [0166.132] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0166.132] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0166.132] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x844141f3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x844141f3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6448e57d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9786)) returned 1 [0166.132] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0166.132] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914598 | out: pbBuffer=0x12914598) returned 1 [0166.163] ReadFile (in: hFile=0x19c, lpBuffer=0x129e0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x129e0000*, lpNumberOfBytesRead=0x12925d1c*=0x9786, lpOverlapped=0x0) returned 1 [0166.273] GetFileType (hFile=0x19c) returned 0x1 [0166.273] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0166.273] WriteFile (in: hFile=0x19c, lpBuffer=0x12850000*, nNumberOfBytesToWrite=0x9786, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12850000*, lpNumberOfBytesWritten=0x12925d00*=0x9786, lpOverlapped=0x12925d0c) returned 1 [0166.273] GetFileType (hFile=0x19c) returned 0x1 [0166.274] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x9786, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0166.302] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0167.024] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0167.201] SetEvent (hEvent=0x420) returned 1 [0167.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0167.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0167.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0167.470] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848030 | out: pbBuffer=0x12848030) returned 1 [0167.471] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0167.471] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0167.471] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0167.512] CloseHandle (hObject=0x1a0) returned 1 [0167.528] CloseHandle (hObject=0x408) returned 1 [0167.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848048 | out: pbBuffer=0x12848048) returned 1 [0167.600] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[A4041C99F5201907]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[a4041c99f5201907]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0167.691] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0167.695] SetEvent (hEvent=0x40c) returned 1 [0167.695] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0167.695] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0167.695] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4f8c1, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4f8c1, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x645ce8f3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x8fa)) returned 1 [0167.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e620 | out: pbBuffer=0x1280e620) returned 1 [0167.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101e8 | out: pbBuffer=0x128101e8) returned 1 [0167.696] ReadFile (in: hFile=0x19c, lpBuffer=0x12cee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cee000*, lpNumberOfBytesRead=0x12925d1c*=0x8fa, lpOverlapped=0x0) returned 1 [0167.743] GetFileType (hFile=0x19c) returned 0x1 [0167.743] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.743] WriteFile (in: hFile=0x19c, lpBuffer=0x1286e000*, nNumberOfBytesToWrite=0x8fa, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x1286e000*, lpNumberOfBytesWritten=0x12925d00*=0x8fa, lpOverlapped=0x12925d0c) returned 1 [0167.744] GetFileType (hFile=0x19c) returned 0x1 [0167.744] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x8fa, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.744] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae01 | out: pbBuffer=0x1286ae01) returned 1 [0167.744] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af01 | out: pbBuffer=0x1286af01) returned 1 [0167.744] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b001 | out: pbBuffer=0x1286b001) returned 1 [0167.744] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102b0 | out: pbBuffer=0x128102b0) returned 1 [0167.744] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0167.745] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0167.745] WriteFile (in: hFile=0x424, lpBuffer=0x12916a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12916a00*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0167.745] CloseHandle (hObject=0x424) returned 1 [0167.751] CloseHandle (hObject=0x19c) returned 1 [0167.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102c8 | out: pbBuffer=0x128102c8) returned 1 [0167.756] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[2933485261CFCDE1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[2933485261cfcde1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0167.830] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0167.833] SetEvent (hEvent=0x40c) returned 1 [0167.833] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0167.833] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0167.833] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cc820c, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82cc820c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6452e5d6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xadce8)) returned 1 [0167.833] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a986e0 | out: pbBuffer=0x12a986e0) returned 1 [0167.833] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914fe0 | out: pbBuffer=0x12914fe0) returned 1 [0167.834] ReadFile (in: hFile=0x19c, lpBuffer=0x129e6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x129e6000*, lpNumberOfBytesRead=0x12923d1c*=0x20000, lpOverlapped=0x0) returned 1 [0167.859] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0167.859] SetEvent (hEvent=0x40c) returned 1 [0167.860] GetFileType (hFile=0x19c) returned 0x1 [0167.860] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.860] WriteFile (in: hFile=0x19c, lpBuffer=0x12b5e000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12b5e000*, lpNumberOfBytesWritten=0x12923d00*=0x20000, lpOverlapped=0x12923d0c) returned 1 [0167.861] GetFileType (hFile=0x19c) returned 0x1 [0167.861] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.862] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0167.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801681 | out: pbBuffer=0x12801681) returned 1 [0167.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801781 | out: pbBuffer=0x12801781) returned 1 [0167.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915098 | out: pbBuffer=0x12915098) returned 1 [0167.870] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0167.870] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0167.870] WriteFile (in: hFile=0x424, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0167.906] CloseHandle (hObject=0x424) returned 1 [0168.010] CloseHandle (hObject=0x19c) returned 1 [0168.017] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848000 | out: pbBuffer=0x12848000) returned 1 [0168.017] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[9FDF223DD32616EC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[9fdf223dd32616ec]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.252] SetEvent (hEvent=0x3f8) returned 1 [0168.252] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0168.253] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0168.253] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65b78136, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6)) returned 1 [0168.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0168.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d80 | out: pbBuffer=0x12848d80) returned 1 [0168.254] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b72000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b72000*, lpNumberOfBytesRead=0x12923d1c*=0x5fa6, lpOverlapped=0x0) returned 1 [0168.258] GetFileType (hFile=0x1a0) returned 0x1 [0168.258] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.258] WriteFile (in: hFile=0x1a0, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x5fa6, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12923d00*=0x5fa6, lpOverlapped=0x12923d0c) returned 1 [0168.258] GetFileType (hFile=0x1a0) returned 0x1 [0168.258] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x5fa6, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0168.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0168.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0168.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848eb8 | out: pbBuffer=0x12848eb8) returned 1 [0168.259] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0168.259] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0168.260] WriteFile (in: hFile=0x41c, lpBuffer=0x12b4c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b4c000*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0168.260] CloseHandle (hObject=0x41c) returned 1 [0168.264] CloseHandle (hObject=0x1a0) returned 1 [0168.298] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ed0 | out: pbBuffer=0x12848ed0) returned 1 [0168.298] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[B5175A7A13EB1F29]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[b5175a7a13eb1f29]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.599] SetEvent (hEvent=0x110) returned 1 [0168.600] SetEvent (hEvent=0x3f8) returned 1 [0168.600] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0168.600] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0168.600] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x654c802f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa)) returned 1 [0168.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844d00 | out: pbBuffer=0x12844d00) returned 1 [0168.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914bf8 | out: pbBuffer=0x12914bf8) returned 1 [0168.601] ReadFile (in: hFile=0x1a0, lpBuffer=0x129cc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x129cc000*, lpNumberOfBytesRead=0x12923d1c*=0x7fa, lpOverlapped=0x0) returned 1 [0168.605] GetFileType (hFile=0x1a0) returned 0x1 [0168.605] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.605] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a4e000*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12a4e000*, lpNumberOfBytesWritten=0x12923d00*=0x7fa, lpOverlapped=0x12923d0c) returned 1 [0168.605] GetFileType (hFile=0x1a0) returned 0x1 [0168.606] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x7fa, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801901 | out: pbBuffer=0x12801901) returned 1 [0168.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801a01 | out: pbBuffer=0x12801a01) returned 1 [0168.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b01 | out: pbBuffer=0x12801b01) returned 1 [0168.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914cc0 | out: pbBuffer=0x12914cc0) returned 1 [0168.606] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0168.607] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0168.607] WriteFile (in: hFile=0x41c, lpBuffer=0x12af4f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4f00*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0168.607] CloseHandle (hObject=0x41c) returned 1 [0168.611] CloseHandle (hObject=0x1a0) returned 1 [0168.614] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914cd8 | out: pbBuffer=0x12914cd8) returned 1 [0168.614] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[57FB1A353023334C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[57fb1a353023334c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.934] SetEvent (hEvent=0x3f8) returned 1 [0168.934] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0168.935] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0168.935] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8303f160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8303f160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6556f8c0, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5b20)) returned 1 [0168.935] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4e0 | out: pbBuffer=0x1280e4e0) returned 1 [0168.935] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a140 | out: pbBuffer=0x12a9a140) returned 1 [0168.936] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b90000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b90000*, lpNumberOfBytesRead=0x12923d1c*=0x5b20, lpOverlapped=0x0) returned 1 [0168.944] GetFileType (hFile=0x1a0) returned 0x1 [0168.944] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.944] WriteFile (in: hFile=0x1a0, lpBuffer=0x12afe000*, nNumberOfBytesToWrite=0x5b20, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12afe000*, lpNumberOfBytesWritten=0x12923d00*=0x5b20, lpOverlapped=0x12923d0c) returned 1 [0168.945] GetFileType (hFile=0x1a0) returned 0x1 [0168.945] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x5b20, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.945] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0168.945] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0168.946] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0168.946] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a208 | out: pbBuffer=0x12a9a208) returned 1 [0168.946] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0168.946] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0168.946] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0168.946] CloseHandle (hObject=0x42c) returned 1 [0168.954] CloseHandle (hObject=0x1a0) returned 1 [0168.965] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a220 | out: pbBuffer=0x12a9a220) returned 1 [0168.966] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[8716DDF546293E39]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[8716ddf546293e39]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.213] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0169.227] SetEvent (hEvent=0xfc) returned 1 [0169.227] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0169.227] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0169.228] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d85586, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d85586, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6598f087, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1a182)) returned 1 [0169.228] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e8e0 | out: pbBuffer=0x1280e8e0) returned 1 [0169.228] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a8e0 | out: pbBuffer=0x12a9a8e0) returned 1 [0169.229] ReadFile (in: hFile=0x3c4, lpBuffer=0x12d00000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d00000*, lpNumberOfBytesRead=0x12923d1c*=0x1a182, lpOverlapped=0x0) returned 1 [0169.234] GetFileType (hFile=0x3c4) returned 0x1 [0169.234] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.235] WriteFile (in: hFile=0x3c4, lpBuffer=0x12bd0000*, nNumberOfBytesToWrite=0x1a182, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12bd0000*, lpNumberOfBytesWritten=0x12923d00*=0x1a182, lpOverlapped=0x12923d0c) returned 1 [0169.235] GetFileType (hFile=0x3c4) returned 0x1 [0169.235] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x1a182, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.235] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd481 | out: pbBuffer=0x12afd481) returned 1 [0169.236] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd581 | out: pbBuffer=0x12afd581) returned 1 [0169.236] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd681 | out: pbBuffer=0x12afd681) returned 1 [0169.236] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a998 | out: pbBuffer=0x12a9a998) returned 1 [0169.236] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.237] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0169.237] WriteFile (in: hFile=0x42c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.237] CloseHandle (hObject=0x42c) returned 1 [0169.254] CloseHandle (hObject=0x3c4) returned 1 [0169.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a9b0 | out: pbBuffer=0x12a9a9b0) returned 1 [0169.259] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[B964149DD3765693]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[b964149dd3765693]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.396] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0169.469] SetEvent (hEvent=0xfc) returned 1 [0169.469] SetEvent (hEvent=0x1d0) returned 1 [0169.469] SwitchToThread () returned 1 [0169.477] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0169.530] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0169.570] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0169.604] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0169.688] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0169.714] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0169.849] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0169.885] SetEvent (hEvent=0x10c) returned 1 [0169.885] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0170.071] SetEvent (hEvent=0xfc) returned 1 [0170.093] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0170.153] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0170.153] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0170.176] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0170.176] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0170.176] SetEvent (hEvent=0x40c) returned 1 [0170.176] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0170.181] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0170.181] SetEvent (hEvent=0x3f8) returned 1 [0170.181] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0209.017] SetEvent (hEvent=0x3f8) returned 1 [0209.017] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0209.075] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0210.438] SetEvent (hEvent=0x10c) returned 1 [0210.438] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0214.891] SetEvent (hEvent=0x10c) returned 1 [0214.891] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0215.558] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0219.039] SetEvent (hEvent=0x3f8) returned 1 [0219.039] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0219.073] SetEvent (hEvent=0x3f8) returned 1 [0219.073] SetEvent (hEvent=0x1d0) returned 1 [0219.073] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\#_THIS_FILE_IS_ENCRYPTED_[5D688D09F1A4B856]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\#_this_file_is_encrypted_[5d688d09f1a4b856]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0219.791] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0221.477] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1cd, buf=0x128f43c0*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x1cd, lpOverlapped=0x128e6088) returned 0 [0221.731] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0221.746] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0222.147] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0222.148] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0222.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f7329ea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7329ea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f7cb58f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0222.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844500 | out: pbBuffer=0x12844500) returned 1 [0222.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128487b0 | out: pbBuffer=0x128487b0) returned 1 [0222.305] ReadFile (in: hFile=0x438, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12b05d1c*=0x27f2, lpOverlapped=0x0) returned 1 [0222.520] GetFileType (hFile=0x438) returned 0x1 [0222.520] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0222.520] WriteFile (in: hFile=0x438, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x27f2, lpNumberOfBytesWritten=0x12b05d00, lpOverlapped=0x12b05d0c | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12b05d00*=0x27f2, lpOverlapped=0x12b05d0c) returned 1 [0222.521] GetFileType (hFile=0x438) returned 0x1 [0222.521] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x27f2, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0222.671] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f96ed39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f96ed39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4fa075cf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0223.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0223.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0223.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0223.434] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849008 | out: pbBuffer=0x12849008) returned 1 [0223.434] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\collectonedrivelogs.bat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0223.435] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0223.435] WriteFile (in: hFile=0x450, lpBuffer=0x12ae2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ae2500*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0223.576] CloseHandle (hObject=0x450) returned 1 [0223.576] CloseHandle (hObject=0x1a0) returned 1 [0223.756] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0224.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849020 | out: pbBuffer=0x12849020) returned 1 [0224.007] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\collectonedrivelogs.bat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[B2A85B842EDA2626]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[b2a85b842eda2626]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0224.478] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0224.519] SetEvent (hEvent=0x19c) returned 1 [0224.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\exclusionlist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0224.520] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0224.520] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa075cf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4fa075cf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4fc43cb2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0224.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98340 | out: pbBuffer=0x12a98340) returned 1 [0224.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c343e8 | out: pbBuffer=0x12c343e8) returned 1 [0224.531] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0224.538] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0224.583] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0224.584] SetEvent (hEvent=0x110) returned 1 [0224.584] SetEvent (hEvent=0x19c) returned 1 [0224.584] SetEvent (hEvent=0x420) returned 1 [0224.603] ReadFile (in: hFile=0x450, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12be7d1c*=0x4e5f, lpOverlapped=0x0) returned 1 [0224.618] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0224.632] GetFileType (hFile=0x450) returned 0x1 [0224.632] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.632] WriteFile (in: hFile=0x450, lpBuffer=0x12d76000*, nNumberOfBytesToWrite=0x4e5f, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12d76000*, lpNumberOfBytesWritten=0x12be7d00*=0x4e5f, lpOverlapped=0x12be7d0c) returned 1 [0224.632] GetFileType (hFile=0x450) returned 0x1 [0224.632] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x4e5f, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0224.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0224.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0224.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c344a0 | out: pbBuffer=0x12c344a0) returned 1 [0224.634] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\exclusionlist.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0224.634] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0224.634] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0224.634] CloseHandle (hObject=0x42c) returned 1 [0224.634] CloseHandle (hObject=0x450) returned 1 [0224.635] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c344b8 | out: pbBuffer=0x12c344b8) returned 1 [0224.635] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\exclusionlist.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[8BCF0428F05F325F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[8bcf0428f05f325f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0224.743] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0224.850] SetEvent (hEvent=0x420) returned 1 [0224.850] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncconfig.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0224.850] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0224.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncconfig.exe"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5096097b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5096097b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50a920f2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x238c0)) returned 1 [0224.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844540 | out: pbBuffer=0x12844540) returned 1 [0224.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0224.851] ReadFile (in: hFile=0x438, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12be7d1c*=0x20000, lpOverlapped=0x0) returned 1 [0224.860] GetFileType (hFile=0x438) returned 0x1 [0224.860] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.860] WriteFile (in: hFile=0x438, lpBuffer=0x129e2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x129e2000*, lpNumberOfBytesWritten=0x12be7d00*=0x20000, lpOverlapped=0x12be7d0c) returned 1 [0224.860] GetFileType (hFile=0x438) returned 0x1 [0224.861] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.861] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0224.861] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0224.861] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0224.879] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0224.880] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncconfig.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0224.880] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0224.880] WriteFile (in: hFile=0x44c, lpBuffer=0x12cf6a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12cf6a00*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0224.880] CloseHandle (hObject=0x44c) returned 1 [0224.889] CloseHandle (hObject=0x438) returned 1 [0224.894] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0224.894] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncconfig.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[565C293D90F77FB0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[565c293d90f77fb0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0225.159] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0225.167] SetEvent (hEvent=0x3cc) returned 1 [0225.167] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\onedrive.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0225.167] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0225.168] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\onedrive.exe"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518475c3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518475c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519eadfe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0)) returned 1 [0225.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0225.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0225.168] ReadFile (in: hFile=0x438, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12be7d1c*=0x20000, lpOverlapped=0x0) returned 1 [0225.413] SetEvent (hEvent=0x110) returned 1 [0225.427] GetFileType (hFile=0x438) returned 0x1 [0225.427] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.427] WriteFile (in: hFile=0x438, lpBuffer=0x12c86000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12c86000*, lpNumberOfBytesWritten=0x12be7d00*=0x20000, lpOverlapped=0x12be7d0c) returned 1 [0225.429] GetFileType (hFile=0x438) returned 0x1 [0225.429] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0225.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0225.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0225.475] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0225.475] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\onedrive.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0225.475] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0225.476] WriteFile (in: hFile=0x44c, lpBuffer=0x12aea500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aea500*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0225.701] SetEvent (hEvent=0x110) returned 1 [0225.701] CloseHandle (hObject=0x44c) returned 1 [0225.701] CloseHandle (hObject=0x438) returned 1 [0225.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9e38 | out: pbBuffer=0x128e9e38) returned 1 [0225.702] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\onedrive.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[05851CF4B6ED669B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[05851cf4b6ed669b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0225.715] SetEvent (hEvent=0x40c) returned 1 [0225.715] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\syncengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0225.716] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0225.716] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\syncengine.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a649506, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a649506, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x624f252c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x3018c0)) returned 1 [0225.716] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f520 | out: pbBuffer=0x1280f520) returned 1 [0225.716] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9e80 | out: pbBuffer=0x128e9e80) returned 1 [0225.716] ReadFile (in: hFile=0x438, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12be7d1c*=0x20000, lpOverlapped=0x0) returned 1 [0225.749] GetFileType (hFile=0x438) returned 0x1 [0225.749] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.749] WriteFile (in: hFile=0x438, lpBuffer=0x12d6a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12d6a000*, lpNumberOfBytesWritten=0x12be7d00*=0x20000, lpOverlapped=0x12be7d0c) returned 1 [0225.750] GetFileType (hFile=0x438) returned 0x1 [0225.750] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0225.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0225.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0225.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810070 | out: pbBuffer=0x12810070) returned 1 [0225.750] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\syncengine.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0225.750] GetConsoleMode (in: hConsoleHandle=0x454, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0225.750] WriteFile (in: hFile=0x454, lpBuffer=0x12c18500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c18500*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0225.763] CloseHandle (hObject=0x454) returned 1 [0225.781] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0225.828] CloseHandle (hObject=0x438) returned 1 [0225.835] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848020 | out: pbBuffer=0x12848020) returned 1 [0225.835] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\syncengine.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[E6F01D4BE938B936]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[e6f01d4be938b936]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0226.829] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0227.020] SetEvent (hEvent=0x40c) returned 1 [0227.040] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wnsclientapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0227.095] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0227.095] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wnsclientapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68b901fc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d6c0)) returned 1 [0227.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0227.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0227.157] ReadFile (in: hFile=0x42c, lpBuffer=0x1297a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x1297a000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0227.249] GetFileType (hFile=0x42c) returned 0x1 [0227.250] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0227.250] WriteFile (in: hFile=0x42c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0227.251] GetFileType (hFile=0x42c) returned 0x1 [0227.252] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0228.142] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0228.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0228.525] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0228.825] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0228.835] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wnsclientapi.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0228.835] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0228.835] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0228.868] CloseHandle (hObject=0x450) returned 1 [0228.868] CloseHandle (hObject=0x42c) returned 1 [0228.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0228.869] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wnsclientapi.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[CDC9DDEF5EC358AD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[cdc9ddef5ec358ad]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0228.870] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c2bee50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c7a9cca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c7a9cca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0228.870] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0228.871] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c2bee50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2bee50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c7a9cca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0228.871] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c2bee50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2bee50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c7a9cca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.871] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c7a9cca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c7a9cca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4caa4b91, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0228.871] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0228.871] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0228.871] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.871] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.872] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0228.872] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0228.872] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0228.874] CloseHandle (hObject=0x42c) returned 1 [0228.874] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c7a9cca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c7a9cca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4caa4b91, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0228.875] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cfdbdcf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4e9ef895, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4e9ef895, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0228.875] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0228.875] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cfdbdcf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4cfdbdcf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4e9ef895, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0228.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cfdbdcf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4cfdbdcf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4e9ef895, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e9ef895, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4e9ef895, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4edf5bbb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0228.875] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0228.875] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0228.876] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0228.878] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0228.878] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0228.879] CloseHandle (hObject=0x42c) returned 1 [0228.880] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e9ef895, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4e9ef895, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4edf5bbb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0228.880] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0228.881] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0228.881] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c7a9cca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c7a9cca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4caa4b91, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0228.881] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282c0 | out: pbBuffer=0x129282c0) returned 1 [0228.881] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8c00 | out: pbBuffer=0x128e8c00) returned 1 [0228.882] ReadFile (in: hFile=0x42c, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12829d1c*=0x152c0, lpOverlapped=0x0) returned 1 [0229.004] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0229.135] SetEvent (hEvent=0x19c) returned 1 [0229.136] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0229.920] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.008] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.286] SetEvent (hEvent=0x3cc) returned 1 [0230.286] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.304] SetEvent (hEvent=0x454) returned 1 [0230.305] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.315] SetEvent (hEvent=0x454) returned 1 [0230.315] SetEvent (hEvent=0xfc) returned 1 [0230.315] SwitchToThread () returned 1 [0230.334] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.360] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.677] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.971] SetEvent (hEvent=0x40c) returned 1 [0230.971] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.975] SetEvent (hEvent=0xfc) returned 1 [0230.975] SetEvent (hEvent=0x1d0) returned 1 [0230.975] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.992] SetEvent (hEvent=0xfc) returned 1 [0230.992] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0230.994] SetEvent (hEvent=0xfc) returned 1 [0230.994] SetEvent (hEvent=0x454) returned 1 [0230.994] SwitchToThread () returned 1 [0230.995] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0231.037] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0231.090] SetEvent (hEvent=0x454) returned 1 [0231.091] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.091] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.091] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65834c57, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65834c57, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65b2fd08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0231.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0231.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0231.091] ReadFile (in: hFile=0x42c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12be9d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0231.198] GetFileType (hFile=0x42c) returned 0x1 [0231.198] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.198] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be9d00*=0x156c0, lpOverlapped=0x12be9d0c) returned 1 [0231.199] GetFileType (hFile=0x42c) returned 0x1 [0231.199] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0231.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0231.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0231.200] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a368 | out: pbBuffer=0x12a9a368) returned 1 [0231.200] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0231.200] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.200] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b00500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b00500*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.200] CloseHandle (hObject=0x3e4) returned 1 [0231.200] CloseHandle (hObject=0x42c) returned 1 [0231.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a380 | out: pbBuffer=0x12a9a380) returned 1 [0231.201] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\#_THIS_FILE_IS_ENCRYPTED_[1BA867400E084054]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\#_this_file_is_encrypted_[1ba867400e084054]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.224] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0231.237] SetEvent (hEvent=0x454) returned 1 [0231.237] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.237] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.237] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6787d40a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6787d40a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67b05aac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0231.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0231.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0231.238] ReadFile (in: hFile=0x42c, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x1282fd1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0231.290] GetFileType (hFile=0x42c) returned 0x1 [0231.291] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.291] WriteFile (in: hFile=0x42c, lpBuffer=0x12bc6000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12bc6000*, lpNumberOfBytesWritten=0x1282fd00*=0x15ec0, lpOverlapped=0x1282fd0c) returned 1 [0231.292] GetFileType (hFile=0x42c) returned 0x1 [0231.292] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.292] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0231.292] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0231.292] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0231.293] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80b0 | out: pbBuffer=0x128e80b0) returned 1 [0231.293] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.293] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.294] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0231.294] CloseHandle (hObject=0x458) returned 1 [0231.294] CloseHandle (hObject=0x42c) returned 1 [0231.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80c8 | out: pbBuffer=0x128e80c8) returned 1 [0231.295] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\#_THIS_FILE_IS_ENCRYPTED_[8FEEF6909DD10252]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\#_this_file_is_encrypted_[8feef6909dd10252]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.299] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.299] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x694c8d43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x694c8d43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x69b573d0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0231.299] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0231.300] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8110 | out: pbBuffer=0x128e8110) returned 1 [0231.300] ReadFile (in: hFile=0x42c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x164c0, lpOverlapped=0x0) returned 1 [0231.338] GetFileType (hFile=0x42c) returned 0x1 [0231.338] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.338] WriteFile (in: hFile=0x42c, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x1282fd00*=0x164c0, lpOverlapped=0x1282fd0c) returned 1 [0231.339] GetFileType (hFile=0x42c) returned 0x1 [0231.339] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0231.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0231.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0231.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0231.340] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.340] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.340] WriteFile (in: hFile=0x458, lpBuffer=0x12afa500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12afa500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0231.340] CloseHandle (hObject=0x458) returned 1 [0231.341] CloseHandle (hObject=0x42c) returned 1 [0231.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0231.341] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\#_THIS_FILE_IS_ENCRYPTED_[0F84DE33687B75D0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\#_this_file_is_encrypted_[0f84de33687b75d0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.342] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aeebefe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6b2cbc78, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b2cbc78, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0231.343] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.343] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aeebefe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6aeebefe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b2cbc78, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0231.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aeebefe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6aeebefe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b2cbc78, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b2cbc78, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6b2cbc78, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0231.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0231.343] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0231.343] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.343] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.345] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0231.345] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0231.346] CloseHandle (hObject=0x42c) returned 1 [0231.346] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b2cbc78, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6b2cbc78, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0231.351] SetEvent (hEvent=0x3f4) returned 1 [0231.351] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56d10fdf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56d10fdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x571d59f7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40)) returned 1 [0231.351] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wlmfds.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6675a388, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6675a388, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x679d4966, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x684c0)) returned 1 [0231.352] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.352] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.352] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56d10fdf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56d10fdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x571d59f7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40)) returned 1 [0231.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844540 | out: pbBuffer=0x12844540) returned 1 [0231.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109a0 | out: pbBuffer=0x128109a0) returned 1 [0231.353] ReadFile (in: hFile=0x438, lpBuffer=0x12c06000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c06000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0231.360] GetFileType (hFile=0x438) returned 0x1 [0231.360] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.360] WriteFile (in: hFile=0x438, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0231.361] GetFileType (hFile=0x438) returned 0x1 [0231.361] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.362] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0231.362] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0231.362] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0231.362] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810a58 | out: pbBuffer=0x12810a58) returned 1 [0231.362] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmapi.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.362] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.363] WriteFile (in: hFile=0x458, lpBuffer=0x12a4c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a4c500*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.363] CloseHandle (hObject=0x458) returned 1 [0231.363] CloseHandle (hObject=0x438) returned 1 [0231.363] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810a70 | out: pbBuffer=0x12810a70) returned 1 [0231.363] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmapi.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[F2E3776F77EC92DE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[f2e3776f77ec92de]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.525] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0231.675] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0231.676] SetEvent (hEvent=0x3cc) returned 1 [0231.676] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0231.678] SetEvent (hEvent=0x3cc) returned 1 [0231.678] SetEvent (hEvent=0x40c) returned 1 [0231.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0231.678] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.679] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0231.679] WriteFile (in: hFile=0x42c, lpBuffer=0x129c4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x129c4500*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.679] CloseHandle (hObject=0x42c) returned 1 [0231.679] CloseHandle (hObject=0x44c) returned 1 [0231.679] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810050 | out: pbBuffer=0x12810050) returned 1 [0231.680] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\#_THIS_FILE_IS_ENCRYPTED_[B8815803C0E14654]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\#_this_file_is_encrypted_[b8815803c0e14654]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.681] SwitchToThread () returned 1 [0231.690] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0231.729] SetEvent (hEvent=0x1d0) returned 1 [0231.729] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplaylogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.730] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.730] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ca5e9b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2ca5e9b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd2dd71af, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0231.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e420 | out: pbBuffer=0x1280e420) returned 1 [0231.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848520 | out: pbBuffer=0x12848520) returned 1 [0231.731] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12be9d1c*=0x123c, lpOverlapped=0x0) returned 1 [0231.739] GetFileType (hFile=0x458) returned 0x1 [0231.739] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.739] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x123c, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12be9d00*=0x123c, lpOverlapped=0x12be9d0c) returned 1 [0231.739] GetFileType (hFile=0x458) returned 0x1 [0231.739] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x123c, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0231.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0231.740] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0231.744] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128485f8 | out: pbBuffer=0x128485f8) returned 1 [0231.744] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplaylogo.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.745] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.745] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.745] CloseHandle (hObject=0x438) returned 1 [0231.745] CloseHandle (hObject=0x458) returned 1 [0231.745] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0231.746] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplaylogo.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[2F552C93F020E69F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[2f552c93f020e69f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.902] SetEvent (hEvent=0x110) returned 1 [0231.902] SetEvent (hEvent=0xfc) returned 1 [0231.902] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\etwlog.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.903] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.903] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd410ff09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd410ff09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd4810e0d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0231.903] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284c0 | out: pbBuffer=0x129284c0) returned 1 [0231.903] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a170 | out: pbBuffer=0x12a9a170) returned 1 [0231.904] ReadFile (in: hFile=0x458, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x12be9d1c*=0x72c0, lpOverlapped=0x0) returned 1 [0231.908] GetFileType (hFile=0x458) returned 0x1 [0231.908] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.908] WriteFile (in: hFile=0x458, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x72c0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12be9d00*=0x72c0, lpOverlapped=0x12be9d0c) returned 1 [0231.909] GetFileType (hFile=0x458) returned 0x1 [0231.909] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x72c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.909] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0231.909] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0231.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0231.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a248 | out: pbBuffer=0x12a9a248) returned 1 [0231.910] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\etwlog.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.910] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.910] WriteFile (in: hFile=0x42c, lpBuffer=0x12aee500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee500*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.910] CloseHandle (hObject=0x42c) returned 1 [0231.914] CloseHandle (hObject=0x458) returned 1 [0231.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a260 | out: pbBuffer=0x12a9a260) returned 1 [0231.917] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\etwlog.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[72DD10F739F7572E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[72dd10f739f7572e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0232.103] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0232.920] SwitchToThread () returned 1 [0233.038] SetEvent (hEvent=0x3f4) returned 1 [0233.057] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0233.071] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0233.172] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe663028c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe663028c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe6d7d6ed, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x362c0)) returned 1 [0233.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280fc60 | out: pbBuffer=0x1280fc60) returned 1 [0233.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849b60 | out: pbBuffer=0x12849b60) returned 1 [0233.342] ReadFile (in: hFile=0x458, lpBuffer=0x12a08000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a08000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0233.417] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0233.507] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0233.546] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0233.555] SetEvent (hEvent=0x110) returned 1 [0233.555] SetEvent (hEvent=0x40c) returned 1 [0233.779] GetFileType (hFile=0x458) returned 0x1 [0233.780] SetEvent (hEvent=0xfc) returned 1 [0233.780] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0234.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0234.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0234.418] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0234.555] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80d0 | out: pbBuffer=0x128e80d0) returned 1 [0234.555] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncapi.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0234.555] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0234.555] WriteFile (in: hFile=0x45c, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0234.556] CloseHandle (hObject=0x45c) returned 1 [0234.556] CloseHandle (hObject=0x458) returned 1 [0234.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80e8 | out: pbBuffer=0x128e80e8) returned 1 [0234.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8290 | out: pbBuffer=0x128e8290) returned 1 [0234.845] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncconfig.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0234.845] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0234.846] WriteFile (in: hFile=0x3e4, lpBuffer=0x128ac500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128ac500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0234.846] CloseHandle (hObject=0x3e4) returned 1 [0234.846] CloseHandle (hObject=0x44c) returned 1 [0234.846] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e82a8 | out: pbBuffer=0x128e82a8) returned 1 [0234.847] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncconfig.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[88160600767F6500]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[88160600767f6500]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0234.849] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncsessions.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0234.850] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0234.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncsessions.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf016ee08, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf016ee08, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf515bba6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0)) returned 1 [0234.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a6a2a0 | out: pbBuffer=0x12a6a2a0) returned 1 [0234.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8320 | out: pbBuffer=0x128e8320) returned 1 [0234.852] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0234.929] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0235.202] GetFileType (hFile=0x44c) returned 0x1 [0235.202] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0235.202] WriteFile (in: hFile=0x44c, lpBuffer=0x129b6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x129b6000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0235.204] GetFileType (hFile=0x44c) returned 0x1 [0235.204] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0235.204] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0235.204] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0235.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0235.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8498 | out: pbBuffer=0x128e8498) returned 1 [0235.205] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncsessions.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0235.205] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0235.205] WriteFile (in: hFile=0x42c, lpBuffer=0x128aca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128aca00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0235.626] CloseHandle (hObject=0x42c) returned 1 [0235.726] CloseHandle (hObject=0x44c) returned 1 [0235.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8578 | out: pbBuffer=0x128e8578) returned 1 [0235.868] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncsessions.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[BF4B020E9348D748]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[bf4b020e9348d748]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.207] SetEvent (hEvent=0x110) returned 1 [0236.207] SetEvent (hEvent=0x19c) returned 1 [0236.207] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotlogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0236.207] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0236.207] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotlogo.png"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178673a6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x178673a6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x18f80014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x124b)) returned 1 [0236.208] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0236.208] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810078 | out: pbBuffer=0x12810078) returned 1 [0236.208] ReadFile (in: hFile=0x44c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x1282fd1c*=0x124b, lpOverlapped=0x0) returned 1 [0236.216] GetFileType (hFile=0x44c) returned 0x1 [0236.216] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0236.216] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x124b, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282fd00*=0x124b, lpOverlapped=0x1282fd0c) returned 1 [0236.216] GetFileType (hFile=0x44c) returned 0x1 [0236.216] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x124b, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0236.217] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0236.217] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0236.217] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0236.217] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810490 | out: pbBuffer=0x12810490) returned 1 [0236.217] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotlogo.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0236.217] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0236.217] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0236.217] CloseHandle (hObject=0x3e4) returned 1 [0236.221] CloseHandle (hObject=0x44c) returned 1 [0236.223] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104a8 | out: pbBuffer=0x128104a8) returned 1 [0236.223] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotlogo.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[0BBB062EC746A667]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[0bbb062ec746a667]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.546] SetEvent (hEvent=0x19c) returned 1 [0236.546] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\telemetry.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0236.547] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0236.547] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\telemetry.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2da1851d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2da1851d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3089629e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x494c0)) returned 1 [0236.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0236.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ca0 | out: pbBuffer=0x12c34ca0) returned 1 [0236.547] ReadFile (in: hFile=0x3e4, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0236.694] GetFileType (hFile=0x3e4) returned 0x1 [0236.694] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0236.694] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0236.695] GetFileType (hFile=0x3e4) returned 0x1 [0236.695] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0236.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0236.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0236.696] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0236.696] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34e98 | out: pbBuffer=0x12c34e98) returned 1 [0236.696] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\telemetry.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0236.696] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0236.696] WriteFile (in: hFile=0x45c, lpBuffer=0x128ac500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128ac500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0236.913] SetEvent (hEvent=0x110) returned 1 [0236.913] CloseHandle (hObject=0x45c) returned 1 [0236.913] CloseHandle (hObject=0x3e4) returned 1 [0236.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128107b8 | out: pbBuffer=0x128107b8) returned 1 [0236.913] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\telemetry.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[B02860C882C2CA2B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[b02860c882c2ca2b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.914] SetEvent (hEvent=0x1d0) returned 1 [0236.915] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0236.915] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0236.915] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3beb3411, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3beb3411, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c1fa809, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x114c0)) returned 1 [0236.916] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98820 | out: pbBuffer=0x12a98820) returned 1 [0236.916] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810800 | out: pbBuffer=0x12810800) returned 1 [0236.916] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0236.926] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0236.940] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0236.940] SetEvent (hEvent=0x1d0) returned 1 [0236.941] ReadFile (in: hFile=0x3e4, lpBuffer=0x129c0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129c0000*, lpNumberOfBytesRead=0x1282fd1c*=0x114c0, lpOverlapped=0x0) returned 1 [0236.945] GetFileType (hFile=0x3e4) returned 0x1 [0236.945] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0236.945] WriteFile (in: hFile=0x3e4, lpBuffer=0x12bd0000*, nNumberOfBytesToWrite=0x114c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12bd0000*, lpNumberOfBytesWritten=0x1282fd00*=0x114c0, lpOverlapped=0x1282fd0c) returned 1 [0236.946] GetFileType (hFile=0x3e4) returned 0x1 [0236.946] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x114c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0236.946] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0236.947] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0236.947] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0236.947] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128108b8 | out: pbBuffer=0x128108b8) returned 1 [0236.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0236.948] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0236.948] WriteFile (in: hFile=0x45c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0236.948] CloseHandle (hObject=0x45c) returned 1 [0236.948] CloseHandle (hObject=0x3e4) returned 1 [0236.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128108d0 | out: pbBuffer=0x128108d0) returned 1 [0236.948] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\#_THIS_FILE_IS_ENCRYPTED_[E62A79757FB7960B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\#_this_file_is_encrypted_[e62a79757fb7960b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.950] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0236.957] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0236.957] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0236.965] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0236.966] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0236.969] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0236.969] SetEvent (hEvent=0x110) returned 1 [0236.970] SetEvent (hEvent=0x1d0) returned 1 [0236.970] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0236.975] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0236.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c2b9548, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fa9af2b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0236.975] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0236.975] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c2b9548, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fa9af2b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0236.976] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c2b9548, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fa9af2b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0236.976] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c993fab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c993fab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3e46677b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x45cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncApi64.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0236.976] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f15d6eb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f15d6eb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x439eedd5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x18f6c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncShell64.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0236.976] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448d594d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x448d594d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45ee3647, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x210c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LoggingPlatform64.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0236.976] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x471cffdb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x471cffdb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4a322aae, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xa12a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0236.976] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa9af2b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x59bfc168, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0236.976] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0236.976] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0237.001] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0237.003] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.003] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.004] CloseHandle (hObject=0x42c) returned 1 [0237.005] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncapi64.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c993fab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c993fab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3e46677b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x45cc0)) returned 1 [0237.011] SetEvent (hEvent=0x420) returned 1 [0237.011] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncshell64.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f15d6eb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f15d6eb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x439eedd5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x18f6c0)) returned 1 [0237.012] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\loggingplatform64.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448d594d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x448d594d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45ee3647, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x210c0)) returned 1 [0237.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x471cffdb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x471cffdb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4a322aae, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xa12a0)) returned 1 [0237.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa9af2b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x59bfc168, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a0)) returned 1 [0237.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.043] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll\\*", lpFindFileData=0x12a65a44 | out: lpFindFileData=0x12a65a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0237.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.044] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll\\*", lpFindFileData=0x12a65a44 | out: lpFindFileData=0x12a65a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0237.044] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bc05a4c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c3eb6a8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c3eb6a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.060] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bc05a4c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5bc05a4c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c3eb6a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0237.060] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bc05a4c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5bc05a4c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c3eb6a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.060] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c3eb6a8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c3eb6a8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.061] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.061] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0237.061] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0237.062] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.062] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.064] CloseHandle (hObject=0x42c) returned 1 [0237.064] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c3eb6a8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c3eb6a8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0)) returned 1 [0237.065] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c758e02, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d1a1361, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d1a1361, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.065] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.065] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c758e02, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c758e02, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d1a1361, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0237.065] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c758e02, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c758e02, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d1a1361, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.065] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d1a1361, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d1a1361, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d7e32a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.065] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.066] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0237.066] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.066] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.066] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0237.067] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.067] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.070] CloseHandle (hObject=0x42c) returned 1 [0237.071] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d1a1361, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d1a1361, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d7e32a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0237.078] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60ab3475, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x63c7855a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63c7855a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.101] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.101] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60ab3475, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x60ab3475, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63c7855a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0237.102] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60ab3475, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x60ab3475, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63c7855a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.102] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63c7855a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x63c7855a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x66788e59, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.102] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.102] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0237.102] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.102] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.102] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0237.120] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.120] WriteFile (in: hFile=0x458, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.121] CloseHandle (hObject=0x458) returned 1 [0237.122] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63c7855a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x63c7855a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x66788e59, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0237.128] SetEvent (hEvent=0x1d0) returned 1 [0237.128] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66c4da1e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x676496c0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x676496c0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.143] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.143] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66c4da1e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x66c4da1e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x676496c0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0237.144] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66c4da1e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x66c4da1e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x676496c0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.144] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x676496c0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x676496c0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6836654c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.144] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.144] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0237.144] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.144] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.144] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0237.145] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.145] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.147] CloseHandle (hObject=0x3e4) returned 1 [0237.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x676496c0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x676496c0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6836654c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0237.173] SetEvent (hEvent=0x110) returned 1 [0237.173] SetEvent (hEvent=0x40c) returned 1 [0237.173] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68687798, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6c2bae6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6c2bae6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.174] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.174] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68687798, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x68687798, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6c2bae6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0237.174] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68687798, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x68687798, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6c2bae6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.174] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bae6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6c2bae6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6e062107, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.174] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.174] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0237.174] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.176] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.176] WriteFile (in: hFile=0x450, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.177] CloseHandle (hObject=0x450) returned 1 [0237.177] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bae6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6c2bae6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6e062107, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0237.181] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0237.242] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e3f5924, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6ec4dc4a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6ec4dc4a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.366] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.366] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e3f5924, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6e3f5924, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6ec4dc4a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0237.367] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e3f5924, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6e3f5924, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6ec4dc4a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.367] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec4dc4a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6ec4dc4a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6f91e779, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.367] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.367] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0237.367] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.367] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.368] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.369] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.369] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.393] CloseHandle (hObject=0x44c) returned 1 [0237.393] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec4dc4a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6ec4dc4a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6f91e779, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0237.400] SetEvent (hEvent=0x40c) returned 1 [0237.400] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fb80d93, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x70b72988, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x70b72988, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.407] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fb80d93, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6fb80d93, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x70b72988, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0237.407] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fb80d93, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6fb80d93, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x70b72988, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.407] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b72988, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x70b72988, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x71e855e0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.407] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.407] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0237.408] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.408] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.408] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.409] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.409] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.410] CloseHandle (hObject=0x44c) returned 1 [0237.410] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b72988, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x70b72988, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x71e855e0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0237.420] SetEvent (hEvent=0x40c) returned 1 [0237.420] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72a24d87, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c9f0fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c9f0fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.421] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.421] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72a24d87, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x72a24d87, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c9f0fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0237.422] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72a24d87, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x72a24d87, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c9f0fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.422] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c9f0fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c9f0fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.422] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.422] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0237.422] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.423] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.423] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.424] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.424] WriteFile (in: hFile=0x450, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.426] CloseHandle (hObject=0x450) returned 1 [0237.426] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c9f0fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c9f0fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0237.426] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7400c6b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7445ea47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7445ea47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.427] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.427] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7400c6b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7400c6b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7445ea47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0237.427] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7400c6b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7400c6b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7445ea47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.427] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7445ea47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7445ea47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7470d604, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.427] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.428] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0237.428] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.428] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.428] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.429] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.429] WriteFile (in: hFile=0x450, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.431] CloseHandle (hObject=0x450) returned 1 [0237.431] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7445ea47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7445ea47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7470d604, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0237.431] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x747a5fbd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74ac7152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74ac7152, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.432] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.432] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x747a5fbd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x747a5fbd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74ac7152, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0237.433] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x747a5fbd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x747a5fbd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74ac7152, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.433] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74ac7152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74ac7152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74d75bd7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.433] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.433] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0237.433] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.433] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.433] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.434] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.434] WriteFile (in: hFile=0x450, lpBuffer=0x12850000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12850000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.435] CloseHandle (hObject=0x450) returned 1 [0237.435] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74ac7152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74ac7152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74d75bd7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0237.438] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74e0e5c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7512f465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7512f465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.446] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.446] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74e0e5c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74e0e5c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7512f465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0237.447] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74e0e5c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74e0e5c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7512f465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.447] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7512f465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7512f465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7568cb81, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.447] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.447] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0237.447] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.447] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.448] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.449] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.449] WriteFile (in: hFile=0x44c, lpBuffer=0x12851300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12851300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.451] CloseHandle (hObject=0x44c) returned 1 [0237.451] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7512f465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7512f465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7568cb81, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0237.452] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.453] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.453] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74ac7152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74ac7152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74d75bd7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0237.453] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0237.453] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e96e0 | out: pbBuffer=0x128e96e0) returned 1 [0237.453] ReadFile (in: hFile=0x44c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a65d1c*=0x168c0, lpOverlapped=0x0) returned 1 [0237.540] GetFileType (hFile=0x44c) returned 0x1 [0237.540] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.540] WriteFile (in: hFile=0x44c, lpBuffer=0x12980000*, nNumberOfBytesToWrite=0x168c0, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12980000*, lpNumberOfBytesWritten=0x12a65d00*=0x168c0, lpOverlapped=0x12a65d0c) returned 1 [0237.541] GetFileType (hFile=0x44c) returned 0x1 [0237.541] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x168c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0237.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0237.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0237.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9798 | out: pbBuffer=0x128e9798) returned 1 [0237.542] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.542] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.542] WriteFile (in: hFile=0x450, lpBuffer=0x12afe000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12afe000*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.542] CloseHandle (hObject=0x450) returned 1 [0237.543] CloseHandle (hObject=0x44c) returned 1 [0237.543] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e97b0 | out: pbBuffer=0x128e97b0) returned 1 [0237.543] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\#_THIS_FILE_IS_ENCRYPTED_[91B64213EE2DE055]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\#_this_file_is_encrypted_[91b64213ee2de055]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.640] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0237.720] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0237.741] SetEvent (hEvent=0x420) returned 1 [0237.741] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.742] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.742] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75cf4da3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x75cf4da3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76015f2a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0237.742] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0237.742] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0237.742] ReadFile (in: hFile=0x44c, lpBuffer=0x12c5c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c5c000*, lpNumberOfBytesRead=0x1282fd1c*=0x152c0, lpOverlapped=0x0) returned 1 [0237.756] GetFileType (hFile=0x44c) returned 0x1 [0237.756] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.756] WriteFile (in: hFile=0x44c, lpBuffer=0x12b8a000*, nNumberOfBytesToWrite=0x152c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b8a000*, lpNumberOfBytesWritten=0x1282fd00*=0x152c0, lpOverlapped=0x1282fd0c) returned 1 [0237.757] GetFileType (hFile=0x44c) returned 0x1 [0237.757] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x152c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.757] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0237.757] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0237.757] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0237.757] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0237.757] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.758] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.758] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0237.758] CloseHandle (hObject=0x450) returned 1 [0237.758] CloseHandle (hObject=0x44c) returned 1 [0237.758] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0237.758] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\#_THIS_FILE_IS_ENCRYPTED_[197B93094EE87A58]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\#_this_file_is_encrypted_[197b93094ee87a58]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.789] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0237.878] SetEvent (hEvent=0xfc) returned 1 [0237.878] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.880] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a69d0c | out: lpMode=0x12a69d0c) returned 0 [0237.880] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a69ad0 | out: lpFileInformation=0x12a69ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78176e22, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7820f937, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0237.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0237.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849270 | out: pbBuffer=0x12849270) returned 1 [0237.880] ReadFile (in: hFile=0x44c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a69d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a69d1c*=0x140c0, lpOverlapped=0x0) returned 1 [0237.895] GetFileType (hFile=0x44c) returned 0x1 [0237.895] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a69ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.895] WriteFile (in: hFile=0x44c, lpBuffer=0x129b4000*, nNumberOfBytesToWrite=0x140c0, lpNumberOfBytesWritten=0x12a69d00, lpOverlapped=0x12a69d0c | out: lpBuffer=0x129b4000*, lpNumberOfBytesWritten=0x12a69d00*=0x140c0, lpOverlapped=0x12a69d0c) returned 1 [0237.895] GetFileType (hFile=0x44c) returned 0x1 [0237.896] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x140c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a69ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0237.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0237.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0237.897] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849358 | out: pbBuffer=0x12849358) returned 1 [0237.897] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.897] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a69d0c | out: lpMode=0x12a69d0c) returned 0 [0237.897] WriteFile (in: hFile=0x450, lpBuffer=0x12b86000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a69d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b86000*, lpNumberOfBytesWritten=0x12a69d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.897] CloseHandle (hObject=0x450) returned 1 [0237.899] CloseHandle (hObject=0x44c) returned 1 [0237.899] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849380 | out: pbBuffer=0x12849380) returned 1 [0237.900] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\#_THIS_FILE_IS_ENCRYPTED_[0A5EA117B067F4FB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\#_this_file_is_encrypted_[0a5ea117b067f4fb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.041] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.067] SetEvent (hEvent=0x420) returned 1 [0238.067] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.068] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0238.068] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c23223, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79c23223, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79cbbda6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ac0)) returned 1 [0238.068] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88200 | out: pbBuffer=0x12b88200) returned 1 [0238.068] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128493f8 | out: pbBuffer=0x128493f8) returned 1 [0238.068] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0238.073] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.073] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0238.073] SetEvent (hEvent=0x110) returned 1 [0238.073] SetEvent (hEvent=0x420) returned 1 [0238.073] ReadFile (in: hFile=0x44c, lpBuffer=0x12cdc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cdc000*, lpNumberOfBytesRead=0x12a63d1c*=0x14ac0, lpOverlapped=0x0) returned 1 [0238.081] GetFileType (hFile=0x44c) returned 0x1 [0238.081] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.081] WriteFile (in: hFile=0x44c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x14ac0, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a63d00*=0x14ac0, lpOverlapped=0x12a63d0c) returned 1 [0238.082] GetFileType (hFile=0x44c) returned 0x1 [0238.082] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x14ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.082] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0238.082] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0238.082] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0238.095] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849530 | out: pbBuffer=0x12849530) returned 1 [0238.095] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.096] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0238.096] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b86500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b86500*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.096] CloseHandle (hObject=0x3e4) returned 1 [0238.096] CloseHandle (hObject=0x44c) returned 1 [0238.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849548 | out: pbBuffer=0x12849548) returned 1 [0238.097] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\#_THIS_FILE_IS_ENCRYPTED_[42C68A71906009E8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\#_this_file_is_encrypted_[42c68a71906009e8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.099] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0238.111] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.111] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0238.111] SetEvent (hEvent=0x40c) returned 1 [0238.111] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0238.120] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.120] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.121] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.121] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b33be0e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b33be0e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b420d9c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0238.121] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0238.121] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0238.121] ReadFile (in: hFile=0x42c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x1282fd1c*=0x158c0, lpOverlapped=0x0) returned 1 [0238.140] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.159] GetFileType (hFile=0x42c) returned 0x1 [0238.159] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.159] WriteFile (in: hFile=0x42c, lpBuffer=0x12bca000*, nNumberOfBytesToWrite=0x158c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12bca000*, lpNumberOfBytesWritten=0x1282fd00*=0x158c0, lpOverlapped=0x1282fd0c) returned 1 [0238.160] GetFileType (hFile=0x42c) returned 0x1 [0238.160] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x158c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0238.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0238.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0238.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341c8 | out: pbBuffer=0x12c341c8) returned 1 [0238.160] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.160] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.160] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a60500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0238.161] CloseHandle (hObject=0x3e4) returned 1 [0238.161] CloseHandle (hObject=0x42c) returned 1 [0238.161] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341e0 | out: pbBuffer=0x12c341e0) returned 1 [0238.161] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\#_THIS_FILE_IS_ENCRYPTED_[7EE5631658AB5322]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\#_this_file_is_encrypted_[7ee5631658ab5322]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.162] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.173] SetEvent (hEvent=0xfc) returned 1 [0238.173] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.174] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a69d0c | out: lpMode=0x12a69d0c) returned 0 [0238.174] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a69ad0 | out: lpFileInformation=0x12a69ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ec4e3f5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ec4e3f5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8031affd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x176c0)) returned 1 [0238.177] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98420 | out: pbBuffer=0x12a98420) returned 1 [0238.177] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34228 | out: pbBuffer=0x12c34228) returned 1 [0238.177] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a69d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a69d1c*=0x176c0, lpOverlapped=0x0) returned 1 [0238.188] GetFileType (hFile=0x42c) returned 0x1 [0238.188] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a69ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.188] WriteFile (in: hFile=0x42c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x176c0, lpNumberOfBytesWritten=0x12a69d00, lpOverlapped=0x12a69d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12a69d00*=0x176c0, lpOverlapped=0x12a69d0c) returned 1 [0238.189] GetFileType (hFile=0x42c) returned 0x1 [0238.189] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x176c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a69ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0238.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0238.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0238.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c342e0 | out: pbBuffer=0x12c342e0) returned 1 [0238.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.190] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a69d0c | out: lpMode=0x12a69d0c) returned 0 [0238.190] WriteFile (in: hFile=0x450, lpBuffer=0x12a60a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a69d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60a00*, lpNumberOfBytesWritten=0x12a69d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.190] CloseHandle (hObject=0x450) returned 1 [0238.190] CloseHandle (hObject=0x42c) returned 1 [0238.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342f8 | out: pbBuffer=0x12c342f8) returned 1 [0238.190] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\#_THIS_FILE_IS_ENCRYPTED_[42F1F720A88FBB21]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\#_this_file_is_encrypted_[42f1f720a88fbb21]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.209] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.210] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.210] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x806d483e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x806d483e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80a1bf57, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0)) returned 1 [0238.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e800 | out: pbBuffer=0x1280e800) returned 1 [0238.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128489b8 | out: pbBuffer=0x128489b8) returned 1 [0238.210] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0238.223] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0238.223] SetEvent (hEvent=0x110) returned 1 [0238.223] SetEvent (hEvent=0xfc) returned 1 [0238.223] ReadFile (in: hFile=0x42c, lpBuffer=0x1294e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x1294e000*, lpNumberOfBytesRead=0x1282fd1c*=0x180c0, lpOverlapped=0x0) returned 1 [0238.231] GetFileType (hFile=0x42c) returned 0x1 [0238.231] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.231] WriteFile (in: hFile=0x42c, lpBuffer=0x1298e000*, nNumberOfBytesToWrite=0x180c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x1298e000*, lpNumberOfBytesWritten=0x1282fd00*=0x180c0, lpOverlapped=0x1282fd0c) returned 1 [0238.232] GetFileType (hFile=0x42c) returned 0x1 [0238.232] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x180c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0238.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835001 | out: pbBuffer=0x12835001) returned 1 [0238.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835101 | out: pbBuffer=0x12835101) returned 1 [0238.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848aa0 | out: pbBuffer=0x12848aa0) returned 1 [0238.233] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.233] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.233] WriteFile (in: hFile=0x3e4, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0238.234] CloseHandle (hObject=0x3e4) returned 1 [0238.234] CloseHandle (hObject=0x42c) returned 1 [0238.234] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ab8 | out: pbBuffer=0x12848ab8) returned 1 [0238.234] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\#_THIS_FILE_IS_ENCRYPTED_[437BE14038B1451A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\#_this_file_is_encrypted_[437be14038b1451a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.237] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0238.246] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0238.246] SetEvent (hEvent=0x19c) returned 1 [0238.246] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0238.265] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.265] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.266] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0238.266] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81a0d6f7, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81a0d6f7, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81b3eb6a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0238.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0238.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0238.266] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12925d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0238.282] GetFileType (hFile=0x3e4) returned 0x1 [0238.282] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.282] WriteFile (in: hFile=0x3e4, lpBuffer=0x12bc4000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12bc4000*, lpNumberOfBytesWritten=0x12925d00*=0x160c0, lpOverlapped=0x12925d0c) returned 1 [0238.283] GetFileType (hFile=0x3e4) returned 0x1 [0238.283] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.283] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0238.283] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0238.283] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0238.283] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0238.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.285] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0238.285] WriteFile (in: hFile=0x42c, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.285] CloseHandle (hObject=0x42c) returned 1 [0238.285] CloseHandle (hObject=0x3e4) returned 1 [0238.285] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0238.286] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\#_THIS_FILE_IS_ENCRYPTED_[400CE29ED7C43CD1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\#_this_file_is_encrypted_[400ce29ed7c43cd1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.287] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.294] SetEvent (hEvent=0x19c) returned 1 [0238.294] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.294] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0238.295] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ef8607, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81ef8607, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x827e93a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0238.295] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928260 | out: pbBuffer=0x12928260) returned 1 [0238.295] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0238.295] ReadFile (in: hFile=0x44c, lpBuffer=0x12d1c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d1c000*, lpNumberOfBytesRead=0x12927d1c*=0x158c0, lpOverlapped=0x0) returned 1 [0238.309] GetFileType (hFile=0x44c) returned 0x1 [0238.309] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.309] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x158c0, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12927d00*=0x158c0, lpOverlapped=0x12927d0c) returned 1 [0238.310] GetFileType (hFile=0x44c) returned 0x1 [0238.310] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x158c0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0238.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0238.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0238.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8428 | out: pbBuffer=0x128e8428) returned 1 [0238.310] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.310] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0238.311] WriteFile (in: hFile=0x42c, lpBuffer=0x12c36500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c36500*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.311] CloseHandle (hObject=0x42c) returned 1 [0238.311] CloseHandle (hObject=0x44c) returned 1 [0238.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8440 | out: pbBuffer=0x128e8440) returned 1 [0238.311] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\#_THIS_FILE_IS_ENCRYPTED_[5B9D0FD75753C799]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\#_this_file_is_encrypted_[5b9d0fd75753c799]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.312] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.312] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.312] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x834939f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x834939f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8352c4e5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x126c0)) returned 1 [0238.313] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284a0 | out: pbBuffer=0x129284a0) returned 1 [0238.313] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8488 | out: pbBuffer=0x128e8488) returned 1 [0238.313] ReadFile (in: hFile=0x44c, lpBuffer=0x12d68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d68000*, lpNumberOfBytesRead=0x1282fd1c*=0x126c0, lpOverlapped=0x0) returned 1 [0238.351] GetFileType (hFile=0x44c) returned 0x1 [0238.351] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.351] WriteFile (in: hFile=0x44c, lpBuffer=0x12d52000*, nNumberOfBytesToWrite=0x126c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12d52000*, lpNumberOfBytesWritten=0x1282fd00*=0x126c0, lpOverlapped=0x1282fd0c) returned 1 [0238.352] GetFileType (hFile=0x44c) returned 0x1 [0238.352] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x126c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0238.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0238.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0238.353] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8540 | out: pbBuffer=0x128e8540) returned 1 [0238.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.353] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.353] WriteFile (in: hFile=0x42c, lpBuffer=0x12c36a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c36a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0238.353] CloseHandle (hObject=0x42c) returned 1 [0238.353] CloseHandle (hObject=0x44c) returned 1 [0238.354] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8558 | out: pbBuffer=0x128e8558) returned 1 [0238.354] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\#_THIS_FILE_IS_ENCRYPTED_[BBA4DFD4B33A2EE7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\#_this_file_is_encrypted_[bba4dfd4b33a2ee7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.438] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.769] SetEvent (hEvent=0x420) returned 1 [0238.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0238.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab01 | out: pbBuffer=0x1286ab01) returned 1 [0238.770] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0238.770] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c347d8 | out: pbBuffer=0x12c347d8) returned 1 [0238.770] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0238.771] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0238.771] WriteFile (in: hFile=0x458, lpBuffer=0x12a6e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6e500*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.771] CloseHandle (hObject=0x458) returned 1 [0238.771] CloseHandle (hObject=0x42c) returned 1 [0238.771] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c347f0 | out: pbBuffer=0x12c347f0) returned 1 [0238.771] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\#_THIS_FILE_IS_ENCRYPTED_[780A000D706B0776]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\#_this_file_is_encrypted_[780a000d706b0776]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.773] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.775] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0238.775] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeaa3767, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdeaa3767, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdee62eb6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0238.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88620 | out: pbBuffer=0x12b88620) returned 1 [0238.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34838 | out: pbBuffer=0x12c34838) returned 1 [0238.776] ReadFile (in: hFile=0x42c, lpBuffer=0x12cba000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cba000*, lpNumberOfBytesRead=0x12857d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0238.789] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.809] SetEvent (hEvent=0x420) returned 1 [0238.809] GetFileType (hFile=0x42c) returned 0x1 [0238.809] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.809] WriteFile (in: hFile=0x42c, lpBuffer=0x12cfa000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12cfa000*, lpNumberOfBytesWritten=0x12857d00*=0x156c0, lpOverlapped=0x12857d0c) returned 1 [0238.810] GetFileType (hFile=0x42c) returned 0x1 [0238.810] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0238.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0238.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0238.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e96d8 | out: pbBuffer=0x128e96d8) returned 1 [0238.811] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.812] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0238.812] WriteFile (in: hFile=0x44c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.812] CloseHandle (hObject=0x44c) returned 1 [0238.812] CloseHandle (hObject=0x42c) returned 1 [0238.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e96f0 | out: pbBuffer=0x128e96f0) returned 1 [0238.812] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\#_THIS_FILE_IS_ENCRYPTED_[FB503359B9DA39AB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\#_this_file_is_encrypted_[fb503359b9da39ab]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.814] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0238.843] SetEvent (hEvent=0x420) returned 1 [0238.843] SetEvent (hEvent=0xfc) returned 1 [0238.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0238.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0238.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0238.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848580 | out: pbBuffer=0x12848580) returned 1 [0238.844] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.844] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0238.844] WriteFile (in: hFile=0x42c, lpBuffer=0x12a6e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6e000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.845] CloseHandle (hObject=0x42c) returned 1 [0238.845] CloseHandle (hObject=0x450) returned 1 [0238.845] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848598 | out: pbBuffer=0x12848598) returned 1 [0238.845] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\#_THIS_FILE_IS_ENCRYPTED_[031D32C58A25A91B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\#_this_file_is_encrypted_[031d32c58a25a91b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0238.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0238.848] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0238.848] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848908 | out: pbBuffer=0x12848908) returned 1 [0238.848] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.848] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0238.848] WriteFile (in: hFile=0x450, lpBuffer=0x12a6ea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6ea00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.848] CloseHandle (hObject=0x450) returned 1 [0238.849] CloseHandle (hObject=0x3e4) returned 1 [0238.849] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848940 | out: pbBuffer=0x12848940) returned 1 [0238.849] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\#_THIS_FILE_IS_ENCRYPTED_[DCA77CA27CA0BB36]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\#_this_file_is_encrypted_[dca77ca27ca0bb36]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf0b004c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0443839, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0443839, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.851] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.851] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf0b004c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdf0b004c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0443839, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0238.851] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf0b004c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdf0b004c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0443839, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.851] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0443839, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0443839, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe07b0e0d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.851] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.851] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0238.851] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.852] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.852] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.852] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.853] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.854] CloseHandle (hObject=0x3e4) returned 1 [0238.854] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0443839, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0443839, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe07b0e0d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0238.855] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe086faec, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0b90d17, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0b90d17, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.855] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.855] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe086faec, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe086faec, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0b90d17, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.855] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe086faec, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe086faec, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0b90d17, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.855] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0b90d17, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0b90d17, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0d5aa8c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.855] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.856] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.856] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.856] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.856] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.857] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.858] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.860] CloseHandle (hObject=0x3e4) returned 1 [0238.860] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0b90d17, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0b90d17, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0d5aa8c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0238.924] SetEvent (hEvent=0xfc) returned 1 [0238.924] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0df3254, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe12dddac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe12dddac, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.924] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.924] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0df3254, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0df3254, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe12dddac, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0238.925] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0df3254, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0df3254, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe12dddac, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.925] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe12dddac, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe12dddac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1697913, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.925] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.925] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0238.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.926] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.926] WriteFile (in: hFile=0x450, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.928] CloseHandle (hObject=0x450) returned 1 [0238.928] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe12dddac, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe12dddac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1697913, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0238.928] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170a286, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1a9d74e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1a9d74e, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.929] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.947] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170a286, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe170a286, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1a9d74e, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0238.948] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170a286, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe170a286, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1a9d74e, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.948] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1a9d74e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1a9d74e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1e310fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.948] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.948] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0238.948] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.949] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.949] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.950] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.950] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.952] CloseHandle (hObject=0x42c) returned 1 [0238.952] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1a9d74e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1a9d74e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1e310fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0238.969] SetEvent (hEvent=0xfc) returned 1 [0238.969] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1f885e4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe22f5ba3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe22f5ba3, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.974] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.974] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1f885e4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1f885e4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe22f5ba3, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0238.975] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1f885e4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1f885e4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe22f5ba3, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.975] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe22f5ba3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe22f5ba3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe25584f2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.975] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.975] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0238.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.975] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.975] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.977] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.977] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.978] CloseHandle (hObject=0x3e4) returned 1 [0238.979] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe22f5ba3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe22f5ba3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe25584f2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0238.979] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe25f0e6c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe28ebb97, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe28ebb97, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.979] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.979] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe25f0e6c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe25f0e6c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe28ebb97, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0238.980] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe25f0e6c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe25f0e6c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe28ebb97, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.980] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe28ebb97, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe28ebb97, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2c590be, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.980] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.980] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0238.980] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.981] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.982] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.984] CloseHandle (hObject=0x3e4) returned 1 [0238.984] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe28ebb97, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe28ebb97, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2c590be, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0238.984] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2e05889, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe597b70f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe597b70f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.985] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.985] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2e05889, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe2e05889, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe597b70f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.985] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2e05889, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe2e05889, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe597b70f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.985] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe597b70f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe597b70f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe663028c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.985] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.986] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.986] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.986] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.986] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.987] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.987] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.989] CloseHandle (hObject=0x3e4) returned 1 [0238.989] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe597b70f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe597b70f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe663028c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0239.004] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0239.076] SetEvent (hEvent=0xfc) returned 1 [0239.076] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe67616a6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe6a82a2d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe6a82a2d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0239.076] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0239.077] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe67616a6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe67616a6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe6a82a2d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0239.077] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe67616a6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe67616a6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe6a82a2d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0239.077] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a82a2d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe6a82a2d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe702bf73, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0239.077] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0239.077] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0239.077] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0239.077] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0239.078] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0239.079] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0239.079] WriteFile (in: hFile=0x450, lpBuffer=0x12b16000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12b16000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0239.081] CloseHandle (hObject=0x450) returned 1 [0239.081] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a82a2d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe6a82a2d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe702bf73, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0239.082] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7458572, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe791d114, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe791d114, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0239.084] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0239.085] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7458572, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7458572, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe791d114, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0239.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7458572, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7458572, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe791d114, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0239.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe791d114, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe791d114, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7ba5701, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0239.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0239.085] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0239.085] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0239.085] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0239.085] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0239.086] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0239.086] WriteFile (in: hFile=0x450, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0239.088] CloseHandle (hObject=0x450) returned 1 [0239.088] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe791d114, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe791d114, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7ba5701, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0239.089] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7c3dff7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7f391d8, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7f391d8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0239.090] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0239.090] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7c3dff7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7c3dff7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7f391d8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0239.090] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7c3dff7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7c3dff7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7f391d8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0239.091] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f391d8, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7f391d8, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe83b18d7, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0239.091] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0239.091] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0239.091] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0239.091] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0239.091] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0239.092] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0239.092] WriteFile (in: hFile=0x450, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0239.094] CloseHandle (hObject=0x450) returned 1 [0239.094] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f391d8, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7f391d8, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe83b18d7, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0239.094] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0239.095] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0239.095] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe791d114, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe791d114, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7ba5701, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0239.095] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0239.095] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810980 | out: pbBuffer=0x12810980) returned 1 [0239.095] ReadFile (in: hFile=0x450, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12829d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0239.110] GetFileType (hFile=0x450) returned 0x1 [0239.110] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.111] WriteFile (in: hFile=0x450, lpBuffer=0x12b8a000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b8a000*, lpNumberOfBytesWritten=0x12829d00*=0x156c0, lpOverlapped=0x12829d0c) returned 1 [0239.112] GetFileType (hFile=0x450) returned 0x1 [0239.112] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.112] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0239.112] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0239.112] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0239.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810a38 | out: pbBuffer=0x12810a38) returned 1 [0239.113] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0239.113] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0239.113] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0239.118] CloseHandle (hObject=0x44c) returned 1 [0239.118] CloseHandle (hObject=0x450) returned 1 [0239.118] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810a50 | out: pbBuffer=0x12810a50) returned 1 [0239.118] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\#_THIS_FILE_IS_ENCRYPTED_[DEA915EA4BD28EC9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\#_this_file_is_encrypted_[dea915ea4bd28ec9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0239.120] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0239.121] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0239.121] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f391d8, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7f391d8, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe83b18d7, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0239.121] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0239.121] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810a98 | out: pbBuffer=0x12810a98) returned 1 [0239.121] ReadFile (in: hFile=0x450, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x162c0, lpOverlapped=0x0) returned 1 [0239.144] GetFileType (hFile=0x450) returned 0x1 [0239.144] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.144] WriteFile (in: hFile=0x450, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x162c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12829d00*=0x162c0, lpOverlapped=0x12829d0c) returned 1 [0239.145] GetFileType (hFile=0x450) returned 0x1 [0239.145] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x162c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.145] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0239.145] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0239.145] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0239.145] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810b50 | out: pbBuffer=0x12810b50) returned 1 [0239.146] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0239.146] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0239.146] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0239.146] CloseHandle (hObject=0x3e4) returned 1 [0239.146] CloseHandle (hObject=0x450) returned 1 [0239.146] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b68 | out: pbBuffer=0x12810b68) returned 1 [0239.146] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\#_THIS_FILE_IS_ENCRYPTED_[CEEA0999BEF6F8DF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\#_this_file_is_encrypted_[ceea0999bef6f8df]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0239.217] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0239.291] SetEvent (hEvent=0x1d0) returned 1 [0239.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0239.292] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0239.293] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe905bcdb, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe905bcdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xea041623, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0239.293] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88200 | out: pbBuffer=0x12b88200) returned 1 [0239.293] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0239.293] ReadFile (in: hFile=0x450, lpBuffer=0x129e0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x129e0000*, lpNumberOfBytesRead=0x12b05d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0239.575] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0240.692] GetFileType (hFile=0x450) returned 0x1 [0240.693] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a87ce4 | out: lpNewFilePointer=0x0) returned 1 [0240.693] WriteFile (in: hFile=0x450, lpBuffer=0x12c94000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12a87d00, lpOverlapped=0x12a87d0c | out: lpBuffer=0x12c94000*, lpNumberOfBytesWritten=0x12a87d00*=0x15ac0, lpOverlapped=0x12a87d0c) returned 1 [0240.694] GetFileType (hFile=0x450) returned 0x1 [0240.694] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12a87ce4 | out: lpNewFilePointer=0x0) returned 1 [0241.093] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0241.309] SetEvent (hEvent=0xfc) returned 1 [0241.439] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0241.441] CloseHandle (hObject=0x42c) returned 1 [0241.630] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0502516, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0502516, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0764d71, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0242.028] SetEvent (hEvent=0xfc) returned 1 [0242.045] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcp120.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b23a97, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6b23a97, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9af8e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0)) returned 1 [0242.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcr120.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2aa39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb2aa39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xc8b7ea2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0)) returned 1 [0242.154] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0242.155] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0242.156] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcp120.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a97ad0 | out: lpFileInformation=0x12a97ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b23a97, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6b23a97, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9af8e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0)) returned 1 [0242.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0242.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ba0 | out: pbBuffer=0x12810ba0) returned 1 [0242.158] ReadFile (in: hFile=0x3e4, lpBuffer=0x129b8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a97d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b8000*, lpNumberOfBytesRead=0x12a97d1c*=0x20000, lpOverlapped=0x0) returned 1 [0242.529] GetFileType (hFile=0x3e4) returned 0x1 [0242.529] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0242.529] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a97d00, lpOverlapped=0x12a97d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12a97d00*=0x20000, lpOverlapped=0x12a97d0c) returned 1 [0242.530] GetFileType (hFile=0x3e4) returned 0x1 [0242.530] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0242.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0242.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0242.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0242.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810c58 | out: pbBuffer=0x12810c58) returned 1 [0242.696] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcp120.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0242.698] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0242.698] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a97d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a97d0c*=0x276, lpOverlapped=0x0) returned 1 [0242.822] CloseHandle (hObject=0x458) returned 1 [0242.822] CloseHandle (hObject=0x3e4) returned 1 [0242.822] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c70 | out: pbBuffer=0x12810c70) returned 1 [0242.822] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcp120.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[B9FA0C81D9AA720E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[b9fa0c81d9aa720e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0242.824] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0242.825] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0242.825] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcr120.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a97ad0 | out: lpFileInformation=0x12a97ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2aa39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb2aa39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xc8b7ea2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0)) returned 1 [0242.825] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e560 | out: pbBuffer=0x1280e560) returned 1 [0242.825] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810cb8 | out: pbBuffer=0x12810cb8) returned 1 [0242.826] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a97d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a97d1c*=0x20000, lpOverlapped=0x0) returned 1 [0242.881] GetFileType (hFile=0x3e4) returned 0x1 [0242.881] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0242.881] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a97d00, lpOverlapped=0x12a97d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a97d00*=0x20000, lpOverlapped=0x12a97d0c) returned 1 [0242.882] GetFileType (hFile=0x3e4) returned 0x1 [0242.882] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0242.882] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0242.882] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0242.882] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0242.883] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810d80 | out: pbBuffer=0x12810d80) returned 1 [0242.883] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcr120.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0242.883] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0242.883] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a97d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a97d0c*=0x276, lpOverlapped=0x0) returned 1 [0242.890] CloseHandle (hObject=0x42c) returned 1 [0242.891] CloseHandle (hObject=0x3e4) returned 1 [0242.891] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810d98 | out: pbBuffer=0x12810d98) returned 1 [0242.891] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcr120.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[0F65926365BF743E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[0f65926365bf743e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.011] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.038] SetEvent (hEvent=0xfc) returned 1 [0243.038] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.039] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1298fd0c | out: lpMode=0x1298fd0c) returned 0 [0243.039] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1298fad0 | out: lpFileInformation=0x1298fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b36552, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf1b36552, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf34924de, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0243.039] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0243.039] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34478 | out: pbBuffer=0x12c34478) returned 1 [0243.040] ReadFile (in: hFile=0x3e4, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1298fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x1298fd1c*=0x164c0, lpOverlapped=0x0) returned 1 [0243.051] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.100] SetEvent (hEvent=0x420) returned 1 [0243.101] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.139] SetEvent (hEvent=0x19c) returned 1 [0243.139] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.146] SetEvent (hEvent=0x19c) returned 1 [0243.146] SwitchToThread () returned 1 [0243.156] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.200] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.219] SetEvent (hEvent=0x1d0) returned 1 [0243.219] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.220] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12993d0c | out: lpMode=0x12993d0c) returned 0 [0243.220] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12993ad0 | out: lpFileInformation=0x12993ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabcf838, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xabcf838, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xb5f1603, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0243.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0243.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0243.220] ReadFile (in: hFile=0x458, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12993d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12993d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0243.229] GetFileType (hFile=0x458) returned 0x1 [0243.230] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12993ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.230] WriteFile (in: hFile=0x458, lpBuffer=0x12c06000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12993d00, lpOverlapped=0x12993d0c | out: lpBuffer=0x12c06000*, lpNumberOfBytesWritten=0x12993d00*=0x160c0, lpOverlapped=0x12993d0c) returned 1 [0243.261] GetFileType (hFile=0x458) returned 0x1 [0243.261] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12993ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.261] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0243.262] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0243.262] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0243.262] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810450 | out: pbBuffer=0x12810450) returned 1 [0243.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.263] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12993d0c | out: lpMode=0x12993d0c) returned 0 [0243.263] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12993d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12993d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.282] CloseHandle (hObject=0x44c) returned 1 [0243.282] CloseHandle (hObject=0x458) returned 1 [0243.288] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810468 | out: pbBuffer=0x12810468) returned 1 [0243.288] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\#_THIS_FILE_IS_ENCRYPTED_[DB2B32B05DF02089]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\#_this_file_is_encrypted_[db2b32b05df02089]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.309] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.327] SetEvent (hEvent=0x1d0) returned 1 [0243.327] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.328] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0243.328] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a97ad0 | out: lpFileInformation=0x12a97ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x148de442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x148de442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x14ace4c5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0243.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e540 | out: pbBuffer=0x1280e540) returned 1 [0243.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104b0 | out: pbBuffer=0x128104b0) returned 1 [0243.328] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a97d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a97d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0243.337] GetFileType (hFile=0x3e4) returned 0x1 [0243.337] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.337] WriteFile (in: hFile=0x3e4, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12a97d00, lpOverlapped=0x12a97d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12a97d00*=0x15ec0, lpOverlapped=0x12a97d0c) returned 1 [0243.347] GetFileType (hFile=0x3e4) returned 0x1 [0243.347] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0243.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0243.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0243.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810568 | out: pbBuffer=0x12810568) returned 1 [0243.348] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.348] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0243.348] WriteFile (in: hFile=0x458, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a97d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a97d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.369] CloseHandle (hObject=0x458) returned 1 [0243.370] CloseHandle (hObject=0x3e4) returned 1 [0243.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ed0 | out: pbBuffer=0x12849ed0) returned 1 [0243.430] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\#_THIS_FILE_IS_ENCRYPTED_[954EFF21A3D77975]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\#_this_file_is_encrypted_[954eff21a3d77975]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.452] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.472] SetEvent (hEvent=0xfc) returned 1 [0243.472] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.473] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a93d0c | out: lpMode=0x12a93d0c) returned 0 [0243.473] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a93ad0 | out: lpFileInformation=0x12a93ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f710191, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1f710191, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1fe3748c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0243.473] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0243.473] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0243.473] ReadFile (in: hFile=0x44c, lpBuffer=0x12c9c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a93d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c9c000*, lpNumberOfBytesRead=0x12a93d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0243.501] GetFileType (hFile=0x44c) returned 0x1 [0243.501] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a93ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.502] WriteFile (in: hFile=0x44c, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12a93d00, lpOverlapped=0x12a93d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12a93d00*=0x15ac0, lpOverlapped=0x12a93d0c) returned 1 [0243.502] GetFileType (hFile=0x44c) returned 0x1 [0243.503] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12a93ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0243.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0243.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0243.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0243.504] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.504] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a93d0c | out: lpMode=0x12a93d0c) returned 0 [0243.504] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a93d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a93d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.504] CloseHandle (hObject=0x42c) returned 1 [0243.504] CloseHandle (hObject=0x44c) returned 1 [0243.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0243.505] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\#_THIS_FILE_IS_ENCRYPTED_[5CFF35490E2C088E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\#_this_file_is_encrypted_[5cff35490e2c088e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.506] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.525] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.539] SetEvent (hEvent=0xfc) returned 1 [0243.539] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.540] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a93d0c | out: lpMode=0x12a93d0c) returned 0 [0243.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a93ad0 | out: lpFileInformation=0x12a93ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25f77c72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25f77c72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262e4835, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0243.540] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0243.540] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0243.540] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a93d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12a93d1c*=0x168c0, lpOverlapped=0x0) returned 1 [0243.554] GetFileType (hFile=0x3e4) returned 0x1 [0243.554] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a93ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.554] WriteFile (in: hFile=0x3e4, lpBuffer=0x129d8000*, nNumberOfBytesToWrite=0x168c0, lpNumberOfBytesWritten=0x12a93d00, lpOverlapped=0x12a93d0c | out: lpBuffer=0x129d8000*, lpNumberOfBytesWritten=0x12a93d00*=0x168c0, lpOverlapped=0x12a93d0c) returned 1 [0243.555] GetFileType (hFile=0x3e4) returned 0x1 [0243.555] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x168c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a93ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.555] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0243.555] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0243.555] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0243.556] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341d8 | out: pbBuffer=0x12c341d8) returned 1 [0243.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.556] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a93d0c | out: lpMode=0x12a93d0c) returned 0 [0243.556] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a93d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a93d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.556] CloseHandle (hObject=0x42c) returned 1 [0243.556] CloseHandle (hObject=0x3e4) returned 1 [0243.556] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341f0 | out: pbBuffer=0x12c341f0) returned 1 [0243.556] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\#_THIS_FILE_IS_ENCRYPTED_[910AEEC9D825343F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\#_this_file_is_encrypted_[910aeec9d825343f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.598] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.809] SetEvent (hEvent=0x19c) returned 1 [0243.809] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.810] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0243.810] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a97ad0 | out: lpFileInformation=0x12a97ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x281e3bed, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x281e3bed, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28445fae, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0243.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0243.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811510 | out: pbBuffer=0x12811510) returned 1 [0243.810] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0243.818] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.818] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0243.819] SetEvent (hEvent=0x110) returned 1 [0243.819] SetEvent (hEvent=0x19c) returned 1 [0243.820] ReadFile (in: hFile=0x3e4, lpBuffer=0x12cbc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a97d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cbc000*, lpNumberOfBytesRead=0x12a97d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0243.829] GetFileType (hFile=0x3e4) returned 0x1 [0243.829] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.830] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a30000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12a97d00, lpOverlapped=0x12a97d0c | out: lpBuffer=0x12a30000*, lpNumberOfBytesWritten=0x12a97d00*=0x156c0, lpOverlapped=0x12a97d0c) returned 1 [0243.831] GetFileType (hFile=0x3e4) returned 0x1 [0243.831] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0243.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0243.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0243.832] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128115c8 | out: pbBuffer=0x128115c8) returned 1 [0243.832] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.833] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0243.833] WriteFile (in: hFile=0x458, lpBuffer=0x12d02000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a97d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d02000*, lpNumberOfBytesWritten=0x12a97d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.833] CloseHandle (hObject=0x458) returned 1 [0243.833] CloseHandle (hObject=0x3e4) returned 1 [0243.833] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128115e0 | out: pbBuffer=0x128115e0) returned 1 [0243.833] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\#_THIS_FILE_IS_ENCRYPTED_[6125247C58C2C34B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\#_this_file_is_encrypted_[6125247c58c2c34b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.836] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0243.850] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.850] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0243.851] SetEvent (hEvent=0x1d0) returned 1 [0243.851] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0243.866] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.867] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.868] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0243.868] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28cc4a7f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28cc4a7f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x293271fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0243.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0243.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0243.868] ReadFile (in: hFile=0x44c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282fd1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0243.890] GetFileType (hFile=0x44c) returned 0x1 [0243.891] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.891] WriteFile (in: hFile=0x44c, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x1282fd00*=0x15ac0, lpOverlapped=0x1282fd0c) returned 1 [0243.892] GetFileType (hFile=0x44c) returned 0x1 [0243.892] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0243.893] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0243.894] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0243.894] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0243.894] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.894] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0243.895] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0243.895] CloseHandle (hObject=0x3e4) returned 1 [0243.895] CloseHandle (hObject=0x44c) returned 1 [0243.895] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0243.898] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\#_THIS_FILE_IS_ENCRYPTED_[695866898597A986]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\#_this_file_is_encrypted_[695866898597a986]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.899] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0243.913] SetEvent (hEvent=0x19c) returned 1 [0243.913] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.914] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0243.914] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x297795d1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x297795d1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29ac0a15, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0243.914] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0243.914] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0243.914] ReadFile (in: hFile=0x44c, lpBuffer=0x12998000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12998000*, lpNumberOfBytesRead=0x12829d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0243.927] GetFileType (hFile=0x44c) returned 0x1 [0243.927] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.928] WriteFile (in: hFile=0x44c, lpBuffer=0x12a10000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a10000*, lpNumberOfBytesWritten=0x12829d00*=0x15ac0, lpOverlapped=0x12829d0c) returned 1 [0243.928] GetFileType (hFile=0x44c) returned 0x1 [0243.929] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.929] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0243.929] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0243.929] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0243.929] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a238 | out: pbBuffer=0x12a9a238) returned 1 [0243.930] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.930] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0243.930] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.930] CloseHandle (hObject=0x3e4) returned 1 [0243.930] CloseHandle (hObject=0x44c) returned 1 [0243.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a250 | out: pbBuffer=0x12a9a250) returned 1 [0243.931] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\#_THIS_FILE_IS_ENCRYPTED_[9928FDE3FEA356DC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\#_this_file_is_encrypted_[9928fde3fea356dc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.006] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.123] SetEvent (hEvent=0xfc) returned 1 [0244.123] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.139] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0244.139] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x214b780e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x214b780e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x22a78c0e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40)) returned 1 [0244.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e580 | out: pbBuffer=0x1280e580) returned 1 [0244.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811330 | out: pbBuffer=0x12811330) returned 1 [0244.140] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12857d1c*=0x20000, lpOverlapped=0x0) returned 1 [0244.159] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.170] GetFileType (hFile=0x42c) returned 0x1 [0244.170] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.170] WriteFile (in: hFile=0x42c, lpBuffer=0x12c9a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12c9a000*, lpNumberOfBytesWritten=0x12857d00*=0x20000, lpOverlapped=0x12857d0c) returned 1 [0244.171] GetFileType (hFile=0x42c) returned 0x1 [0244.171] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.171] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0244.172] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0244.172] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801601 | out: pbBuffer=0x12801601) returned 1 [0244.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848bc8 | out: pbBuffer=0x12848bc8) returned 1 [0244.173] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmapi.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.173] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0244.173] WriteFile (in: hFile=0x458, lpBuffer=0x12d03400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d03400*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.174] CloseHandle (hObject=0x458) returned 1 [0244.174] CloseHandle (hObject=0x42c) returned 1 [0244.174] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848be0 | out: pbBuffer=0x12848be0) returned 1 [0244.174] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmapi.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[ED9D6FD2287D2F5B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[ed9d6fd2287d2f5b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.177] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.180] SetEvent (hEvent=0xf4) returned 1 [0244.180] SetEvent (hEvent=0xfc) returned 1 [0244.181] GetFileType (hFile=0x3e4) returned 0x1 [0244.181] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0244.181] WriteFile (in: hFile=0x3e4, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x1285bd00, lpOverlapped=0x1285bd0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x1285bd00*=0x164c0, lpOverlapped=0x1285bd0c) returned 1 [0244.182] GetFileType (hFile=0x3e4) returned 0x1 [0244.182] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x1285bce4 | out: lpNewFilePointer=0x0) returned 1 [0244.182] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0244.182] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0244.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0244.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0f0 | out: pbBuffer=0x12a9a0f0) returned 1 [0244.183] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.183] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0244.183] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1285bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1285bd0c*=0x276, lpOverlapped=0x0) returned 1 [0244.184] CloseHandle (hObject=0x42c) returned 1 [0244.184] CloseHandle (hObject=0x3e4) returned 1 [0244.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a108 | out: pbBuffer=0x12a9a108) returned 1 [0244.184] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\#_THIS_FILE_IS_ENCRYPTED_[10CE4213E5F28EE4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\#_this_file_is_encrypted_[10ce4213e5f28ee4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.223] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.280] SetEvent (hEvent=0xfc) returned 1 [0244.293] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.294] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0244.294] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31566c2e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x31566c2e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x328ec16f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0244.295] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0244.295] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0244.295] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x160c0, lpOverlapped=0x0) returned 1 [0244.332] GetFileType (hFile=0x3e4) returned 0x1 [0244.332] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0244.332] WriteFile (in: hFile=0x3e4, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x1282fd00*=0x160c0, lpOverlapped=0x1282fd0c) returned 1 [0244.333] GetFileType (hFile=0x3e4) returned 0x1 [0244.333] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0244.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0244.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0244.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0244.334] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a340 | out: pbBuffer=0x12a9a340) returned 1 [0244.334] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.335] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0244.335] WriteFile (in: hFile=0x44c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0244.335] CloseHandle (hObject=0x44c) returned 1 [0244.335] CloseHandle (hObject=0x3e4) returned 1 [0244.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a358 | out: pbBuffer=0x12a9a358) returned 1 [0244.336] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\#_THIS_FILE_IS_ENCRYPTED_[0DA1F278F4B4B1E4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\#_this_file_is_encrypted_[0da1f278f4b4b1e4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.429] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.465] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.494] SetEvent (hEvent=0xfc) returned 1 [0244.494] SetEvent (hEvent=0x19c) returned 1 [0244.494] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.550] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.551] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0244.551] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a4b4493, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a4b4493, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3aad5fdc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0)) returned 1 [0244.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0244.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0244.551] ReadFile (in: hFile=0x458, lpBuffer=0x12d86000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d86000*, lpNumberOfBytesRead=0x12927d1c*=0x170c0, lpOverlapped=0x0) returned 1 [0244.602] GetFileType (hFile=0x458) returned 0x1 [0244.602] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.603] WriteFile (in: hFile=0x458, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x170c0, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12927d00*=0x170c0, lpOverlapped=0x12927d0c) returned 1 [0244.605] GetFileType (hFile=0x458) returned 0x1 [0244.605] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x170c0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.605] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0244.605] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0244.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0244.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0244.606] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0244.607] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0244.607] WriteFile (in: hFile=0x450, lpBuffer=0x12b18000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b18000*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.607] CloseHandle (hObject=0x450) returned 1 [0244.607] CloseHandle (hObject=0x458) returned 1 [0244.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848638 | out: pbBuffer=0x12848638) returned 1 [0244.607] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\#_THIS_FILE_IS_ENCRYPTED_[17902E9334BFB61A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\#_this_file_is_encrypted_[17902e9334bfb61a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.609] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.610] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.610] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd73d9d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3cd73d9d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3dcf3371, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0244.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88260 | out: pbBuffer=0x12b88260) returned 1 [0244.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848890 | out: pbBuffer=0x12848890) returned 1 [0244.610] ReadFile (in: hFile=0x458, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x154c0, lpOverlapped=0x0) returned 1 [0244.635] GetFileType (hFile=0x458) returned 0x1 [0244.635] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.635] WriteFile (in: hFile=0x458, lpBuffer=0x12a0e000*, nNumberOfBytesToWrite=0x154c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a0e000*, lpNumberOfBytesWritten=0x12829d00*=0x154c0, lpOverlapped=0x12829d0c) returned 1 [0244.636] GetFileType (hFile=0x458) returned 0x1 [0244.636] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x154c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.636] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0244.636] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0244.637] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0244.637] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128489d8 | out: pbBuffer=0x128489d8) returned 1 [0244.637] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.637] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.637] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b18500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b18500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.637] CloseHandle (hObject=0x3e4) returned 1 [0244.638] CloseHandle (hObject=0x458) returned 1 [0244.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a00 | out: pbBuffer=0x12848a00) returned 1 [0244.638] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\#_THIS_FILE_IS_ENCRYPTED_[E7C1807338EBFE99]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\#_this_file_is_encrypted_[e7c1807338ebfe99]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.670] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.687] SetEvent (hEvent=0xfc) returned 1 [0244.687] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.695] SetEvent (hEvent=0x19c) returned 1 [0244.695] SetEvent (hEvent=0xf4) returned 1 [0244.695] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.803] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.803] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0244.803] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4255e9da, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4255e9da, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4293ea9a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0244.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0244.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0244.804] ReadFile (in: hFile=0x3e4, lpBuffer=0x12970000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12970000*, lpNumberOfBytesRead=0x12851d1c*=0x154c0, lpOverlapped=0x0) returned 1 [0244.819] GetFileType (hFile=0x3e4) returned 0x1 [0244.819] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.819] WriteFile (in: hFile=0x3e4, lpBuffer=0x12d82000*, nNumberOfBytesToWrite=0x154c0, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12d82000*, lpNumberOfBytesWritten=0x12851d00*=0x154c0, lpOverlapped=0x12851d0c) returned 1 [0244.820] GetFileType (hFile=0x3e4) returned 0x1 [0244.820] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x154c0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.820] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0244.820] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0244.820] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0244.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810450 | out: pbBuffer=0x12810450) returned 1 [0244.821] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.821] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0244.821] WriteFile (in: hFile=0x44c, lpBuffer=0x12b04000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b04000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.821] CloseHandle (hObject=0x44c) returned 1 [0244.821] CloseHandle (hObject=0x3e4) returned 1 [0244.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810468 | out: pbBuffer=0x12810468) returned 1 [0244.821] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\#_THIS_FILE_IS_ENCRYPTED_[6E36C78B792345F0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\#_this_file_is_encrypted_[6e36c78b792345f0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.887] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0244.897] SetEvent (hEvent=0x19c) returned 1 [0244.897] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.897] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0244.897] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x431bcd83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x431bcd83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44031086, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0244.898] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928280 | out: pbBuffer=0x12928280) returned 1 [0244.898] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104b0 | out: pbBuffer=0x128104b0) returned 1 [0244.898] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12853d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0244.911] GetFileType (hFile=0x3e4) returned 0x1 [0244.911] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.911] WriteFile (in: hFile=0x3e4, lpBuffer=0x129f0000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x129f0000*, lpNumberOfBytesWritten=0x12853d00*=0x15cc0, lpOverlapped=0x12853d0c) returned 1 [0244.911] GetFileType (hFile=0x3e4) returned 0x1 [0244.911] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0244.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0244.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0244.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810568 | out: pbBuffer=0x12810568) returned 1 [0244.912] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0244.912] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0244.913] WriteFile (in: hFile=0x42c, lpBuffer=0x12b04500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b04500*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.913] CloseHandle (hObject=0x42c) returned 1 [0244.913] CloseHandle (hObject=0x3e4) returned 1 [0244.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810580 | out: pbBuffer=0x12810580) returned 1 [0244.914] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\#_THIS_FILE_IS_ENCRYPTED_[028C780DEC299C3C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\#_this_file_is_encrypted_[028c780dec299c3c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.946] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0245.071] SetEvent (hEvent=0x19c) returned 1 [0245.072] SetEvent (hEvent=0x3f8) returned 1 [0245.072] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0245.276] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0245.276] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0245.290] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0245.290] SetEvent (hEvent=0x3f8) returned 1 [0245.290] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0245.297] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0245.297] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0245.297] SetEvent (hEvent=0x19c) returned 1 [0245.297] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0245.318] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0245.318] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.319] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0245.319] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54c43715, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x54c43715, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x555ccdf4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0)) returned 1 [0245.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0245.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0245.320] ReadFile (in: hFile=0x458, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12829d1c*=0x150c0, lpOverlapped=0x0) returned 1 [0245.355] GetFileType (hFile=0x458) returned 0x1 [0245.355] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.355] WriteFile (in: hFile=0x458, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x150c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12829d00*=0x150c0, lpOverlapped=0x12829d0c) returned 1 [0245.356] GetFileType (hFile=0x458) returned 0x1 [0245.356] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x150c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0245.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0245.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0245.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0245.357] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0245.357] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0245.357] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.357] CloseHandle (hObject=0x450) returned 1 [0245.358] CloseHandle (hObject=0x458) returned 1 [0245.358] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0245.358] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\#_THIS_FILE_IS_ENCRYPTED_[23EF958DD0656006]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\#_this_file_is_encrypted_[23ef958dd0656006]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.360] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d3dd471, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x637d9cb5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x637d9cb5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.360] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.360] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d3dd471, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d3dd471, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x637d9cb5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0245.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d3dd471, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d3dd471, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x637d9cb5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.361] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637d9cb5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x637d9cb5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63e1c02f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0245.361] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.361] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0245.361] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.361] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.361] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.362] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0245.362] WriteFile (in: hFile=0x458, lpBuffer=0x12da9300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12da9300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0245.363] CloseHandle (hObject=0x458) returned 1 [0245.363] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637d9cb5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x637d9cb5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63e1c02f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0245.416] SetEvent (hEvent=0x19c) returned 1 [0245.416] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\onedrive.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e2ad9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x12862516, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0)) returned 1 [0245.417] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.417] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.417] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0245.417] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.417] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Personal", cAlternateFileName="")) returned 1 [0245.417] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.417] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0245.418] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.419] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0245.419] WriteFile (in: hFile=0x42c, lpBuffer=0x12daa600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12daa600*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0245.421] CloseHandle (hObject=0x42c) returned 1 [0245.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.421] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.421] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0245.421] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c44d76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TraceCurrent.5892.0626.etl", cAlternateFileName="TRACEC~1.ETL")) returned 1 [0245.422] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.422] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0245.422] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.422] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.422] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.423] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0245.423] WriteFile (in: hFile=0x42c, lpBuffer=0x12dab900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12dab900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0245.425] CloseHandle (hObject=0x42c) returned 1 [0245.425] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\TraceCurrent.5892.0626.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\tracecurrent.5892.0626.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c44d76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0245.426] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b49234, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.426] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.426] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b49234, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0245.427] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b49234, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.427] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6630871f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0245.427] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.427] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0245.427] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.427] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.428] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.429] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0245.429] WriteFile (in: hFile=0x42c, lpBuffer=0x12dacc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12dacc00*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0245.431] CloseHandle (hObject=0x42c) returned 1 [0245.431] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6630871f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.432] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0245.432] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6630871f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6630871f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6630871f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66bb717b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x215e, dwReserved0=0x0, dwReserved1=0x0, cFileName="2021-02-18_130550_474-cac.log", cAlternateFileName="2021-0~2.LOG")) returned 1 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65f2e5a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x65f2e5a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f8974f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x20ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="2021-02-18_130550_ac-d08.log", cAlternateFileName="2021-0~1.LOG")) returned 1 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8805a3a7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8805a3a7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98355904, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x234b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install-PerUser_2021-02-11_125336_9c0-9f8.log", cAlternateFileName="INSTAL~2.LOG")) returned 1 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x137c38b0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x137c38b0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2b646bb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2745e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install-PerUser_2021-02-11_131859_f38-f3c.log", cAlternateFileName="INSTAL~4.LOG")) returned 1 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xced0b146, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xced0b146, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c297983, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x36366, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install-PerUser_2021-02-11_132413_e60-e64.log", cAlternateFileName="IN9480~1.LOG")) returned 1 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bb4b96d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4bb4b96d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x390a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install-PerUser_2021-02-11_132743_ca8-cac.log", cAlternateFileName="IN2849~1.LOG")) returned 1 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd27489e1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd27489e1, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x8afcf13b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5c1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install-PerUser_2021-02-11_134548_958-b14.log", cAlternateFileName="IN9042~1.LOG")) returned 1 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install_2021-02-11_125336_460-898.log", cAlternateFileName="INSTAL~1.LOG")) returned 1 [0245.450] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13219ec0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13219ec0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ae607dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install_2021-02-11_131858_ed0-ed4.log", cAlternateFileName="INSTAL~3.LOG")) returned 1 [0245.451] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce65674c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xce65674c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xed3dd471, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install_2021-02-11_132412_e10-e14.log", cAlternateFileName="IN9930~1.LOG")) returned 1 [0245.451] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b7b80c2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4b7b80c2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f5db470, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install_2021-02-11_132742_c8c-c90.log", cAlternateFileName="IN7F4F~1.LOG")) returned 1 [0245.451] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2499e2e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2499e2e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x8b2a3f4c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xfa9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Install_2021-02-11_134547_2bc-868.log", cAlternateFileName="IN58DE~1.LOG")) returned 1 [0245.451] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.451] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0245.471] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0245.473] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0245.473] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.474] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0245.475] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0245.476] CloseHandle (hObject=0x3e4) returned 1 [0245.476] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_474-cac.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6630871f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66bb717b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x215e)) returned 1 [0245.486] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0245.526] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0245.569] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_125336_9c0-9f8.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.570] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12db5d0c | out: lpMode=0x12db5d0c) returned 0 [0245.570] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_125336_9c0-9f8.log"), fInfoLevelId=0x0, lpFileInformation=0x12db5ad0 | out: lpFileInformation=0x12db5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8805a3a7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8805a3a7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98355904, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x234b2)) returned 1 [0245.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0245.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0245.571] ReadFile (in: hFile=0x458, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12db5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12db5d1c*=0x20000, lpOverlapped=0x0) returned 1 [0245.649] GetFileType (hFile=0x458) returned 0x1 [0245.649] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.650] WriteFile (in: hFile=0x458, lpBuffer=0x12ca4000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12db5d00, lpOverlapped=0x12db5d0c | out: lpBuffer=0x12ca4000*, lpNumberOfBytesWritten=0x12db5d00*=0x20000, lpOverlapped=0x12db5d0c) returned 1 [0245.651] GetFileType (hFile=0x458) returned 0x1 [0245.651] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.651] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0245.651] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0245.651] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0245.652] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0245.652] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_125336_9c0-9f8.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.652] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12db5d0c | out: lpMode=0x12db5d0c) returned 0 [0245.652] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ae2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12db5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ae2000*, lpNumberOfBytesWritten=0x12db5d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.652] CloseHandle (hObject=0x3e4) returned 1 [0245.680] CloseHandle (hObject=0x458) returned 1 [0245.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34118 | out: pbBuffer=0x12c34118) returned 1 [0245.783] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_125336_9c0-9f8.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[923153097D92DF4D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[923153097d92df4d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.972] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0245.976] SetEvent (hEvent=0x19c) returned 1 [0245.976] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_125336_460-898.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0245.977] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.977] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_125336_460-898.log"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0245.977] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0245.977] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342c0 | out: pbBuffer=0x12c342c0) returned 1 [0245.977] ReadFile (in: hFile=0x44c, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x12857d1c*=0xf5f6, lpOverlapped=0x0) returned 1 [0245.982] GetFileType (hFile=0x44c) returned 0x1 [0245.982] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.982] WriteFile (in: hFile=0x44c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0xf5f6, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12857d00*=0xf5f6, lpOverlapped=0x12857d0c) returned 1 [0245.983] GetFileType (hFile=0x44c) returned 0x1 [0245.983] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xf5f6, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.983] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0245.983] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0245.983] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0245.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34378 | out: pbBuffer=0x12c34378) returned 1 [0245.984] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_125336_460-898.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.984] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.984] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.984] CloseHandle (hObject=0x458) returned 1 [0245.988] CloseHandle (hObject=0x44c) returned 1 [0246.102] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34390 | out: pbBuffer=0x12c34390) returned 1 [0246.102] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_125336_460-898.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[5ACDCF0651BD24D6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[5acdcf0651bd24d6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0248.420] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307facc, ulCount=0x10, ulNumEntriesRemoved=0x3307fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307facc, ulNumEntriesRemoved=0x3307fab0) returned 0 [0248.431] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307facc, ulCount=0x10, ulNumEntriesRemoved=0x3307fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x3307facc, ulNumEntriesRemoved=0x3307fab0) returned 1 [0265.950] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x3307faac, fWait=0, lpdwFlags=0x3307fabc | out: lpcbTransfer=0x3307faac, lpdwFlags=0x3307fabc) returned 1 [0266.283] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0266.418] SetEvent (hEvent=0x420) returned 1 [0266.419] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0267.179] SwitchToThread () returned 1 [0267.183] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0267.221] SetEvent (hEvent=0x3f8) returned 1 [0267.221] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0267.223] SetEvent (hEvent=0x3f8) returned 1 [0267.223] SetEvent (hEvent=0x40c) returned 1 [0267.223] ReadFile (in: hFile=0x42c, lpBuffer=0x12982000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12982000*, lpNumberOfBytesRead=0x12a49d1c*=0x18905, lpOverlapped=0x0) returned 1 [0267.225] GetFileType (hFile=0x42c) returned 0x1 [0267.225] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.226] WriteFile (in: hFile=0x42c, lpBuffer=0x12d1a000*, nNumberOfBytesToWrite=0x18905, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12d1a000*, lpNumberOfBytesWritten=0x12a49d00*=0x18905, lpOverlapped=0x12a49d0c) returned 1 [0267.226] GetFileType (hFile=0x42c) returned 0x1 [0267.226] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x18905, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0267.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0267.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0267.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0267.227] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4T9378rzN.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4t9378rzn.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.227] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.227] WriteFile (in: hFile=0x458, lpBuffer=0x12db0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12db0000*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.228] CloseHandle (hObject=0x458) returned 1 [0267.228] CloseHandle (hObject=0x42c) returned 1 [0267.228] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810118 | out: pbBuffer=0x12810118) returned 1 [0267.228] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4T9378rzN.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4t9378rzn.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[299BED433AA6CD8F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[299bed433aa6cd8f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.229] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4vIO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4vio.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.230] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.230] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4vIO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4vio.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a1ac380, ftCreationTime.dwHighDateTime=0x1d827ec, ftLastAccessTime.dwLowDateTime=0x238a4c70, ftLastAccessTime.dwHighDateTime=0x1d828d9, ftLastWriteTime.dwLowDateTime=0x238a4c70, ftLastWriteTime.dwHighDateTime=0x1d828d9, nFileSizeHigh=0x0, nFileSizeLow=0x1b8e)) returned 1 [0267.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129281e0 | out: pbBuffer=0x129281e0) returned 1 [0267.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0267.230] ReadFile (in: hFile=0x42c, lpBuffer=0x129a2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a2000*, lpNumberOfBytesRead=0x12a49d1c*=0x1b8e, lpOverlapped=0x0) returned 1 [0267.231] GetFileType (hFile=0x42c) returned 0x1 [0267.232] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.232] WriteFile (in: hFile=0x42c, lpBuffer=0x1288c000*, nNumberOfBytesToWrite=0x1b8e, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x1288c000*, lpNumberOfBytesWritten=0x12a49d00*=0x1b8e, lpOverlapped=0x12a49d0c) returned 1 [0267.232] GetFileType (hFile=0x42c) returned 0x1 [0267.232] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1b8e, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0267.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0267.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0267.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810218 | out: pbBuffer=0x12810218) returned 1 [0267.233] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4vIO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4vio.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.233] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.233] WriteFile (in: hFile=0x458, lpBuffer=0x12db0500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12db0500*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.233] CloseHandle (hObject=0x458) returned 1 [0267.233] CloseHandle (hObject=0x42c) returned 1 [0267.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810230 | out: pbBuffer=0x12810230) returned 1 [0267.233] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4vIO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4vio.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[7BFCD432ADE3CE54]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[7bfcd432ade3ce54]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.234] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ALLS85J2YU51TsHzc3b.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\alls85j2yu51tshzc3b.ods"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecefdb40, ftCreationTime.dwHighDateTime=0x1d81d24, ftLastAccessTime.dwLowDateTime=0xdca26c10, ftLastAccessTime.dwHighDateTime=0x1d828c5, ftLastWriteTime.dwLowDateTime=0xdca26c10, ftLastWriteTime.dwHighDateTime=0x1d828c5, nFileSizeHigh=0x0, nFileSizeLow=0x1f70)) returned 1 [0267.235] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\AyRUpK5H.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ayrupk5h.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x262752f0, ftCreationTime.dwHighDateTime=0x1d81a8a, ftLastAccessTime.dwLowDateTime=0x84ab52c0, ftLastAccessTime.dwHighDateTime=0x1d81e10, ftLastWriteTime.dwLowDateTime=0x84ab52c0, ftLastWriteTime.dwHighDateTime=0x1d81e10, nFileSizeHigh=0x0, nFileSizeLow=0x6a81)) returned 1 [0267.235] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ALLS85J2YU51TsHzc3b.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\alls85j2yu51tshzc3b.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.235] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.235] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ALLS85J2YU51TsHzc3b.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\alls85j2yu51tshzc3b.ods"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecefdb40, ftCreationTime.dwHighDateTime=0x1d81d24, ftLastAccessTime.dwLowDateTime=0xdca26c10, ftLastAccessTime.dwHighDateTime=0x1d828c5, ftLastWriteTime.dwLowDateTime=0xdca26c10, ftLastWriteTime.dwHighDateTime=0x1d828c5, nFileSizeHigh=0x0, nFileSizeLow=0x1f70)) returned 1 [0267.235] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129289e0 | out: pbBuffer=0x129289e0) returned 1 [0267.236] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ab0 | out: pbBuffer=0x12810ab0) returned 1 [0267.236] ReadFile (in: hFile=0x42c, lpBuffer=0x12bbc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bbc000*, lpNumberOfBytesRead=0x12a49d1c*=0x1f70, lpOverlapped=0x0) returned 1 [0267.237] GetFileType (hFile=0x42c) returned 0x1 [0267.237] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.237] WriteFile (in: hFile=0x42c, lpBuffer=0x128e4000*, nNumberOfBytesToWrite=0x1f70, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x128e4000*, lpNumberOfBytesWritten=0x12a49d00*=0x1f70, lpOverlapped=0x12a49d0c) returned 1 [0267.237] GetFileType (hFile=0x42c) returned 0x1 [0267.237] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1f70, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0267.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0267.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0267.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810b68 | out: pbBuffer=0x12810b68) returned 1 [0267.238] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ALLS85J2YU51TsHzc3b.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\alls85j2yu51tshzc3b.ods"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.238] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.238] WriteFile (in: hFile=0x458, lpBuffer=0x12db1400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12db1400*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.238] CloseHandle (hObject=0x458) returned 1 [0267.239] CloseHandle (hObject=0x42c) returned 1 [0267.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b80 | out: pbBuffer=0x12810b80) returned 1 [0267.239] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ALLS85J2YU51TsHzc3b.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\alls85j2yu51tshzc3b.ods"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[DE60E2DF24633550]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[de60e2df24633550]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\AyRUpK5H.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ayrupk5h.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.241] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.241] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\AyRUpK5H.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ayrupk5h.docx"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x262752f0, ftCreationTime.dwHighDateTime=0x1d81a8a, ftLastAccessTime.dwLowDateTime=0x84ab52c0, ftLastAccessTime.dwHighDateTime=0x1d81e10, ftLastWriteTime.dwLowDateTime=0x84ab52c0, ftLastWriteTime.dwHighDateTime=0x1d81e10, nFileSizeHigh=0x0, nFileSizeLow=0x6a81)) returned 1 [0267.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928be0 | out: pbBuffer=0x12928be0) returned 1 [0267.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810bc8 | out: pbBuffer=0x12810bc8) returned 1 [0267.241] ReadFile (in: hFile=0x42c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a49d1c*=0x6a81, lpOverlapped=0x0) returned 1 [0267.242] GetFileType (hFile=0x42c) returned 0x1 [0267.242] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.243] WriteFile (in: hFile=0x42c, lpBuffer=0x12a62000*, nNumberOfBytesToWrite=0x6a81, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12a62000*, lpNumberOfBytesWritten=0x12a49d00*=0x6a81, lpOverlapped=0x12a49d0c) returned 1 [0267.243] GetFileType (hFile=0x42c) returned 0x1 [0267.243] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x6a81, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.243] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0267.243] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0267.243] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0267.243] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810c80 | out: pbBuffer=0x12810c80) returned 1 [0267.244] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\AyRUpK5H.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ayrupk5h.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.244] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.244] WriteFile (in: hFile=0x458, lpBuffer=0x12db1900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12db1900*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.244] CloseHandle (hObject=0x458) returned 1 [0267.244] CloseHandle (hObject=0x42c) returned 1 [0267.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c98 | out: pbBuffer=0x12810c98) returned 1 [0267.244] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\AyRUpK5H.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ayrupk5h.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[1A639C6E624AAD26]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[1a639c6e624aad26]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.382] SetEvent (hEvent=0x110) returned 1 [0267.382] SetEvent (hEvent=0x40c) returned 1 [0267.382] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DMPSVLqM3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\dmpsvlqm3.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.383] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.383] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DMPSVLqM3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\dmpsvlqm3.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x308cb7e0, ftCreationTime.dwHighDateTime=0x1d82713, ftLastAccessTime.dwLowDateTime=0x7da17940, ftLastAccessTime.dwHighDateTime=0x1d82a0f, ftLastWriteTime.dwLowDateTime=0x7da17940, ftLastWriteTime.dwHighDateTime=0x1d82a0f, nFileSizeHigh=0x0, nFileSizeLow=0x14d3c)) returned 1 [0267.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0267.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848470 | out: pbBuffer=0x12848470) returned 1 [0267.384] ReadFile (in: hFile=0x42c, lpBuffer=0x129f0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f0000*, lpNumberOfBytesRead=0x12a49d1c*=0x14d3c, lpOverlapped=0x0) returned 1 [0267.386] GetFileType (hFile=0x42c) returned 0x1 [0267.386] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.386] WriteFile (in: hFile=0x42c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x14d3c, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12a49d00*=0x14d3c, lpOverlapped=0x12a49d0c) returned 1 [0267.387] GetFileType (hFile=0x42c) returned 0x1 [0267.387] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x14d3c, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.387] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0267.387] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0267.387] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0267.387] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848528 | out: pbBuffer=0x12848528) returned 1 [0267.387] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DMPSVLqM3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\dmpsvlqm3.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.387] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.388] WriteFile (in: hFile=0x45c, lpBuffer=0x128b0500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0500*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.388] CloseHandle (hObject=0x45c) returned 1 [0267.390] CloseHandle (hObject=0x42c) returned 1 [0267.393] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848540 | out: pbBuffer=0x12848540) returned 1 [0267.393] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DMPSVLqM3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\dmpsvlqm3.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[5BA79D9882B0EB0D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[5ba79d9882b0eb0d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.461] SetEvent (hEvent=0x40c) returned 1 [0267.461] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JURtp.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jurtp.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.462] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.462] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JURtp.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jurtp.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x206b75f0, ftCreationTime.dwHighDateTime=0x1d820e6, ftLastAccessTime.dwLowDateTime=0xc0cbf9d0, ftLastAccessTime.dwHighDateTime=0x1d8292d, ftLastWriteTime.dwLowDateTime=0xc0cbf9d0, ftLastWriteTime.dwHighDateTime=0x1d8292d, nFileSizeHigh=0x0, nFileSizeLow=0xd5e3)) returned 1 [0267.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0267.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810170 | out: pbBuffer=0x12810170) returned 1 [0267.463] ReadFile (in: hFile=0x458, lpBuffer=0x12d5e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d5e000*, lpNumberOfBytesRead=0x12a49d1c*=0xd5e3, lpOverlapped=0x0) returned 1 [0267.464] GetFileType (hFile=0x458) returned 0x1 [0267.464] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.465] WriteFile (in: hFile=0x458, lpBuffer=0x12d9e000*, nNumberOfBytesToWrite=0xd5e3, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12d9e000*, lpNumberOfBytesWritten=0x12a49d00*=0xd5e3, lpOverlapped=0x12a49d0c) returned 1 [0267.465] GetFileType (hFile=0x458) returned 0x1 [0267.465] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0xd5e3, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0267.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0267.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0267.466] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810228 | out: pbBuffer=0x12810228) returned 1 [0267.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JURtp.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jurtp.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.466] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.466] WriteFile (in: hFile=0x45c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.466] CloseHandle (hObject=0x45c) returned 1 [0267.469] CloseHandle (hObject=0x458) returned 1 [0267.479] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0267.479] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JURtp.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jurtp.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[F2B6F879F30E87D2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[f2b6f879f30e87d2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.573] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0267.575] SetEvent (hEvent=0xfc) returned 1 [0267.575] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KnoA7FD.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\knoa7fd.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.577] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.577] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KnoA7FD.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\knoa7fd.tmp"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdd1af23, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfdd1af23, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfdd1af23, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0267.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f0e0 | out: pbBuffer=0x1280f0e0) returned 1 [0267.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35650 | out: pbBuffer=0x12c35650) returned 1 [0267.577] ReadFile (in: hFile=0x458, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12853d1c*=0x0, lpOverlapped=0x0) returned 1 [0267.577] CloseHandle (hObject=0x458) returned 1 [0267.577] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0267.607] SetEvent (hEvent=0x19c) returned 1 [0267.607] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MUUIz3me61vcXxlVyHi.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\muuiz3me61vcxxlvyhi.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.608] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MUUIz3me61vcXxlVyHi.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\muuiz3me61vcxxlvyhi.pps"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa24d0, ftCreationTime.dwHighDateTime=0x1d820a3, ftLastAccessTime.dwLowDateTime=0xd18d4810, ftLastAccessTime.dwHighDateTime=0x1d8217f, ftLastWriteTime.dwLowDateTime=0xd18d4810, ftLastWriteTime.dwHighDateTime=0x1d8217f, nFileSizeHigh=0x0, nFileSizeLow=0xa6eb)) returned 1 [0267.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f100 | out: pbBuffer=0x1280f100) returned 1 [0267.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35660 | out: pbBuffer=0x12c35660) returned 1 [0267.609] ReadFile (in: hFile=0x44c, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12853d1c*=0xa6eb, lpOverlapped=0x0) returned 1 [0267.610] GetFileType (hFile=0x44c) returned 0x1 [0267.611] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.611] WriteFile (in: hFile=0x44c, lpBuffer=0x12cf8000*, nNumberOfBytesToWrite=0xa6eb, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12cf8000*, lpNumberOfBytesWritten=0x12853d00*=0xa6eb, lpOverlapped=0x12853d0c) returned 1 [0267.611] GetFileType (hFile=0x44c) returned 0x1 [0267.611] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xa6eb, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0267.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0267.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0267.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c35718 | out: pbBuffer=0x12c35718) returned 1 [0267.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MUUIz3me61vcXxlVyHi.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\muuiz3me61vcxxlvyhi.pps"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.612] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.612] WriteFile (in: hFile=0x45c, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.612] CloseHandle (hObject=0x45c) returned 1 [0267.619] CloseHandle (hObject=0x44c) returned 1 [0267.623] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0267.646] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0267.683] SetEvent (hEvent=0x40c) returned 1 [0267.683] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Tmjt46ivzmGJLB.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmjt46ivzmgjlb.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.684] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.684] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Tmjt46ivzmGJLB.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmjt46ivzmgjlb.ppt"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5611db0, ftCreationTime.dwHighDateTime=0x1d82491, ftLastAccessTime.dwLowDateTime=0xbe2e40e0, ftLastAccessTime.dwHighDateTime=0x1d829a3, ftLastWriteTime.dwLowDateTime=0xbe2e40e0, ftLastWriteTime.dwHighDateTime=0x1d829a3, nFileSizeHigh=0x0, nFileSizeLow=0xf47a)) returned 1 [0267.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0267.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0267.684] ReadFile (in: hFile=0x458, lpBuffer=0x12d3e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d3e000*, lpNumberOfBytesRead=0x12a49d1c*=0xf47a, lpOverlapped=0x0) returned 1 [0267.686] GetFileType (hFile=0x458) returned 0x1 [0267.686] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.686] WriteFile (in: hFile=0x458, lpBuffer=0x12bdc000*, nNumberOfBytesToWrite=0xf47a, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12bdc000*, lpNumberOfBytesWritten=0x12a49d00*=0xf47a, lpOverlapped=0x12a49d0c) returned 1 [0267.687] GetFileType (hFile=0x458) returned 0x1 [0267.687] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0xf47a, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0267.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0267.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0267.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0267.687] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Tmjt46ivzmGJLB.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmjt46ivzmgjlb.ppt"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.688] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.688] WriteFile (in: hFile=0x450, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.688] CloseHandle (hObject=0x450) returned 1 [0267.726] SetEvent (hEvent=0x110) returned 1 [0267.726] CloseHandle (hObject=0x458) returned 1 [0267.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e84f8 | out: pbBuffer=0x128e84f8) returned 1 [0267.737] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Tmjt46ivzmGJLB.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmjt46ivzmgjlb.ppt"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[E389660CC40B379E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[e389660cc40b379e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.811] SetEvent (hEvent=0x110) returned 1 [0267.811] SetEvent (hEvent=0xfc) returned 1 [0267.811] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\h_hvOUv.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\h_hvouv.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.812] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.812] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\h_hvOUv.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\h_hvouv.swf"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9521ccd0, ftCreationTime.dwHighDateTime=0x1d81deb, ftLastAccessTime.dwLowDateTime=0xa3249fe0, ftLastAccessTime.dwHighDateTime=0x1d8276b, ftLastWriteTime.dwLowDateTime=0xa3249fe0, ftLastWriteTime.dwHighDateTime=0x1d8276b, nFileSizeHigh=0x0, nFileSizeLow=0x764d)) returned 1 [0267.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0267.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848990 | out: pbBuffer=0x12848990) returned 1 [0267.813] ReadFile (in: hFile=0x44c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12a49d1c*=0x764d, lpOverlapped=0x0) returned 1 [0267.814] GetFileType (hFile=0x44c) returned 0x1 [0267.814] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.814] WriteFile (in: hFile=0x44c, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x764d, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x12a49d00*=0x764d, lpOverlapped=0x12a49d0c) returned 1 [0267.815] GetFileType (hFile=0x44c) returned 0x1 [0267.815] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x764d, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0267.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0267.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0267.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848a68 | out: pbBuffer=0x12848a68) returned 1 [0267.815] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\h_hvOUv.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\h_hvouv.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.815] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.816] WriteFile (in: hFile=0x45c, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.816] CloseHandle (hObject=0x45c) returned 1 [0267.818] CloseHandle (hObject=0x44c) returned 1 [0267.822] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a80 | out: pbBuffer=0x12848a80) returned 1 [0267.822] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\h_hvOUv.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\h_hvouv.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[1CC887649E83B110]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[1cc887649e83b110]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.911] SetEvent (hEvent=0xf4) returned 1 [0267.911] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rloQMu5c-GxC4zr3Gf.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rloqmu5c-gxc4zr3gf.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.912] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.913] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rloQMu5c-GxC4zr3Gf.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rloqmu5c-gxc4zr3gf.swf"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ceb8e0, ftCreationTime.dwHighDateTime=0x1d823ea, ftLastAccessTime.dwLowDateTime=0xcf12c100, ftLastAccessTime.dwHighDateTime=0x1d82486, ftLastWriteTime.dwLowDateTime=0xcf12c100, ftLastWriteTime.dwHighDateTime=0x1d82486, nFileSizeHigh=0x0, nFileSizeLow=0x146ef)) returned 1 [0267.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845620 | out: pbBuffer=0x12845620) returned 1 [0267.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a628 | out: pbBuffer=0x12a9a628) returned 1 [0267.913] ReadFile (in: hFile=0x458, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12a49d1c*=0x146ef, lpOverlapped=0x0) returned 1 [0267.916] GetFileType (hFile=0x458) returned 0x1 [0267.916] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.916] WriteFile (in: hFile=0x458, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x146ef, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a49d00*=0x146ef, lpOverlapped=0x12a49d0c) returned 1 [0267.917] GetFileType (hFile=0x458) returned 0x1 [0267.917] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x146ef, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc81 | out: pbBuffer=0x12afcc81) returned 1 [0267.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd81 | out: pbBuffer=0x12afcd81) returned 1 [0267.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce81 | out: pbBuffer=0x12afce81) returned 1 [0267.918] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a6e0 | out: pbBuffer=0x12a9a6e0) returned 1 [0267.918] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rloQMu5c-GxC4zr3Gf.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rloqmu5c-gxc4zr3gf.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.918] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.918] WriteFile (in: hFile=0x45c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.919] CloseHandle (hObject=0x45c) returned 1 [0267.921] CloseHandle (hObject=0x458) returned 1 [0268.245] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a6f8 | out: pbBuffer=0x12a9a6f8) returned 1 [0268.339] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\rloQMu5c-GxC4zr3Gf.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\rloqmu5c-gxc4zr3gf.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[4A4A408ED4B6D2AD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[4a4a408ed4b6d2ad]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.478] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0269.633] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\upibLQsn2F_Ad.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\upiblqsn2f_ad.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0269.635] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0269.635] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\upibLQsn2F_Ad.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\upiblqsn2f_ad.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37b86830, ftCreationTime.dwHighDateTime=0x1d8211d, ftLastAccessTime.dwLowDateTime=0xe19c2010, ftLastAccessTime.dwHighDateTime=0x1d82944, ftLastWriteTime.dwLowDateTime=0xe19c2010, ftLastWriteTime.dwHighDateTime=0x1d82944, nFileSizeHigh=0x0, nFileSizeLow=0x1820d)) returned 1 [0269.635] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0269.635] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0269.635] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0269.716] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0269.716] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0269.716] SetEvent (hEvent=0x110) returned 1 [0269.716] SetEvent (hEvent=0xf4) returned 1 [0269.735] ReadFile (in: hFile=0x44c, lpBuffer=0x12c88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c88000*, lpNumberOfBytesRead=0x12a49d1c*=0x1820d, lpOverlapped=0x0) returned 1 [0269.738] GetFileType (hFile=0x44c) returned 0x1 [0269.738] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.738] WriteFile (in: hFile=0x44c, lpBuffer=0x12cd0000*, nNumberOfBytesToWrite=0x1820d, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12cd0000*, lpNumberOfBytesWritten=0x12a49d00*=0x1820d, lpOverlapped=0x12a49d0c) returned 1 [0269.739] GetFileType (hFile=0x44c) returned 0x1 [0269.739] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1820d, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0269.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0269.740] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0269.740] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8428 | out: pbBuffer=0x128e8428) returned 1 [0269.740] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\upibLQsn2F_Ad.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\upiblqsn2f_ad.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0269.740] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0269.741] WriteFile (in: hFile=0x45c, lpBuffer=0x12da4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12da4500*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0269.741] CloseHandle (hObject=0x45c) returned 1 [0269.741] CloseHandle (hObject=0x44c) returned 1 [0269.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8440 | out: pbBuffer=0x128e8440) returned 1 [0269.741] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\upibLQsn2F_Ad.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\upiblqsn2f_ad.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[1599DD5FE52715C3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[1599dd5fe52715c3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.775] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0269.777] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0269.787] SetEvent (hEvent=0x40c) returned 1 [0269.787] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0269.835] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0269.836] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wz2nYDFysrbRUqT.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\wz2nydfysrbruqt.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0269.837] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0269.837] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wz2nYDFysrbRUqT.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\wz2nydfysrbruqt.swf"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x796e2fe0, ftCreationTime.dwHighDateTime=0x1d8294b, ftLastAccessTime.dwLowDateTime=0x5f277f60, ftLastAccessTime.dwHighDateTime=0x1d829f5, ftLastWriteTime.dwLowDateTime=0x5f277f60, ftLastWriteTime.dwHighDateTime=0x1d829f5, nFileSizeHigh=0x0, nFileSizeLow=0xdcb1)) returned 1 [0269.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0269.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0269.838] ReadFile (in: hFile=0x42c, lpBuffer=0x12c88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c88000*, lpNumberOfBytesRead=0x1282bd1c*=0xdcb1, lpOverlapped=0x0) returned 1 [0269.841] GetFileType (hFile=0x42c) returned 0x1 [0269.841] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0269.841] WriteFile (in: hFile=0x42c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0xdcb1, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x1282bd00*=0xdcb1, lpOverlapped=0x1282bd0c) returned 1 [0269.842] GetFileType (hFile=0x42c) returned 0x1 [0269.842] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xdcb1, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0269.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0269.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0269.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0269.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340f0 | out: pbBuffer=0x12c340f0) returned 1 [0269.843] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wz2nYDFysrbRUqT.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\wz2nydfysrbruqt.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0269.844] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0269.844] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0269.844] CloseHandle (hObject=0x458) returned 1 [0269.844] CloseHandle (hObject=0x42c) returned 1 [0269.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34108 | out: pbBuffer=0x12c34108) returned 1 [0269.844] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wz2nYDFysrbRUqT.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\wz2nydfysrbruqt.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[449F808F39F8414D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[449f808f39f8414d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.847] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.848] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.log\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0269.848] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00006.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb00006.log"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a8cb5a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xb5f47501, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0269.848] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00001.jrs"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40ab0ffe, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0269.848] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00006.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb00006.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0269.850] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0269.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00006.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb00006.log"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a8cb5a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xb5f47501, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0269.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88200 | out: pbBuffer=0x12b88200) returned 1 [0269.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34da0 | out: pbBuffer=0x12c34da0) returned 1 [0269.851] ReadFile (in: hFile=0x42c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0269.855] GetFileType (hFile=0x42c) returned 0x1 [0269.855] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0269.855] WriteFile (in: hFile=0x42c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0269.856] GetFileType (hFile=0x42c) returned 0x1 [0269.856] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0269.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0269.857] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0269.857] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0269.858] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34e58 | out: pbBuffer=0x12c34e58) returned 1 [0269.858] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00006.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb00006.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0269.858] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0269.858] WriteFile (in: hFile=0x458, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0269.955] CloseHandle (hObject=0x458) returned 1 [0269.955] CloseHandle (hObject=0x42c) returned 1 [0269.955] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34e70 | out: pbBuffer=0x12c34e70) returned 1 [0269.955] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00006.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb00006.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\#_THIS_FILE_IS_ENCRYPTED_[783306D4C55DF5F9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\#_this_file_is_encrypted_[783306d4c55df5f9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.957] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0269.958] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0269.958] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00002.jrs"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40ab0ffe, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0269.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88400 | out: pbBuffer=0x12b88400) returned 1 [0269.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34eb8 | out: pbBuffer=0x12c34eb8) returned 1 [0269.958] ReadFile (in: hFile=0x42c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0269.962] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0270.009] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0270.009] SetEvent (hEvent=0x110) returned 1 [0270.009] SetEvent (hEvent=0x104) returned 1 [0270.043] GetFileType (hFile=0x42c) returned 0x1 [0270.043] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.044] WriteFile (in: hFile=0x42c, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0270.048] GetFileType (hFile=0x42c) returned 0x1 [0270.048] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0270.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0270.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc01 | out: pbBuffer=0x12afcc01) returned 1 [0270.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34f70 | out: pbBuffer=0x12c34f70) returned 1 [0270.050] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00002.jrs"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0270.050] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0270.050] WriteFile (in: hFile=0x458, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.137] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.144] CloseHandle (hObject=0x458) returned 1 [0270.144] CloseHandle (hObject=0x42c) returned 1 [0270.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e85b8 | out: pbBuffer=0x128e85b8) returned 1 [0270.331] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00002.jrs"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\#_THIS_FILE_IS_ENCRYPTED_[D8C8C847320CABE8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\#_this_file_is_encrypted_[d8c8c847320cabe8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.353] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.539] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.582] SetEvent (hEvent=0xf4) returned 1 [0270.582] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0270.583] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.583] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65b4c5b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65b4c5b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65b4c5b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1d7)) returned 1 [0270.583] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0270.583] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0270.583] ReadFile (in: hFile=0x458, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12851d1c*=0x1d7, lpOverlapped=0x0) returned 1 [0270.585] GetFileType (hFile=0x458) returned 0x1 [0270.585] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.585] WriteFile (in: hFile=0x458, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x12851d00*=0x1d7, lpOverlapped=0x12851d0c) returned 1 [0270.586] GetFileType (hFile=0x458) returned 0x1 [0270.586] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x1d7, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.586] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0270.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0270.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0270.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0270.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0270.613] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.613] WriteFile (in: hFile=0x44c, lpBuffer=0x12da4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12da4000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.635] CloseHandle (hObject=0x44c) returned 1 [0270.636] CloseHandle (hObject=0x458) returned 1 [0270.636] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0270.636] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\#_THIS_FILE_IS_ENCRYPTED_[A43EAD03CF720773]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\#_this_file_is_encrypted_[a43ead03cf720773]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.726] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.745] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.757] SetEvent (hEvent=0xfc) returned 1 [0270.757] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x81bb59b3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81bb59b3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa5afc463, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1be)) returned 1 [0270.758] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.780] SetEvent (hEvent=0x104) returned 1 [0270.780] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.789] SetEvent (hEvent=0xfc) returned 1 [0270.790] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\77ec63bda74bd0d0e0426dc8f8008506"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65dad7a, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x122)) returned 1 [0270.791] SetEvent (hEvent=0x3f8) returned 1 [0270.791] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0270.803] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.803] SetEvent (hEvent=0xfc) returned 1 [0270.803] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0270.864] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.865] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0270.881] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.881] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0270.883] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.883] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0270.883] SetEvent (hEvent=0x110) returned 1 [0270.883] SetEvent (hEvent=0x1d0) returned 1 [0270.883] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0270.893] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.893] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0270.937] SetEvent (hEvent=0x104) returned 1 [0270.937] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.938] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0270.938] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0270.938] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.938] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0270.938] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0270.938] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0270.938] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0270.938] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0270.939] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.939] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0270.939] WriteFile (in: hFile=0x450, lpBuffer=0x12a59300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12a59300*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0270.941] CloseHandle (hObject=0x450) returned 1 [0270.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.942] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0270.942] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0270.942] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.942] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 1 [0270.942] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0270.942] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0270.943] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0270.943] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0270.943] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.944] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0270.944] WriteFile (in: hFile=0x450, lpBuffer=0x12a5a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a5a600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0270.946] CloseHandle (hObject=0x450) returned 1 [0270.946] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\nativecache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.946] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\nativecache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0270.946] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0270.947] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.947] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0270.947] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0270.947] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\nativecache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0270.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\nativecache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0270.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\nativecache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.948] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0270.948] WriteFile (in: hFile=0x450, lpBuffer=0x12a5b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a5b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0270.950] CloseHandle (hObject=0x450) returned 1 [0270.950] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FLIUZbRcCx2rfhc.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fliuzbrccx2rfhc.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66681ef0, ftCreationTime.dwHighDateTime=0x1d8250a, ftLastAccessTime.dwLowDateTime=0xda111580, ftLastAccessTime.dwHighDateTime=0x1d82796, ftLastWriteTime.dwLowDateTime=0xda111580, ftLastWriteTime.dwHighDateTime=0x1d82796, nFileSizeHigh=0x0, nFileSizeLow=0x919c)) returned 1 [0270.950] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0271.242] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0271.246] SetEvent (hEvent=0x19c) returned 1 [0271.246] SetEvent (hEvent=0x104) returned 1 [0271.246] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LTG-ijW6S.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ltg-ijw6s.ots"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cfd5c60, ftCreationTime.dwHighDateTime=0x1d8248a, ftLastAccessTime.dwLowDateTime=0x5e404c20, ftLastAccessTime.dwHighDateTime=0x1d829d3, ftLastWriteTime.dwLowDateTime=0x5e404c20, ftLastWriteTime.dwHighDateTime=0x1d829d3, nFileSizeHigh=0x0, nFileSizeLow=0x12baa)) returned 1 [0271.247] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0271.247] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0271.247] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0271.247] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.247] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AddIns", cAlternateFileName="")) returned 1 [0271.247] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e898ff, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0271.247] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0271.247] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x816a7a21, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816a7a21, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x816a7a21, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f1c4e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMC", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80f7a98f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa45e20df, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa45e20df, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661c6965, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x50866c1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563371fc, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5635d3c1, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5635d3c1, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Spelling", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b78b76, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4984c62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4984c62, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 1 [0271.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0271.248] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0271.248] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0271.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0271.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0271.266] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0271.266] WriteFile (in: hFile=0x45c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0271.267] CloseHandle (hObject=0x45c) returned 1 [0271.268] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\addins"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0271.476] SetEvent (hEvent=0x110) returned 1 [0271.533] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\addins"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0271.594] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0271.667] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.667] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0271.667] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0271.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\addins\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0271.689] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\addins\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0271.689] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\addins\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0271.700] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0271.724] WriteFile (in: hFile=0x460, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0271.726] CloseHandle (hObject=0x460) returned 1 [0271.726] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0271.733] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0271.733] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0271.733] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.733] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 1 [0271.733] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0271.733] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0271.733] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0271.734] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0271.734] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0271.740] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0271.740] WriteFile (in: hFile=0x460, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0271.749] CloseHandle (hObject=0x460) returned 1 [0271.749] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed2ca5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80ed2ca5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0271.759] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0271.759] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80ed2ca5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0271.763] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80ed2ca5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.763] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e9e60e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9e60e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a58ff51, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x51722, dwReserved0=0x0, dwReserved1=0x0, cFileName="APASixthEditionOfficeOnline.xsl", cAlternateFileName="APASIX~1.XSL")) returned 1 [0271.763] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ea6d97, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ea6d97, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x48839, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHICAGO.XSL", cAlternateFileName="")) returned 1 [0271.763] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eabbab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eabbab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a6d16e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4197e, dwReserved0=0x0, dwReserved1=0x0, cFileName="GB.XSL", cAlternateFileName="")) returned 1 [0271.763] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eaf650, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eaf650, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e966, dwReserved0=0x0, dwReserved1=0x0, cFileName="GostName.XSL", cAlternateFileName="")) returned 1 [0271.763] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb319b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb319b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d639, dwReserved0=0x0, dwReserved1=0x0, cFileName="GostTitle.XSL", cAlternateFileName="GOSTTI~1.XSL")) returned 1 [0271.763] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb804f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb804f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a7ecfbc, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x45882, dwReserved0=0x0, dwReserved1=0x0, cFileName="HarvardAnglia2008OfficeOnline.xsl", cAlternateFileName="HARVAR~1.XSL")) returned 1 [0271.763] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ebb9a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ebb9a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEEE2006OfficeOnline.xsl", cAlternateFileName="IEEE20~1.XSL")) returned 1 [0271.763] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec07b6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec07b6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x42132, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISO690.XSL", cAlternateFileName="")) returned 1 [0271.764] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec4265, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec4265, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x351ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISO690Nmerical.XSL", cAlternateFileName="ISO690~1.XSL")) returned 1 [0271.764] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ecb8b4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ecb8b4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="MLASeventhEditionOfficeOnline.xsl", cAlternateFileName="MLASEV~1.XSL")) returned 1 [0271.764] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed06d2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed06d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b432832, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIST02.XSL", cAlternateFileName="")) returned 1 [0271.764] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed2ca5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed2ca5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b500917, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0x0, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 1 [0271.764] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0271.764] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0271.773] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0271.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0271.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0271.780] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0271.780] WriteFile (in: hFile=0x450, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0271.781] CloseHandle (hObject=0x450) returned 1 [0271.781] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e9e60e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9e60e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a58ff51, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x51722)) returned 1 [0271.788] SetEvent (hEvent=0x110) returned 1 [0271.788] SetEvent (hEvent=0x19c) returned 1 [0271.788] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ea6d97, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ea6d97, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x48839)) returned 1 [0271.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eabbab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eabbab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a6d16e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4197e)) returned 1 [0271.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eaf650, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eaf650, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e966)) returned 1 [0271.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb319b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb319b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d639)) returned 1 [0271.790] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0271.791] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0271.791] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eaf650, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eaf650, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e966)) returned 1 [0271.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a988a0 | out: pbBuffer=0x12a988a0) returned 1 [0271.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9dc0 | out: pbBuffer=0x128e9dc0) returned 1 [0271.791] ReadFile (in: hFile=0x450, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.209] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0272.216] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.216] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0272.216] SetEvent (hEvent=0x1d0) returned 1 [0272.216] SetEvent (hEvent=0x104) returned 1 [0272.217] GetFileType (hFile=0x450) returned 0x1 [0272.217] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.218] WriteFile (in: hFile=0x450, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0272.218] GetFileType (hFile=0x450) returned 0x1 [0272.218] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0272.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0272.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0272.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9e78 | out: pbBuffer=0x128e9e78) returned 1 [0272.220] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0272.220] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.220] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0272.220] CloseHandle (hObject=0x44c) returned 1 [0272.220] CloseHandle (hObject=0x450) returned 1 [0272.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9e90 | out: pbBuffer=0x128e9e90) returned 1 [0272.220] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[FD67A337ABC64A99]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[fd67a337abc64a99]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.223] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0272.227] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.227] SetEvent (hEvent=0x104) returned 1 [0272.227] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0272.229] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.230] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0272.234] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.234] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0272.234] SetEvent (hEvent=0xf4) returned 1 [0272.234] SetEvent (hEvent=0x104) returned 1 [0272.234] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0272.290] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.290] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a010 | out: pbBuffer=0x12a9a010) returned 1 [0272.290] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[7802CC1612534E82]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[7802cc1612534e82]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.294] GetFileType (hFile=0x42c) returned 0x1 [0272.294] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.294] WriteFile (in: hFile=0x42c, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x12851d00*=0x20000, lpOverlapped=0x12851d0c) returned 1 [0272.295] GetFileType (hFile=0x42c) returned 0x1 [0272.296] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a101 | out: pbBuffer=0x1286a101) returned 1 [0272.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a281 | out: pbBuffer=0x1286a281) returned 1 [0272.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a381 | out: pbBuffer=0x1286a381) returned 1 [0272.297] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a130 | out: pbBuffer=0x12a9a130) returned 1 [0272.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0272.297] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0272.297] WriteFile (in: hFile=0x458, lpBuffer=0x12d94500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d94500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.298] CloseHandle (hObject=0x458) returned 1 [0272.298] CloseHandle (hObject=0x42c) returned 1 [0272.298] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a148 | out: pbBuffer=0x12a9a148) returned 1 [0272.298] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[1DF320DD2A6D82CF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[1df320dd2a6d82cf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.300] SetEvent (hEvent=0x1d0) returned 1 [0272.300] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.349] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0272.350] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0272.350] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec4265, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec4265, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x351ea)) returned 1 [0272.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929120 | out: pbBuffer=0x12929120) returned 1 [0272.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9adb0 | out: pbBuffer=0x12a9adb0) returned 1 [0272.350] ReadFile (in: hFile=0x450, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.478] GetFileType (hFile=0x450) returned 0x1 [0272.478] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.478] WriteFile (in: hFile=0x450, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0272.479] GetFileType (hFile=0x450) returned 0x1 [0272.480] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.480] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0272.480] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0272.480] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0272.480] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848848 | out: pbBuffer=0x12848848) returned 1 [0272.481] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0272.481] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0272.481] WriteFile (in: hFile=0x458, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.481] CloseHandle (hObject=0x458) returned 1 [0272.489] CloseHandle (hObject=0x450) returned 1 [0272.491] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848890 | out: pbBuffer=0x12848890) returned 1 [0272.491] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[E0F1A6CB3A39FF3F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[e0f1a6cb3a39ff3f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.589] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.633] SetEvent (hEvent=0x1d0) returned 1 [0272.634] SetEvent (hEvent=0xfc) returned 1 [0272.634] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0272.665] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.665] SetEvent (hEvent=0xfc) returned 1 [0272.665] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0272.696] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.697] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0272.706] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.706] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0272.706] SetEvent (hEvent=0x40c) returned 1 [0272.706] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0272.738] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.738] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.739] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0272.739] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x817190ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x817190ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5ca4c63b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7)) returned 1 [0272.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0272.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0272.739] ReadFile (in: hFile=0x460, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.763] GetFileType (hFile=0x460) returned 0x1 [0272.763] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0272.764] WriteFile (in: hFile=0x460, lpBuffer=0x12b8a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12b8a000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0272.765] GetFileType (hFile=0x460) returned 0x1 [0272.765] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0272.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0272.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0272.766] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0272.766] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0272.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.766] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0272.766] WriteFile (in: hFile=0x42c, lpBuffer=0x12aec000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12aec000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0272.777] CloseHandle (hObject=0x42c) returned 1 [0272.778] CloseHandle (hObject=0x460) returned 1 [0272.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0272.778] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\#_THIS_FILE_IS_ENCRYPTED_[D2225DD91CD87D41]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\#_this_file_is_encrypted_[d2225dd91cd87d41]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.779] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0272.802] SetEvent (hEvent=0xfc) returned 1 [0272.802] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\file explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.803] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0272.803] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\file explorer.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad164063, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x252988fc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x197)) returned 1 [0272.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0272.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0272.804] ReadFile (in: hFile=0x460, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12829d1c*=0x197, lpOverlapped=0x0) returned 1 [0272.805] GetFileType (hFile=0x460) returned 0x1 [0272.805] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.805] WriteFile (in: hFile=0x460, lpBuffer=0x12a48b60*, nNumberOfBytesToWrite=0x197, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a48b60*, lpNumberOfBytesWritten=0x12829d00*=0x197, lpOverlapped=0x12829d0c) returned 1 [0272.805] GetFileType (hFile=0x460) returned 0x1 [0272.806] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x197, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0272.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0272.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0272.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0272.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\file explorer.lnk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.807] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0272.807] WriteFile (in: hFile=0x42c, lpBuffer=0x12aec500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aec500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.822] CloseHandle (hObject=0x42c) returned 1 [0272.839] CloseHandle (hObject=0x460) returned 1 [0272.904] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a320 | out: pbBuffer=0x12a9a320) returned 1 [0272.904] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\file explorer.lnk"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\#_THIS_FILE_IS_ENCRYPTED_[C2F9161526CA40F0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\#_this_file_is_encrypted_[c2f9161526ca40f0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.109] SetEvent (hEvent=0x19c) returned 1 [0273.109] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0273.110] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\credhist"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xa55c36e7, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x1c8)) returned 1 [0273.111] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0273.111] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810170 | out: pbBuffer=0x12810170) returned 1 [0273.111] ReadFile (in: hFile=0x450, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12829d1c*=0x1c8, lpOverlapped=0x0) returned 1 [0273.113] GetFileType (hFile=0x450) returned 0x1 [0273.113] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.113] WriteFile (in: hFile=0x450, lpBuffer=0x12ad21e0*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12ad21e0*, lpNumberOfBytesWritten=0x12829d00*=0x1c8, lpOverlapped=0x12829d0c) returned 1 [0273.113] GetFileType (hFile=0x450) returned 0x1 [0273.113] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x1c8, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0273.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0273.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0273.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810228 | out: pbBuffer=0x12810228) returned 1 [0273.114] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0273.115] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.115] WriteFile (in: hFile=0x42c, lpBuffer=0x12a94500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.131] CloseHandle (hObject=0x42c) returned 1 [0273.132] CloseHandle (hObject=0x450) returned 1 [0273.132] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0273.132] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\credhist"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\#_THIS_FILE_IS_ENCRYPTED_[AA0079370C007CDD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\#_this_file_is_encrypted_[aa0079370c007cdd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.134] SetEvent (hEvent=0x19c) returned 1 [0273.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\Preferred" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0273.135] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.135] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\Preferred" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\preferred"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5088b163, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5627f2fe, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x18)) returned 1 [0273.135] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128448e0 | out: pbBuffer=0x128448e0) returned 1 [0273.135] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810298 | out: pbBuffer=0x12810298) returned 1 [0273.135] ReadFile (in: hFile=0x450, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12829d1c*=0x18, lpOverlapped=0x0) returned 1 [0273.137] GetFileType (hFile=0x450) returned 0x1 [0273.137] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.137] WriteFile (in: hFile=0x450, lpBuffer=0x12844900*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12844900*, lpNumberOfBytesWritten=0x12829d00*=0x18, lpOverlapped=0x12829d0c) returned 1 [0273.137] GetFileType (hFile=0x450) returned 0x1 [0273.137] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x18, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.137] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0273.137] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0273.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0273.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810350 | out: pbBuffer=0x12810350) returned 1 [0273.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\Preferred" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\preferred"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0273.138] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.138] WriteFile (in: hFile=0x42c, lpBuffer=0x12a94a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.157] CloseHandle (hObject=0x42c) returned 1 [0273.157] CloseHandle (hObject=0x450) returned 1 [0273.158] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810368 | out: pbBuffer=0x12810368) returned 1 [0273.158] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\Preferred" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\preferred"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\#_THIS_FILE_IS_ENCRYPTED_[390F23F656823F91]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\#_this_file_is_encrypted_[390f23f656823f91]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.159] SetEvent (hEvent=0x19c) returned 1 [0273.159] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0273.160] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.160] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xde7dde0f, ftCreationTime.dwHighDateTime=0x1d7b055, ftLastAccessTime.dwLowDateTime=0xde7dde0f, ftLastAccessTime.dwHighDateTime=0x1d7b055, ftLastWriteTime.dwLowDateTime=0xde7dde0f, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x1d4)) returned 1 [0273.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844d60 | out: pbBuffer=0x12844d60) returned 1 [0273.161] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103b0 | out: pbBuffer=0x128103b0) returned 1 [0273.161] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0273.164] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.164] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0273.164] SetEvent (hEvent=0x110) returned 1 [0273.164] SetEvent (hEvent=0x19c) returned 1 [0273.165] ReadFile (in: hFile=0x450, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12829d1c*=0x1d4, lpOverlapped=0x0) returned 1 [0273.166] GetFileType (hFile=0x450) returned 0x1 [0273.166] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.166] WriteFile (in: hFile=0x450, lpBuffer=0x12ad2b40*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12ad2b40*, lpNumberOfBytesWritten=0x12829d00*=0x1d4, lpOverlapped=0x12829d0c) returned 1 [0273.167] GetFileType (hFile=0x450) returned 0x1 [0273.167] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x1d4, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd81 | out: pbBuffer=0x12afcd81) returned 1 [0273.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce81 | out: pbBuffer=0x12afce81) returned 1 [0273.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf81 | out: pbBuffer=0x12afcf81) returned 1 [0273.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810468 | out: pbBuffer=0x12810468) returned 1 [0273.171] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0273.171] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.171] WriteFile (in: hFile=0x42c, lpBuffer=0x12a94f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.172] CloseHandle (hObject=0x42c) returned 1 [0273.172] CloseHandle (hObject=0x450) returned 1 [0273.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810480 | out: pbBuffer=0x12810480) returned 1 [0273.173] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\be39cc84-e9bf-4c2d-a3a5-e953c9f3df24"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\#_THIS_FILE_IS_ENCRYPTED_[7442C9E14781A561]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\#_this_file_is_encrypted_[7442c9e14781a561]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.176] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0273.185] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.185] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0273.193] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.193] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0273.195] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0273.195] SetEvent (hEvent=0x110) returned 1 [0273.195] SetEvent (hEvent=0xfc) returned 1 [0273.195] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0273.202] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.202] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0273.203] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5088b163, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xa5626547, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x1d4)) returned 1 [0273.204] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0273.204] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0273.204] ReadFile (in: hFile=0x460, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x1d4, lpOverlapped=0x0) returned 1 [0273.205] GetFileType (hFile=0x460) returned 0x1 [0273.205] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.205] WriteFile (in: hFile=0x460, lpBuffer=0x1286c1e0*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x1286c1e0*, lpNumberOfBytesWritten=0x12829d00*=0x1d4, lpOverlapped=0x12829d0c) returned 1 [0273.206] GetFileType (hFile=0x460) returned 0x1 [0273.206] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x1d4, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0273.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0273.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0273.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0273.207] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.207] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.207] WriteFile (in: hFile=0x44c, lpBuffer=0x12b02000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.226] CloseHandle (hObject=0x44c) returned 1 [0273.237] CloseHandle (hObject=0x460) returned 1 [0273.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0273.238] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\#_THIS_FILE_IS_ENCRYPTED_[D6B6DD69156C0503]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\#_this_file_is_encrypted_[d6b6dd69156c0503]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0273.241] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.241] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.acl"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x567d5b26, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2)) returned 1 [0273.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282c0 | out: pbBuffer=0x129282c0) returned 1 [0273.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0273.241] ReadFile (in: hFile=0x460, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a5fd1c*=0x2, lpOverlapped=0x0) returned 1 [0273.243] GetFileType (hFile=0x460) returned 0x1 [0273.243] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.243] WriteFile (in: hFile=0x460, lpBuffer=0x12848428*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12848428*, lpNumberOfBytesWritten=0x12a5fd00*=0x2, lpOverlapped=0x12a5fd0c) returned 1 [0273.243] GetFileType (hFile=0x460) returned 0x1 [0273.243] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x2, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.243] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0273.243] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0273.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0273.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484f0 | out: pbBuffer=0x128484f0) returned 1 [0273.244] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.acl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0273.245] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.245] WriteFile (in: hFile=0x458, lpBuffer=0x12b02500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02500*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.245] CloseHandle (hObject=0x458) returned 1 [0273.245] CloseHandle (hObject=0x460) returned 1 [0273.245] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848508 | out: pbBuffer=0x12848508) returned 1 [0273.245] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\default.acl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\#_THIS_FILE_IS_ENCRYPTED_[D3F4EAC91054B276]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\#_this_file_is_encrypted_[d3f4eac91054b276]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.497] SetEvent (hEvent=0xfc) returned 1 [0273.497] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0273.499] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.499] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x988e757c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x988e757c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xbdc7df00, ftLastWriteTime.dwHighDateTime=0x1d43fda, nFileSizeHigh=0x0, nFileSizeLow=0x883d3)) returned 1 [0273.499] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b893e0 | out: pbBuffer=0x12b893e0) returned 1 [0273.499] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9bd90 | out: pbBuffer=0x12a9bd90) returned 1 [0273.499] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0273.502] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.502] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0273.502] SetEvent (hEvent=0x110) returned 1 [0273.502] SetEvent (hEvent=0xfc) returned 1 [0273.503] ReadFile (in: hFile=0x450, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0273.514] GetFileType (hFile=0x450) returned 0x1 [0273.515] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.515] WriteFile (in: hFile=0x450, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0273.516] GetFileType (hFile=0x450) returned 0x1 [0273.516] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.516] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0273.516] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0273.517] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0273.517] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9be58 | out: pbBuffer=0x12a9be58) returned 1 [0273.517] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0273.517] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.517] WriteFile (in: hFile=0x42c, lpBuffer=0x12c22000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.523] CloseHandle (hObject=0x42c) returned 1 [0273.524] CloseHandle (hObject=0x450) returned 1 [0273.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8390 | out: pbBuffer=0x128e8390) returned 1 [0273.524] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[2F5E24F1DC2E459B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[2f5e24f1dc2e459b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0273.527] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98acf19f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98acf19f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xe42a5200, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x8b615)) returned 1 [0273.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a984a0 | out: pbBuffer=0x12a984a0) returned 1 [0273.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e83d8 | out: pbBuffer=0x128e83d8) returned 1 [0273.527] ReadFile (in: hFile=0x450, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0273.538] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.632] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0273.703] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.244] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.249] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.252] SetEvent (hEvent=0xf4) returned 1 [0274.252] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.257] SetEvent (hEvent=0xf4) returned 1 [0274.257] SetEvent (hEvent=0x19c) returned 1 [0274.257] SwitchToThread () returned 1 [0274.261] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.291] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.335] SetEvent (hEvent=0x19c) returned 1 [0274.335] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0274.336] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.336] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984c4fd2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984c4fd2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xdd034400, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x165552)) returned 1 [0274.336] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0274.336] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0274.336] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.348] GetFileType (hFile=0x458) returned 0x1 [0274.348] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.348] WriteFile (in: hFile=0x458, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0274.349] GetFileType (hFile=0x458) returned 0x1 [0274.349] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.349] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0274.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0274.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0274.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0274.350] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0274.350] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.350] WriteFile (in: hFile=0x44c, lpBuffer=0x12a94500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.356] CloseHandle (hObject=0x44c) returned 1 [0274.366] CloseHandle (hObject=0x458) returned 1 [0274.376] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0274.376] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[4B1C624883EF9626]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[4b1c624883ef9626]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.566] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.590] SetEvent (hEvent=0x19c) returned 1 [0274.590] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0274.591] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.592] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9852435b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9852435b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9cf09100, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x23f73b)) returned 1 [0274.592] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128448e0 | out: pbBuffer=0x128448e0) returned 1 [0274.592] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34220 | out: pbBuffer=0x12c34220) returned 1 [0274.592] ReadFile (in: hFile=0x450, lpBuffer=0x129f6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f6000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.602] GetFileType (hFile=0x450) returned 0x1 [0274.602] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.602] WriteFile (in: hFile=0x450, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0274.603] GetFileType (hFile=0x450) returned 0x1 [0274.603] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0274.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0274.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0274.603] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c342d8 | out: pbBuffer=0x12c342d8) returned 1 [0274.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.604] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.604] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.611] CloseHandle (hObject=0x42c) returned 1 [0274.616] CloseHandle (hObject=0x450) returned 1 [0274.624] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342f0 | out: pbBuffer=0x12c342f0) returned 1 [0274.624] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[2ED757D0A528214E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[2ed757d0a528214e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.766] SetEvent (hEvent=0x104) returned 1 [0274.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.767] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.767] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97837aab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97837aab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97837aab, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1697)) returned 1 [0274.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e960 | out: pbBuffer=0x1280e960) returned 1 [0274.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a810 | out: pbBuffer=0x12a9a810) returned 1 [0274.767] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12829d1c*=0x1697, lpOverlapped=0x0) returned 1 [0274.774] GetFileType (hFile=0x42c) returned 0x1 [0274.774] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.774] WriteFile (in: hFile=0x42c, lpBuffer=0x12a66000*, nNumberOfBytesToWrite=0x1697, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a66000*, lpNumberOfBytesWritten=0x12829d00*=0x1697, lpOverlapped=0x12829d0c) returned 1 [0274.775] GetFileType (hFile=0x42c) returned 0x1 [0274.775] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1697, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0274.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0274.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0274.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a8c8 | out: pbBuffer=0x12a9a8c8) returned 1 [0274.776] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.776] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.776] WriteFile (in: hFile=0x45c, lpBuffer=0x12a76000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.776] CloseHandle (hObject=0x45c) returned 1 [0274.776] CloseHandle (hObject=0x42c) returned 1 [0274.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a8e0 | out: pbBuffer=0x12a9a8e0) returned 1 [0274.777] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[F37C0E3D48E5DE47]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[f37c0e3d48e5de47]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.778] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.779] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.780] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fe91ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97fe91ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97fea554, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xfba)) returned 1 [0274.780] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eb60 | out: pbBuffer=0x1280eb60) returned 1 [0274.780] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a928 | out: pbBuffer=0x12a9a928) returned 1 [0274.780] ReadFile (in: hFile=0x42c, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x12829d1c*=0xfba, lpOverlapped=0x0) returned 1 [0274.786] GetFileType (hFile=0x42c) returned 0x1 [0274.786] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.786] WriteFile (in: hFile=0x42c, lpBuffer=0x12aff000*, nNumberOfBytesToWrite=0xfba, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12aff000*, lpNumberOfBytesWritten=0x12829d00*=0xfba, lpOverlapped=0x12829d0c) returned 1 [0274.786] GetFileType (hFile=0x42c) returned 0x1 [0274.786] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfba, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0274.787] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0274.787] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0274.787] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a9e0 | out: pbBuffer=0x12a9a9e0) returned 1 [0274.787] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.787] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.787] WriteFile (in: hFile=0x45c, lpBuffer=0x12a76500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.788] CloseHandle (hObject=0x45c) returned 1 [0274.788] CloseHandle (hObject=0x42c) returned 1 [0274.788] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a9f8 | out: pbBuffer=0x12a9a9f8) returned 1 [0274.788] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[EEEF9A6A1FC99482]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[eeef9a6a1fc99482]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.789] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.790] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.790] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9776d1cd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9776d1cd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9776d1cd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1093)) returned 1 [0274.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ed60 | out: pbBuffer=0x1280ed60) returned 1 [0274.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aa40 | out: pbBuffer=0x12a9aa40) returned 1 [0274.791] ReadFile (in: hFile=0x42c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12829d1c*=0x1093, lpOverlapped=0x0) returned 1 [0274.796] GetFileType (hFile=0x42c) returned 0x1 [0274.796] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.796] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x1093, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12829d00*=0x1093, lpOverlapped=0x12829d0c) returned 1 [0274.796] GetFileType (hFile=0x42c) returned 0x1 [0274.796] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1093, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0274.797] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0274.797] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0274.797] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9aaf8 | out: pbBuffer=0x12a9aaf8) returned 1 [0274.797] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0274.797] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.797] WriteFile (in: hFile=0x460, lpBuffer=0x12a76a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.798] CloseHandle (hObject=0x460) returned 1 [0274.798] CloseHandle (hObject=0x42c) returned 1 [0274.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ab10 | out: pbBuffer=0x12a9ab10) returned 1 [0274.798] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[FD1EFE56B4B79E1A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[fd1efe56b4b79e1a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.799] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.800] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97706a49, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97706a49, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97707caf, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x41a6)) returned 1 [0274.800] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ef80 | out: pbBuffer=0x1280ef80) returned 1 [0274.800] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ab58 | out: pbBuffer=0x12a9ab58) returned 1 [0274.800] ReadFile (in: hFile=0x42c, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x12829d1c*=0x41a6, lpOverlapped=0x0) returned 1 [0274.805] GetFileType (hFile=0x42c) returned 0x1 [0274.805] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.805] WriteFile (in: hFile=0x42c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x41a6, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12829d00*=0x41a6, lpOverlapped=0x12829d0c) returned 1 [0274.806] GetFileType (hFile=0x42c) returned 0x1 [0274.806] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x41a6, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801481 | out: pbBuffer=0x12801481) returned 1 [0274.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0274.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801681 | out: pbBuffer=0x12801681) returned 1 [0274.807] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ac10 | out: pbBuffer=0x12a9ac10) returned 1 [0274.807] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0274.807] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.807] WriteFile (in: hFile=0x460, lpBuffer=0x12a76f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.807] CloseHandle (hObject=0x460) returned 1 [0274.807] CloseHandle (hObject=0x42c) returned 1 [0274.807] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ac28 | out: pbBuffer=0x12a9ac28) returned 1 [0274.808] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[2E5BD8A6349A4CDE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[2e5bd8a6349a4cde]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.809] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.810] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.810] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97de9b8d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97de9b8d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97deae93, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c74)) returned 1 [0274.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f180 | out: pbBuffer=0x1280f180) returned 1 [0274.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ac70 | out: pbBuffer=0x12a9ac70) returned 1 [0274.810] ReadFile (in: hFile=0x42c, lpBuffer=0x12d64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d64000*, lpNumberOfBytesRead=0x12829d1c*=0x2c74, lpOverlapped=0x0) returned 1 [0274.816] GetFileType (hFile=0x42c) returned 0x1 [0274.816] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.816] WriteFile (in: hFile=0x42c, lpBuffer=0x12ad0000*, nNumberOfBytesToWrite=0x2c74, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12ad0000*, lpNumberOfBytesWritten=0x12829d00*=0x2c74, lpOverlapped=0x12829d0c) returned 1 [0274.817] GetFileType (hFile=0x42c) returned 0x1 [0274.817] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2c74, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801801 | out: pbBuffer=0x12801801) returned 1 [0274.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801901 | out: pbBuffer=0x12801901) returned 1 [0274.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801a01 | out: pbBuffer=0x12801a01) returned 1 [0274.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ad28 | out: pbBuffer=0x12a9ad28) returned 1 [0274.818] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0274.821] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.821] WriteFile (in: hFile=0x460, lpBuffer=0x12a77400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a77400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.822] CloseHandle (hObject=0x460) returned 1 [0274.822] CloseHandle (hObject=0x42c) returned 1 [0274.822] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ad40 | out: pbBuffer=0x12a9ad40) returned 1 [0274.822] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[DE2755B6795481F4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[de2755b6795481f4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.825] SetEvent (hEvent=0x3f8) returned 1 [0274.825] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.826] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98433dab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98433dab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98435131, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1788)) returned 1 [0274.827] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f380 | out: pbBuffer=0x1280f380) returned 1 [0274.828] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ad88 | out: pbBuffer=0x12a9ad88) returned 1 [0274.828] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0274.834] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.834] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0274.834] SetEvent (hEvent=0x110) returned 1 [0274.834] SetEvent (hEvent=0x3f8) returned 1 [0274.834] ReadFile (in: hFile=0x42c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12829d1c*=0x1788, lpOverlapped=0x0) returned 1 [0274.851] GetFileType (hFile=0x42c) returned 0x1 [0274.851] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.851] WriteFile (in: hFile=0x42c, lpBuffer=0x12a67800*, nNumberOfBytesToWrite=0x1788, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a67800*, lpNumberOfBytesWritten=0x12829d00*=0x1788, lpOverlapped=0x12829d0c) returned 1 [0274.851] GetFileType (hFile=0x42c) returned 0x1 [0274.851] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1788, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.852] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b81 | out: pbBuffer=0x12801b81) returned 1 [0274.852] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801c81 | out: pbBuffer=0x12801c81) returned 1 [0274.852] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801d81 | out: pbBuffer=0x12801d81) returned 1 [0274.852] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ae40 | out: pbBuffer=0x12a9ae40) returned 1 [0274.852] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0274.853] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0274.853] WriteFile (in: hFile=0x44c, lpBuffer=0x12a77900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a77900*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.853] CloseHandle (hObject=0x44c) returned 1 [0274.853] CloseHandle (hObject=0x42c) returned 1 [0274.854] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae58 | out: pbBuffer=0x12a9ae58) returned 1 [0274.854] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[21C4F77670DAFA24]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[21c4f77670dafa24]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.967] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0274.977] SetEvent (hEvent=0x19c) returned 1 [0274.977] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0274.978] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0274.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980f6e44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980f6e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980f6e44, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1cca)) returned 1 [0274.979] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0274.979] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0274.979] ReadFile (in: hFile=0x42c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282bd1c*=0x1cca, lpOverlapped=0x0) returned 1 [0274.983] GetFileType (hFile=0x42c) returned 0x1 [0274.983] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0274.983] WriteFile (in: hFile=0x42c, lpBuffer=0x12a7c000*, nNumberOfBytesToWrite=0x1cca, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12a7c000*, lpNumberOfBytesWritten=0x1282bd00*=0x1cca, lpOverlapped=0x1282bd0c) returned 1 [0274.983] GetFileType (hFile=0x42c) returned 0x1 [0274.984] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1cca, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0274.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0274.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0274.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0274.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0274.984] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0274.985] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0274.985] WriteFile (in: hFile=0x44c, lpBuffer=0x12b44000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0274.985] CloseHandle (hObject=0x44c) returned 1 [0274.990] CloseHandle (hObject=0x42c) returned 1 [0274.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0274.994] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[A9CEE7B812EF1478]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[a9cee7b812ef1478]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.135] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0275.144] SetEvent (hEvent=0x19c) returned 1 [0275.144] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0275.145] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0275.145] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983aecac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983aecac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983affea, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1318)) returned 1 [0275.146] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928ba0 | out: pbBuffer=0x12928ba0) returned 1 [0275.146] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ef0 | out: pbBuffer=0x12c34ef0) returned 1 [0275.146] ReadFile (in: hFile=0x42c, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12a5fd1c*=0x1318, lpOverlapped=0x0) returned 1 [0275.150] GetFileType (hFile=0x42c) returned 0x1 [0275.150] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0275.150] WriteFile (in: hFile=0x42c, lpBuffer=0x12902a00*, nNumberOfBytesToWrite=0x1318, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12902a00*, lpNumberOfBytesWritten=0x12a5fd00*=0x1318, lpOverlapped=0x12a5fd0c) returned 1 [0275.151] GetFileType (hFile=0x42c) returned 0x1 [0275.151] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1318, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0275.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0275.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0275.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0275.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34fa8 | out: pbBuffer=0x12c34fa8) returned 1 [0275.152] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.152] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0275.152] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0275.152] CloseHandle (hObject=0x44c) returned 1 [0275.154] CloseHandle (hObject=0x42c) returned 1 [0275.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34fc0 | out: pbBuffer=0x12c34fc0) returned 1 [0275.159] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[264D9C9503D37F10]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[264d9c9503d37f10]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.246] SetEvent (hEvent=0x110) returned 1 [0275.246] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0275.249] SetEvent (hEvent=0x19c) returned 1 [0275.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0275.250] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.250] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9879b688, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9879b688, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9879b688, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1831)) returned 1 [0275.251] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98a20 | out: pbBuffer=0x12a98a20) returned 1 [0275.251] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128490d0 | out: pbBuffer=0x128490d0) returned 1 [0275.251] ReadFile (in: hFile=0x42c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12853d1c*=0x1831, lpOverlapped=0x0) returned 1 [0275.255] GetFileType (hFile=0x42c) returned 0x1 [0275.255] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.255] WriteFile (in: hFile=0x42c, lpBuffer=0x12b7a000*, nNumberOfBytesToWrite=0x1831, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b7a000*, lpNumberOfBytesWritten=0x12853d00*=0x1831, lpOverlapped=0x12853d0c) returned 1 [0275.255] GetFileType (hFile=0x42c) returned 0x1 [0275.256] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1831, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0275.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0275.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0275.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849198 | out: pbBuffer=0x12849198) returned 1 [0275.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.257] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.257] WriteFile (in: hFile=0x44c, lpBuffer=0x12a76a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.257] CloseHandle (hObject=0x44c) returned 1 [0275.259] CloseHandle (hObject=0x42c) returned 1 [0275.267] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128491b0 | out: pbBuffer=0x128491b0) returned 1 [0275.267] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\#_THIS_FILE_IS_ENCRYPTED_[D0105963E0287ED0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\#_this_file_is_encrypted_[d0105963e0287ed0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.424] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851220[[fn=gosttitle]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851220[[fn=gosttitle]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x976cbe5d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x976cbe5d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x976d0c4a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3d498)) returned 1 [0275.425] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851221[[fn=harvardanglia2008officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851221[[fn=harvardanglia2008officeonline]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983d213f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d213f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d4a29, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x456ff)) returned 1 [0275.425] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851220[[fn=gosttitle]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851220[[fn=gosttitle]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0275.426] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.426] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851220[[fn=gosttitle]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851220[[fn=gosttitle]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x976cbe5d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x976cbe5d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x976d0c4a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3d498)) returned 1 [0275.426] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b898c0 | out: pbBuffer=0x12b898c0) returned 1 [0275.426] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9610 | out: pbBuffer=0x128e9610) returned 1 [0275.426] ReadFile (in: hFile=0x42c, lpBuffer=0x12d44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d44000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.444] GetFileType (hFile=0x42c) returned 0x1 [0275.444] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.445] WriteFile (in: hFile=0x42c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0275.446] GetFileType (hFile=0x42c) returned 0x1 [0275.446] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835681 | out: pbBuffer=0x12835681) returned 1 [0275.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835781 | out: pbBuffer=0x12835781) returned 1 [0275.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835881 | out: pbBuffer=0x12835881) returned 1 [0275.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e97d0 | out: pbBuffer=0x128e97d0) returned 1 [0275.447] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851220[[fn=gosttitle]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851220[[fn=gosttitle]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.448] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0275.448] WriteFile (in: hFile=0x45c, lpBuffer=0x12b13900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b13900*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.448] CloseHandle (hObject=0x45c) returned 1 [0275.452] CloseHandle (hObject=0x42c) returned 1 [0275.455] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e97e8 | out: pbBuffer=0x128e97e8) returned 1 [0275.455] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851220[[fn=gosttitle]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851220[[fn=gosttitle]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[1282B118AD5FC15F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[1282b118ad5fc15f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.502] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0275.958] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0276.049] SetEvent (hEvent=0x19c) returned 1 [0276.049] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0276.106] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0276.122] SetEvent (hEvent=0x19c) returned 1 [0276.122] SetEvent (hEvent=0x104) returned 1 [0277.235] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.334] SetEvent (hEvent=0x1d0) returned 1 [0277.364] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x210, buf=0x12bec6c0*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x210, lpOverlapped=0x128e6088) returned 0 [0277.429] SetEvent (hEvent=0x420) returned 1 [0277.444] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.537] SetEvent (hEvent=0x420) returned 1 [0277.537] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.540] SetEvent (hEvent=0x420) returned 1 [0277.540] SetEvent (hEvent=0x3f4) returned 1 [0277.540] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1cd, buf=0x12bec6c0*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x1cd, lpOverlapped=0x128e6088) returned 0 [0277.560] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x401d, buf=0x12bee000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x401d, lpOverlapped=0x128e6088) returned 0 [0277.563] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x401d, buf=0x12bee000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x401d, lpOverlapped=0x128e6088) returned 0 [0277.565] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x3a19, buf=0x12bee000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x3a19, lpOverlapped=0x128e6088) returned 0 [0277.565] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x26, buf=0x12bee000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x26, lpOverlapped=0x128e6088) returned 0 [0277.565] ReadFile (in: hFile=0x42c, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x1282bd1c*=0x5cd3, lpOverlapped=0x0) returned 1 [0277.567] GetFileType (hFile=0x42c) returned 0x1 [0277.567] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0277.568] WriteFile (in: hFile=0x42c, lpBuffer=0x12adc000*, nNumberOfBytesToWrite=0x5cd3, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12adc000*, lpNumberOfBytesWritten=0x1282bd00*=0x5cd3, lpOverlapped=0x1282bd0c) returned 1 [0277.568] GetFileType (hFile=0x42c) returned 0x1 [0277.568] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x5cd3, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0277.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0277.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0277.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0277.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a2f8 | out: pbBuffer=0x12a9a2f8) returned 1 [0277.570] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\bvR3SJZBn0Eg.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\bvr3sjzbn0eg.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.570] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0277.570] WriteFile (in: hFile=0x45c, lpBuffer=0x12a76000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.570] CloseHandle (hObject=0x45c) returned 1 [0277.571] CloseHandle (hObject=0x42c) returned 1 [0277.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a310 | out: pbBuffer=0x12a9a310) returned 1 [0277.571] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\bvR3SJZBn0Eg.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\bvr3sjzbn0eg.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[97961EEE87724ACB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[97961eee87724acb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.573] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\n5m8aNivzz.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\n5m8anivzz.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.574] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0277.574] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\n5m8aNivzz.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\n5m8anivzz.mkv"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3e02490, ftCreationTime.dwHighDateTime=0x1d82962, ftLastAccessTime.dwLowDateTime=0x1aa1aa50, ftLastAccessTime.dwHighDateTime=0x1d82973, ftLastWriteTime.dwLowDateTime=0x1aa1aa50, ftLastWriteTime.dwHighDateTime=0x1d82973, nFileSizeHigh=0x0, nFileSizeLow=0x38f2)) returned 1 [0277.574] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e460 | out: pbBuffer=0x1280e460) returned 1 [0277.574] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a358 | out: pbBuffer=0x12a9a358) returned 1 [0277.574] ReadFile (in: hFile=0x42c, lpBuffer=0x12cf8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf8000*, lpNumberOfBytesRead=0x1282bd1c*=0x38f2, lpOverlapped=0x0) returned 1 [0277.576] GetFileType (hFile=0x42c) returned 0x1 [0277.576] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0277.576] WriteFile (in: hFile=0x42c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x38f2, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x1282bd00*=0x38f2, lpOverlapped=0x1282bd0c) returned 1 [0277.576] GetFileType (hFile=0x42c) returned 0x1 [0277.576] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x38f2, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0277.576] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0277.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0277.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0277.589] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a430 | out: pbBuffer=0x12a9a430) returned 1 [0277.589] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\n5m8aNivzz.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\n5m8anivzz.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.589] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0277.590] WriteFile (in: hFile=0x45c, lpBuffer=0x12a76500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.590] CloseHandle (hObject=0x45c) returned 1 [0277.600] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.626] SetEvent (hEvent=0x3f4) returned 1 [0277.626] CloseHandle (hObject=0x42c) returned 1 [0277.627] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810168 | out: pbBuffer=0x12810168) returned 1 [0277.627] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\n5m8aNivzz.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\n5m8anivzz.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[38224C10F1384F01]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[38224c10f1384f01]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.629] SwitchToThread () returned 1 [0277.665] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.851] SetEvent (hEvent=0x1d0) returned 1 [0277.852] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oAgMN9U_p8BUTqAW1.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\oagmn9u_p8butqaw1.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0277.854] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.854] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oAgMN9U_p8BUTqAW1.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\oagmn9u_p8butqaw1.flv"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f3beba0, ftCreationTime.dwHighDateTime=0x1d82026, ftLastAccessTime.dwLowDateTime=0xdcf2c8d0, ftLastAccessTime.dwHighDateTime=0x1d8292f, ftLastWriteTime.dwLowDateTime=0xdcf2c8d0, ftLastWriteTime.dwHighDateTime=0x1d8292f, nFileSizeHigh=0x0, nFileSizeLow=0x17aa4)) returned 1 [0277.854] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0277.854] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0277.854] ReadFile (in: hFile=0x1a4, lpBuffer=0x12d38000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d38000*, lpNumberOfBytesRead=0x1282fd1c*=0x17aa4, lpOverlapped=0x0) returned 1 [0277.857] GetFileType (hFile=0x1a4) returned 0x1 [0277.857] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.857] WriteFile (in: hFile=0x1a4, lpBuffer=0x12d78000*, nNumberOfBytesToWrite=0x17aa4, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12d78000*, lpNumberOfBytesWritten=0x1282fd00*=0x17aa4, lpOverlapped=0x1282fd0c) returned 1 [0277.858] GetFileType (hFile=0x1a4) returned 0x1 [0277.858] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x17aa4, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.858] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0277.858] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0277.862] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.862] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0277.862] SetEvent (hEvent=0x110) returned 1 [0277.862] SetEvent (hEvent=0x1d0) returned 1 [0277.862] SetEvent (hEvent=0x104) returned 1 [0277.863] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0277.864] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0277.864] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340f0 | out: pbBuffer=0x12c340f0) returned 1 [0277.864] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oAgMN9U_p8BUTqAW1.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\oagmn9u_p8butqaw1.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.864] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.864] WriteFile (in: hFile=0x42c, lpBuffer=0x12a3a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a3a000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.865] CloseHandle (hObject=0x42c) returned 1 [0277.865] CloseHandle (hObject=0x1a4) returned 1 [0277.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34108 | out: pbBuffer=0x12c34108) returned 1 [0277.865] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oAgMN9U_p8BUTqAW1.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\oagmn9u_p8butqaw1.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[051410BE76B9E3E3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[051410be76b9e3e3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.867] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v1Mp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\v1mp.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0277.867] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.867] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v1Mp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\v1mp.docx"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d00b810, ftCreationTime.dwHighDateTime=0x1d82857, ftLastAccessTime.dwLowDateTime=0x2d3de490, ftLastAccessTime.dwHighDateTime=0x1d82990, ftLastWriteTime.dwLowDateTime=0x2d3de490, ftLastWriteTime.dwHighDateTime=0x1d82990, nFileSizeHigh=0x0, nFileSizeLow=0x5f35)) returned 1 [0277.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928220 | out: pbBuffer=0x12928220) returned 1 [0277.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34150 | out: pbBuffer=0x12c34150) returned 1 [0277.868] ReadFile (in: hFile=0x1a4, lpBuffer=0x12d90000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d90000*, lpNumberOfBytesRead=0x1282fd1c*=0x5f35, lpOverlapped=0x0) returned 1 [0277.869] GetFileType (hFile=0x1a4) returned 0x1 [0277.870] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.870] WriteFile (in: hFile=0x1a4, lpBuffer=0x12e68000*, nNumberOfBytesToWrite=0x5f35, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12e68000*, lpNumberOfBytesWritten=0x1282fd00*=0x5f35, lpOverlapped=0x1282fd0c) returned 1 [0277.870] GetFileType (hFile=0x1a4) returned 0x1 [0277.870] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x5f35, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0277.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0277.871] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0277.871] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34208 | out: pbBuffer=0x12c34208) returned 1 [0277.871] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v1Mp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\v1mp.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.871] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.871] WriteFile (in: hFile=0x42c, lpBuffer=0x12a3a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a3a500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.872] CloseHandle (hObject=0x42c) returned 1 [0277.872] CloseHandle (hObject=0x1a4) returned 1 [0277.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34220 | out: pbBuffer=0x12c34220) returned 1 [0277.872] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v1Mp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\v1mp.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[89B1CEA21315B864]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[89b1cea21315b864]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.875] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0277.890] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.890] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0277.892] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0277.892] SetEvent (hEvent=0x3f4) returned 1 [0277.892] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0277.913] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.913] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\x8AKx9IC.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\x8akx9ic.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.914] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.914] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\x8AKx9IC.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\x8akx9ic.mp4"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b55e300, ftCreationTime.dwHighDateTime=0x1d819df, ftLastAccessTime.dwLowDateTime=0x9f180a0, ftLastAccessTime.dwHighDateTime=0x1d824cc, ftLastWriteTime.dwLowDateTime=0x9f180a0, ftLastWriteTime.dwHighDateTime=0x1d824cc, nFileSizeHigh=0x0, nFileSizeLow=0x179f2)) returned 1 [0277.914] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0277.914] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0277.914] ReadFile (in: hFile=0x45c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x1282fd1c*=0x179f2, lpOverlapped=0x0) returned 1 [0277.916] GetFileType (hFile=0x45c) returned 0x1 [0277.917] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.917] WriteFile (in: hFile=0x45c, lpBuffer=0x12dc8000*, nNumberOfBytesToWrite=0x179f2, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12dc8000*, lpNumberOfBytesWritten=0x1282fd00*=0x179f2, lpOverlapped=0x1282fd0c) returned 1 [0277.917] GetFileType (hFile=0x45c) returned 0x1 [0277.917] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x179f2, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0277.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0277.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0277.918] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0277.918] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\x8AKx9IC.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\x8akx9ic.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.918] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.918] WriteFile (in: hFile=0x44c, lpBuffer=0x12a3aa00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a3aa00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.918] CloseHandle (hObject=0x44c) returned 1 [0277.918] CloseHandle (hObject=0x45c) returned 1 [0277.918] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0277.918] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\x8AKx9IC.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\x8akx9ic.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[8D88FA9CC6B2C148]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[8d88fa9cc6b2c148]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.919] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\vBuf95Nf11PMfowkk0S.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\vbuf95nf11pmfowkk0s.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.920] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0277.920] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\vBuf95Nf11PMfowkk0S.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\vbuf95nf11pmfowkk0s.gif"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19174ec0, ftCreationTime.dwHighDateTime=0x1d819e6, ftLastAccessTime.dwLowDateTime=0x39057a30, ftLastAccessTime.dwHighDateTime=0x1d826c6, ftLastWriteTime.dwLowDateTime=0x39057a30, ftLastWriteTime.dwHighDateTime=0x1d826c6, nFileSizeHigh=0x0, nFileSizeLow=0x86b8)) returned 1 [0277.920] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844400 | out: pbBuffer=0x12844400) returned 1 [0277.920] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a130 | out: pbBuffer=0x12a9a130) returned 1 [0277.920] ReadFile (in: hFile=0x45c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12855d1c*=0x86b8, lpOverlapped=0x0) returned 1 [0277.921] GetFileType (hFile=0x45c) returned 0x1 [0277.922] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.922] WriteFile (in: hFile=0x45c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x86b8, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12855d00*=0x86b8, lpOverlapped=0x12855d0c) returned 1 [0277.922] GetFileType (hFile=0x45c) returned 0x1 [0277.922] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x86b8, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0277.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0277.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0277.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a2c8 | out: pbBuffer=0x12a9a2c8) returned 1 [0277.923] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\vBuf95Nf11PMfowkk0S.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\vbuf95nf11pmfowkk0s.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.923] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0277.923] WriteFile (in: hFile=0x44c, lpBuffer=0x12a3af00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a3af00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0277.923] CloseHandle (hObject=0x44c) returned 1 [0277.923] CloseHandle (hObject=0x45c) returned 1 [0277.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2e0 | out: pbBuffer=0x12a9a2e0) returned 1 [0277.923] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\vBuf95Nf11PMfowkk0S.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\vbuf95nf11pmfowkk0s.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[40EB541B75E3D59A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[40eb541b75e3d59a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.924] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ywbUJcs-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ywbujcs-.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.925] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ywbUJcs-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ywbujcs-.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1165b80, ftCreationTime.dwHighDateTime=0x1d81b93, ftLastAccessTime.dwLowDateTime=0xf54b6fc0, ftLastAccessTime.dwHighDateTime=0x1d81e23, ftLastWriteTime.dwLowDateTime=0xf54b6fc0, ftLastWriteTime.dwHighDateTime=0x1d81e23, nFileSizeHigh=0x0, nFileSizeLow=0x1169d)) returned 1 [0277.925] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844640 | out: pbBuffer=0x12844640) returned 1 [0277.925] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a328 | out: pbBuffer=0x12a9a328) returned 1 [0277.925] ReadFile (in: hFile=0x45c, lpBuffer=0x12e40000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e40000*, lpNumberOfBytesRead=0x12a5dd1c*=0x1169d, lpOverlapped=0x0) returned 1 [0277.927] GetFileType (hFile=0x45c) returned 0x1 [0277.927] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.927] WriteFile (in: hFile=0x45c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x1169d, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a5dd00*=0x1169d, lpOverlapped=0x12a5dd0c) returned 1 [0277.927] GetFileType (hFile=0x45c) returned 0x1 [0277.927] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x1169d, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.927] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0277.928] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0277.928] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0277.928] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a400 | out: pbBuffer=0x12a9a400) returned 1 [0277.928] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ywbUJcs-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ywbujcs-.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.928] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.928] WriteFile (in: hFile=0x44c, lpBuffer=0x12a3b400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a3b400*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.928] CloseHandle (hObject=0x44c) returned 1 [0277.928] CloseHandle (hObject=0x45c) returned 1 [0277.928] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a418 | out: pbBuffer=0x12a9a418) returned 1 [0277.928] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ywbUJcs-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ywbujcs-.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[F8E15189218AC332]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[f8e15189218ac332]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.960] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies" (normalized: "c:\\users\\rdhj0cnfevzx\\cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0277.960] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0277.961] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.989] SetEvent (hEvent=0x1d0) returned 1 [0277.990] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0277.994] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\54xbrlNLIF.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\54xbrlnlif.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0277.994] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.994] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\54xbrlNLIF.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\54xbrlnlif.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56380190, ftCreationTime.dwHighDateTime=0x1d8240f, ftLastAccessTime.dwLowDateTime=0x6013a2a0, ftLastAccessTime.dwHighDateTime=0x1d8297d, ftLastWriteTime.dwLowDateTime=0x6013a2a0, ftLastWriteTime.dwHighDateTime=0x1d8297d, nFileSizeHigh=0x0, nFileSizeLow=0x180ed)) returned 1 [0277.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a991c0 | out: pbBuffer=0x12a991c0) returned 1 [0277.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849af0 | out: pbBuffer=0x12849af0) returned 1 [0277.995] ReadFile (in: hFile=0x460, lpBuffer=0x12c90000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c90000*, lpNumberOfBytesRead=0x12a5dd1c*=0x180ed, lpOverlapped=0x0) returned 1 [0277.998] GetFileType (hFile=0x460) returned 0x1 [0277.998] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.998] WriteFile (in: hFile=0x460, lpBuffer=0x129f2000*, nNumberOfBytesToWrite=0x180ed, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x129f2000*, lpNumberOfBytesWritten=0x12a5dd00*=0x180ed, lpOverlapped=0x12a5dd0c) returned 1 [0277.998] GetFileType (hFile=0x460) returned 0x1 [0277.998] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x180ed, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0277.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af81 | out: pbBuffer=0x1286af81) returned 1 [0277.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b101 | out: pbBuffer=0x1286b101) returned 1 [0277.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849ba8 | out: pbBuffer=0x12849ba8) returned 1 [0277.999] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\54xbrlNLIF.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\54xbrlnlif.rtf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0277.999] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.999] WriteFile (in: hFile=0x458, lpBuffer=0x12e72500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12e72500*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.000] CloseHandle (hObject=0x458) returned 1 [0278.003] CloseHandle (hObject=0x460) returned 1 [0278.006] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0278.008] SetEvent (hEvent=0x19c) returned 1 [0278.008] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34278 | out: pbBuffer=0x12c34278) returned 1 [0278.009] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\54xbrlNLIF.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\54xbrlnlif.rtf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[8C80451DA579BF7E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[8c80451da579bf7e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.056] SetEvent (hEvent=0x19c) returned 1 [0278.056] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\OWWkE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\owwke.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0278.057] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.057] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\OWWkE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\owwke.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb26a9d10, ftCreationTime.dwHighDateTime=0x1d82310, ftLastAccessTime.dwLowDateTime=0x208b8480, ftLastAccessTime.dwHighDateTime=0x1d82a0f, ftLastWriteTime.dwLowDateTime=0x208b8480, ftLastWriteTime.dwHighDateTime=0x1d82a0f, nFileSizeHigh=0x0, nFileSizeLow=0xe7ef)) returned 1 [0278.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0278.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0278.057] ReadFile (in: hFile=0x45c, lpBuffer=0x12e30000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e30000*, lpNumberOfBytesRead=0x12a5dd1c*=0xe7ef, lpOverlapped=0x0) returned 1 [0278.059] GetFileType (hFile=0x45c) returned 0x1 [0278.059] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.059] WriteFile (in: hFile=0x45c, lpBuffer=0x12b9e000*, nNumberOfBytesToWrite=0xe7ef, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12b9e000*, lpNumberOfBytesWritten=0x12a5dd00*=0xe7ef, lpOverlapped=0x12a5dd0c) returned 1 [0278.060] GetFileType (hFile=0x45c) returned 0x1 [0278.060] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xe7ef, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0278.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0278.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0278.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0278.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\OWWkE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\owwke.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0278.061] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.061] WriteFile (in: hFile=0x458, lpBuffer=0x12bde500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12bde500*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.061] CloseHandle (hObject=0x458) returned 1 [0278.063] CloseHandle (hObject=0x45c) returned 1 [0278.066] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0278.066] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\OWWkE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\owwke.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[87A420E983CE35E2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[87a420e983ce35e2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.321] SetEvent (hEvent=0x19c) returned 1 [0278.332] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\m1C.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\m1c.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0278.333] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\m1C.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\m1c.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1a2df0, ftCreationTime.dwHighDateTime=0x1d819c0, ftLastAccessTime.dwLowDateTime=0xa946e310, ftLastAccessTime.dwHighDateTime=0x1d8204f, ftLastWriteTime.dwLowDateTime=0xa946e310, ftLastWriteTime.dwHighDateTime=0x1d8204f, nFileSizeHigh=0x0, nFileSizeLow=0xad1)) returned 1 [0278.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928320 | out: pbBuffer=0x12928320) returned 1 [0278.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a58 | out: pbBuffer=0x12848a58) returned 1 [0278.342] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a5dd1c*=0xad1, lpOverlapped=0x0) returned 1 [0278.343] GetFileType (hFile=0x44c) returned 0x1 [0278.343] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.343] WriteFile (in: hFile=0x44c, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0xad1, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12a5dd00*=0xad1, lpOverlapped=0x12a5dd0c) returned 1 [0278.344] GetFileType (hFile=0x44c) returned 0x1 [0278.344] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xad1, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0278.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0278.353] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0278.353] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848b10 | out: pbBuffer=0x12848b10) returned 1 [0278.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\m1C.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\m1c.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.353] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.353] WriteFile (in: hFile=0x42c, lpBuffer=0x12bdea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12bdea00*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.353] CloseHandle (hObject=0x42c) returned 1 [0278.365] CloseHandle (hObject=0x44c) returned 1 [0278.369] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b28 | out: pbBuffer=0x12848b28) returned 1 [0278.369] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\m1C.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\m1c.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[A6DC3E3E8090A994]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[a6dc3e3e8090a994]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8s2al1KhTG563o.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8s2al1khtg563o.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd08daae0, ftCreationTime.dwHighDateTime=0x1d8257b, ftLastAccessTime.dwLowDateTime=0xb6ec1f40, ftLastAccessTime.dwHighDateTime=0x1d829ef, ftLastWriteTime.dwLowDateTime=0xb6ec1f40, ftLastWriteTime.dwHighDateTime=0x1d829ef, nFileSizeHigh=0x0, nFileSizeLow=0x4ef5)) returned 1 [0278.609] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8yIiPY3PM2qXZ.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8yiipy3pm2qxz.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2f00b0, ftCreationTime.dwHighDateTime=0x1d81ad8, ftLastAccessTime.dwLowDateTime=0xaeee07d0, ftLastAccessTime.dwHighDateTime=0x1d82a13, ftLastWriteTime.dwLowDateTime=0xaeee07d0, ftLastWriteTime.dwHighDateTime=0x1d82a13, nFileSizeHigh=0x0, nFileSizeLow=0xa04b)) returned 1 [0278.609] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8s2al1KhTG563o.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8s2al1khtg563o.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0278.610] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.610] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8s2al1KhTG563o.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8s2al1khtg563o.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd08daae0, ftCreationTime.dwHighDateTime=0x1d8257b, ftLastAccessTime.dwLowDateTime=0xb6ec1f40, ftLastAccessTime.dwHighDateTime=0x1d829ef, ftLastWriteTime.dwLowDateTime=0xb6ec1f40, ftLastWriteTime.dwHighDateTime=0x1d829ef, nFileSizeHigh=0x0, nFileSizeLow=0x4ef5)) returned 1 [0278.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98ea0 | out: pbBuffer=0x12a98ea0) returned 1 [0278.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a5c0 | out: pbBuffer=0x12a9a5c0) returned 1 [0278.610] ReadFile (in: hFile=0x44c, lpBuffer=0x12ba6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba6000*, lpNumberOfBytesRead=0x12a5dd1c*=0x4ef5, lpOverlapped=0x0) returned 1 [0278.612] GetFileType (hFile=0x44c) returned 0x1 [0278.612] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.612] WriteFile (in: hFile=0x44c, lpBuffer=0x12e64000*, nNumberOfBytesToWrite=0x4ef5, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12e64000*, lpNumberOfBytesWritten=0x12a5dd00*=0x4ef5, lpOverlapped=0x12a5dd0c) returned 1 [0278.613] GetFileType (hFile=0x44c) returned 0x1 [0278.613] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x4ef5, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0278.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0278.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0278.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a678 | out: pbBuffer=0x12a9a678) returned 1 [0278.613] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8s2al1KhTG563o.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8s2al1khtg563o.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.614] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.614] WriteFile (in: hFile=0x42c, lpBuffer=0x12e72000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12e72000*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.614] CloseHandle (hObject=0x42c) returned 1 [0278.618] CloseHandle (hObject=0x44c) returned 1 [0278.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a690 | out: pbBuffer=0x12a9a690) returned 1 [0278.620] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\8s2al1KhTG563o.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\8s2al1khtg563o.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[510D97D65DB49E60]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[510d97d65db49e60]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.697] SetEvent (hEvent=0xf4) returned 1 [0278.697] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\KudpMCK-wvfm_.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\kudpmck-wvfm_.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0278.698] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.698] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\KudpMCK-wvfm_.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\kudpmck-wvfm_.flv"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x350e8f50, ftCreationTime.dwHighDateTime=0x1d829ac, ftLastAccessTime.dwLowDateTime=0xd8cc7e00, ftLastAccessTime.dwHighDateTime=0x1d829fb, ftLastWriteTime.dwLowDateTime=0xd8cc7e00, ftLastWriteTime.dwHighDateTime=0x1d829fb, nFileSizeHigh=0x0, nFileSizeLow=0xac40)) returned 1 [0278.699] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0278.699] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9af38 | out: pbBuffer=0x12a9af38) returned 1 [0278.699] ReadFile (in: hFile=0x44c, lpBuffer=0x12de2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12de2000*, lpNumberOfBytesRead=0x12a5dd1c*=0xac40, lpOverlapped=0x0) returned 1 [0278.703] GetFileType (hFile=0x44c) returned 0x1 [0278.703] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.704] WriteFile (in: hFile=0x44c, lpBuffer=0x12e02000*, nNumberOfBytesToWrite=0xac40, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12e02000*, lpNumberOfBytesWritten=0x12a5dd00*=0xac40, lpOverlapped=0x12a5dd0c) returned 1 [0278.704] GetFileType (hFile=0x44c) returned 0x1 [0278.704] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xac40, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.704] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0278.704] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801481 | out: pbBuffer=0x12801481) returned 1 [0278.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0278.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9aff0 | out: pbBuffer=0x12a9aff0) returned 1 [0278.705] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\KudpMCK-wvfm_.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\kudpmck-wvfm_.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0278.706] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.706] WriteFile (in: hFile=0x460, lpBuffer=0x12e73400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12e73400*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.706] CloseHandle (hObject=0x460) returned 1 [0278.714] CloseHandle (hObject=0x44c) returned 1 [0278.732] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b048 | out: pbBuffer=0x12a9b048) returned 1 [0278.733] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\KudpMCK-wvfm_.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\kudpmck-wvfm_.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[5DE2FB349B35F91F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[5de2fb349b35f91f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.828] SetEvent (hEvent=0xf4) returned 1 [0278.828] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpScI-7TEgyIuDUZNpN.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\upsci-7tegyiuduznpn.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0278.829] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpScI-7TEgyIuDUZNpN.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\upsci-7tegyiuduznpn.png"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33445370, ftCreationTime.dwHighDateTime=0x1d81b02, ftLastAccessTime.dwLowDateTime=0x53e41800, ftLastAccessTime.dwHighDateTime=0x1d82105, ftLastWriteTime.dwLowDateTime=0x53e41800, ftLastWriteTime.dwHighDateTime=0x1d82105, nFileSizeHigh=0x0, nFileSizeLow=0xe56e)) returned 1 [0278.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ede0 | out: pbBuffer=0x1280ede0) returned 1 [0278.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b3d8 | out: pbBuffer=0x12a9b3d8) returned 1 [0278.829] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0278.832] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0278.832] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0278.832] SetEvent (hEvent=0x110) returned 1 [0278.832] SetEvent (hEvent=0xf4) returned 1 [0278.833] ReadFile (in: hFile=0x460, lpBuffer=0x12d70000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d70000*, lpNumberOfBytesRead=0x12a5dd1c*=0xe56e, lpOverlapped=0x0) returned 1 [0278.835] GetFileType (hFile=0x460) returned 0x1 [0278.835] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.835] WriteFile (in: hFile=0x460, lpBuffer=0x12bc6000*, nNumberOfBytesToWrite=0xe56e, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12bc6000*, lpNumberOfBytesWritten=0x12a5dd00*=0xe56e, lpOverlapped=0x12a5dd0c) returned 1 [0278.836] GetFileType (hFile=0x460) returned 0x1 [0278.836] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xe56e, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0278.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0278.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0278.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0278.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b490 | out: pbBuffer=0x12a9b490) returned 1 [0278.836] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpScI-7TEgyIuDUZNpN.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\upsci-7tegyiuduznpn.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.836] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0278.837] WriteFile (in: hFile=0x42c, lpBuffer=0x128e4a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x128e4a00*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0278.837] CloseHandle (hObject=0x42c) returned 1 [0278.844] CloseHandle (hObject=0x460) returned 1 [0278.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34000 | out: pbBuffer=0x12c34000) returned 1 [0278.847] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpScI-7TEgyIuDUZNpN.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\upsci-7tegyiuduznpn.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[1856EE32C1217161]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[1856ee32c1217161]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0279.108] SetEvent (hEvent=0x19c) returned 1 [0279.108] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2SKrQAol.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2skrqaol.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0279.110] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0279.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2SKrQAol.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2skrqaol.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d5e2e70, ftCreationTime.dwHighDateTime=0x1d81e04, ftLastAccessTime.dwLowDateTime=0xaf72ba0, ftLastAccessTime.dwHighDateTime=0x1d829c0, ftLastWriteTime.dwLowDateTime=0xaf72ba0, ftLastWriteTime.dwHighDateTime=0x1d829c0, nFileSizeHigh=0x0, nFileSizeLow=0x6e6c)) returned 1 [0279.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e940 | out: pbBuffer=0x1280e940) returned 1 [0279.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34390 | out: pbBuffer=0x12c34390) returned 1 [0279.111] ReadFile (in: hFile=0x460, lpBuffer=0x12df0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12df0000*, lpNumberOfBytesRead=0x12a5dd1c*=0x6e6c, lpOverlapped=0x0) returned 1 [0279.112] GetFileType (hFile=0x460) returned 0x1 [0279.113] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0279.113] WriteFile (in: hFile=0x460, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x6e6c, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12a5dd00*=0x6e6c, lpOverlapped=0x12a5dd0c) returned 1 [0279.113] GetFileType (hFile=0x460) returned 0x1 [0279.113] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x6e6c, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0279.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf81 | out: pbBuffer=0x12afcf81) returned 1 [0279.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd081 | out: pbBuffer=0x12afd081) returned 1 [0279.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd181 | out: pbBuffer=0x12afd181) returned 1 [0279.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34448 | out: pbBuffer=0x12c34448) returned 1 [0279.114] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2SKrQAol.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2skrqaol.bmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0279.114] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0279.114] WriteFile (in: hFile=0x42c, lpBuffer=0x128e5400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x128e5400*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0279.115] CloseHandle (hObject=0x42c) returned 1 [0279.118] CloseHandle (hObject=0x460) returned 1 [0279.128] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34460 | out: pbBuffer=0x12c34460) returned 1 [0279.128] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2SKrQAol.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2skrqaol.bmp"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[314259E130E49224]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[314259e130e49224]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0279.441] SetEvent (hEvent=0x110) returned 1 [0279.441] SetEvent (hEvent=0x3f8) returned 1 [0279.441] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\e30J.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e30j.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0279.443] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0279.456] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\e30J.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e30j.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2bc5b20, ftCreationTime.dwHighDateTime=0x1d821b9, ftLastAccessTime.dwLowDateTime=0xfa0b5f80, ftLastAccessTime.dwHighDateTime=0x1d8273c, ftLastWriteTime.dwLowDateTime=0xfa0b5f80, ftLastWriteTime.dwHighDateTime=0x1d8273c, nFileSizeHigh=0x0, nFileSizeLow=0x5a97)) returned 1 [0279.467] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f3a0 | out: pbBuffer=0x1280f3a0) returned 1 [0279.467] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34f08 | out: pbBuffer=0x12c34f08) returned 1 [0279.467] ReadFile (in: hFile=0x460, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12a5dd1c*=0x5a97, lpOverlapped=0x0) returned 1 [0279.468] GetFileType (hFile=0x460) returned 0x1 [0279.468] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0279.469] WriteFile (in: hFile=0x460, lpBuffer=0x12e5a000*, nNumberOfBytesToWrite=0x5a97, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12e5a000*, lpNumberOfBytesWritten=0x12a5dd00*=0x5a97, lpOverlapped=0x12a5dd0c) returned 1 [0279.469] GetFileType (hFile=0x460) returned 0x1 [0279.469] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x5a97, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0279.498] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afdd81 | out: pbBuffer=0x12afdd81) returned 1 [0279.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afde81 | out: pbBuffer=0x12afde81) returned 1 [0279.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afdf81 | out: pbBuffer=0x12afdf81) returned 1 [0280.204] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0280.355] SwitchToThread () returned 1 [0280.395] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0280.721] SetEvent (hEvent=0x3f4) returned 1 [0280.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34000 | out: pbBuffer=0x12c34000) returned 1 [0280.722] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ed3OEBOHI5YM1zXSFg m.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ed3oebohi5ym1zxsfg m.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[8AFEB7567FE3F274]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[8afeb7567fe3f274]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0282.668] SetEvent (hEvent=0x3f4) returned 1 [0282.668] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\uDGO5JU.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\udgo5ju.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0282.669] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0282.669] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\uDGO5JU.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\udgo5ju.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0f7a80, ftCreationTime.dwHighDateTime=0x1d827df, ftLastAccessTime.dwLowDateTime=0x52660710, ftLastAccessTime.dwHighDateTime=0x1d828a6, ftLastWriteTime.dwLowDateTime=0x52660710, ftLastWriteTime.dwHighDateTime=0x1d828a6, nFileSizeHigh=0x0, nFileSizeLow=0xd3ae)) returned 1 [0282.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0282.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128488a0 | out: pbBuffer=0x128488a0) returned 1 [0282.670] ReadFile (in: hFile=0x44c, lpBuffer=0x12b9e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b9e000*, lpNumberOfBytesRead=0x12853d1c*=0xd3ae, lpOverlapped=0x0) returned 1 [0282.672] GetFileType (hFile=0x44c) returned 0x1 [0282.672] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0282.672] WriteFile (in: hFile=0x44c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0xd3ae, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12853d00*=0xd3ae, lpOverlapped=0x12853d0c) returned 1 [0282.673] GetFileType (hFile=0x44c) returned 0x1 [0282.673] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xd3ae, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0282.758] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vUti7rOBpW80TdxP8cY.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vuti7robpw80tdxp8cy.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85694180, ftCreationTime.dwHighDateTime=0x1d82906, ftLastAccessTime.dwLowDateTime=0x8a488980, ftLastAccessTime.dwHighDateTime=0x1d829a2, ftLastWriteTime.dwLowDateTime=0x8a488980, ftLastWriteTime.dwHighDateTime=0x1d829a2, nFileSizeHigh=0x0, nFileSizeLow=0xa5e8)) returned 1 [0283.330] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0283.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0283.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0283.666] SetEvent (hEvent=0x1d0) returned 1 [0283.666] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0283.795] SwitchToThread () returned 1 [0283.814] SetEvent (hEvent=0x104) returned 1 [0283.815] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0283.940] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0283.941] SetEvent (hEvent=0x19c) returned 1 [0283.941] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0283.960] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0283.960] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0284.022] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0284.022] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0284.040] SetEvent (hEvent=0x1d0) returned 1 [0284.041] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0284.058] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0284.058] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\uDGO5JU.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\udgo5ju.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[727387F89C96A05B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[727387f89c96a05b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0284.463] GetFileType (hFile=0x45c) returned 0x1 [0284.464] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0284.464] WriteFile (in: hFile=0x45c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x16318, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12855d00*=0x16318, lpOverlapped=0x12855d0c) returned 1 [0284.465] GetFileType (hFile=0x45c) returned 0x1 [0284.465] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x16318, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0284.580] ReadFile (in: hFile=0x460, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12853d1c*=0xa400, lpOverlapped=0x0) returned 1 [0284.582] GetFileType (hFile=0x460) returned 0x1 [0284.582] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0284.582] WriteFile (in: hFile=0x460, lpBuffer=0x128a8000*, nNumberOfBytesToWrite=0xa400, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x128a8000*, lpNumberOfBytesWritten=0x12853d00*=0xa400, lpOverlapped=0x12853d0c) returned 1 [0284.583] GetFileType (hFile=0x460) returned 0x1 [0284.583] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa400, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0284.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0284.609] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0284.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0284.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483d8 | out: pbBuffer=0x128483d8) returned 1 [0284.639] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\H0wX0.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\h0wx0.doc"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0284.639] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0284.639] WriteFile (in: hFile=0x44c, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0284.640] CloseHandle (hObject=0x44c) returned 1 [0284.640] CloseHandle (hObject=0x460) returned 1 [0284.640] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0284.640] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\H0wX0.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\h0wx0.doc"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[DA12207623939CC2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[da12207623939cc2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0284.658] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0287.926] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0288.856] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.185] SetEvent (hEvent=0x19c) returned 1 [0289.185] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Oy1La6ngv.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oy1la6ngv.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0289.186] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0289.186] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Oy1La6ngv.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oy1la6ngv.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x739f1480, ftCreationTime.dwHighDateTime=0x1d81d89, ftLastAccessTime.dwLowDateTime=0x357dc3f0, ftLastAccessTime.dwHighDateTime=0x1d821ed, ftLastWriteTime.dwLowDateTime=0x357dc3f0, ftLastWriteTime.dwHighDateTime=0x1d821ed, nFileSizeHigh=0x0, nFileSizeLow=0xb2ce)) returned 1 [0289.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844660 | out: pbBuffer=0x12844660) returned 1 [0289.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915428 | out: pbBuffer=0x12915428) returned 1 [0289.187] ReadFile (in: hFile=0x460, lpBuffer=0x12bbe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bbe000*, lpNumberOfBytesRead=0x12855d1c*=0xb2ce, lpOverlapped=0x0) returned 1 [0289.188] GetFileType (hFile=0x460) returned 0x1 [0289.189] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.189] WriteFile (in: hFile=0x460, lpBuffer=0x12bfe000*, nNumberOfBytesToWrite=0xb2ce, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12bfe000*, lpNumberOfBytesWritten=0x12855d00*=0xb2ce, lpOverlapped=0x12855d0c) returned 1 [0289.189] GetFileType (hFile=0x460) returned 0x1 [0289.189] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xb2ce, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0289.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0289.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0289.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129154e0 | out: pbBuffer=0x129154e0) returned 1 [0289.190] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Oy1La6ngv.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oy1la6ngv.pptx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0289.190] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0289.190] WriteFile (in: hFile=0x44c, lpBuffer=0x12c2f400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2f400*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0289.190] CloseHandle (hObject=0x44c) returned 1 [0289.191] CloseHandle (hObject=0x460) returned 1 [0289.192] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129154f8 | out: pbBuffer=0x129154f8) returned 1 [0289.192] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Oy1La6ngv.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oy1la6ngv.pptx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[48CAA76A66FEB903]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[48caa76a66feb903]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0289.196] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Yak2nzyz8-XQrO0Xk7Kp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yak2nzyz8-xqro0xk7kp.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0289.197] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0289.197] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Yak2nzyz8-XQrO0Xk7Kp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yak2nzyz8-xqro0xk7kp.docx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfbeae10, ftCreationTime.dwHighDateTime=0x1d7a0d4, ftLastAccessTime.dwLowDateTime=0xeba003c0, ftLastAccessTime.dwHighDateTime=0x1d7e42e, ftLastWriteTime.dwLowDateTime=0xeba003c0, ftLastWriteTime.dwHighDateTime=0x1d7e42e, nFileSizeHigh=0x0, nFileSizeLow=0x5018)) returned 1 [0289.197] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844880 | out: pbBuffer=0x12844880) returned 1 [0289.197] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915540 | out: pbBuffer=0x12915540) returned 1 [0289.198] ReadFile (in: hFile=0x460, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12855d1c*=0x5018, lpOverlapped=0x0) returned 1 [0289.199] GetFileType (hFile=0x460) returned 0x1 [0289.199] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.200] WriteFile (in: hFile=0x460, lpBuffer=0x1289d500*, nNumberOfBytesToWrite=0x5018, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x1289d500*, lpNumberOfBytesWritten=0x12855d00*=0x5018, lpOverlapped=0x12855d0c) returned 1 [0289.200] GetFileType (hFile=0x460) returned 0x1 [0289.200] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x5018, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.200] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0289.200] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0289.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0289.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129155f8 | out: pbBuffer=0x129155f8) returned 1 [0289.201] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Yak2nzyz8-XQrO0Xk7Kp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yak2nzyz8-xqro0xk7kp.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0289.201] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0289.201] WriteFile (in: hFile=0x44c, lpBuffer=0x12c2f900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2f900*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0289.201] CloseHandle (hObject=0x44c) returned 1 [0289.201] CloseHandle (hObject=0x460) returned 1 [0289.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915610 | out: pbBuffer=0x12915610) returned 1 [0289.201] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Yak2nzyz8-XQrO0Xk7Kp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yak2nzyz8-xqro0xk7kp.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[9ABC533475EAD84C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[9abc533475ead84c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0289.203] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZTOm-.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ztom-.pps"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa711560, ftCreationTime.dwHighDateTime=0x1d8233a, ftLastAccessTime.dwLowDateTime=0xb06b2300, ftLastAccessTime.dwHighDateTime=0x1d82512, ftLastWriteTime.dwLowDateTime=0xb06b2300, ftLastWriteTime.dwHighDateTime=0x1d82512, nFileSizeHigh=0x0, nFileSizeLow=0xb33d)) returned 1 [0289.203] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oMXb5UvMe.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_omxb5uvme.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3958c00, ftCreationTime.dwHighDateTime=0x1d821d8, ftLastAccessTime.dwLowDateTime=0x3af9a3e0, ftLastAccessTime.dwHighDateTime=0x1d821f6, ftLastWriteTime.dwLowDateTime=0x3af9a3e0, ftLastWriteTime.dwHighDateTime=0x1d821f6, nFileSizeHigh=0x0, nFileSizeLow=0xc70c)) returned 1 [0289.203] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZTOm-.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ztom-.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0289.204] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0289.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZTOm-.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ztom-.pps"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa711560, ftCreationTime.dwHighDateTime=0x1d8233a, ftLastAccessTime.dwLowDateTime=0xb06b2300, ftLastAccessTime.dwHighDateTime=0x1d82512, ftLastWriteTime.dwLowDateTime=0xb06b2300, ftLastWriteTime.dwHighDateTime=0x1d82512, nFileSizeHigh=0x0, nFileSizeLow=0xb33d)) returned 1 [0289.204] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844aa0 | out: pbBuffer=0x12844aa0) returned 1 [0289.204] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101e0 | out: pbBuffer=0x128101e0) returned 1 [0289.204] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0289.212] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0289.234] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb20, ulCount=0x10, ulNumEntriesRemoved=0x3307fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb20, ulNumEntriesRemoved=0x3307fb04) returned 0 [0289.234] SetEvent (hEvent=0x110) returned 1 [0289.234] SetEvent (hEvent=0x19c) returned 1 [0289.234] SetEvent (hEvent=0x420) returned 1 [0289.235] ReadFile (in: hFile=0x460, lpBuffer=0x12e20000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12e20000*, lpNumberOfBytesRead=0x12855d1c*=0xb33d, lpOverlapped=0x0) returned 1 [0289.237] GetFileType (hFile=0x460) returned 0x1 [0289.237] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.237] WriteFile (in: hFile=0x460, lpBuffer=0x12e64000*, nNumberOfBytesToWrite=0xb33d, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12e64000*, lpNumberOfBytesWritten=0x12855d00*=0xb33d, lpOverlapped=0x12855d0c) returned 1 [0289.237] GetFileType (hFile=0x460) returned 0x1 [0289.237] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xb33d, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0289.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801601 | out: pbBuffer=0x12801601) returned 1 [0289.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801701 | out: pbBuffer=0x12801701) returned 1 [0289.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102a8 | out: pbBuffer=0x128102a8) returned 1 [0289.238] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZTOm-.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ztom-.pps"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0289.239] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0289.239] WriteFile (in: hFile=0x44c, lpBuffer=0x12b72000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b72000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0289.239] CloseHandle (hObject=0x44c) returned 1 [0289.239] CloseHandle (hObject=0x460) returned 1 [0289.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102c0 | out: pbBuffer=0x128102c0) returned 1 [0289.239] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZTOm-.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ztom-.pps"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[A96B18019A003BB0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[a96b18019a003bb0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0289.241] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oMXb5UvMe.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_omxb5uvme.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0289.242] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0289.242] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oMXb5UvMe.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_omxb5uvme.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3958c00, ftCreationTime.dwHighDateTime=0x1d821d8, ftLastAccessTime.dwLowDateTime=0x3af9a3e0, ftLastAccessTime.dwHighDateTime=0x1d821f6, ftLastWriteTime.dwLowDateTime=0x3af9a3e0, ftLastWriteTime.dwHighDateTime=0x1d821f6, nFileSizeHigh=0x0, nFileSizeLow=0xc70c)) returned 1 [0289.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844ce0 | out: pbBuffer=0x12844ce0) returned 1 [0289.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810308 | out: pbBuffer=0x12810308) returned 1 [0289.243] ReadFile (in: hFile=0x460, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12855d1c*=0xc70c, lpOverlapped=0x0) returned 1 [0289.244] GetFileType (hFile=0x460) returned 0x1 [0289.244] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.244] WriteFile (in: hFile=0x460, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0xc70c, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x12855d00*=0xc70c, lpOverlapped=0x12855d0c) returned 1 [0289.245] GetFileType (hFile=0x460) returned 0x1 [0289.245] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xc70c, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.245] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801901 | out: pbBuffer=0x12801901) returned 1 [0289.245] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801a01 | out: pbBuffer=0x12801a01) returned 1 [0289.245] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b01 | out: pbBuffer=0x12801b01) returned 1 [0289.245] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128103c0 | out: pbBuffer=0x128103c0) returned 1 [0289.245] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oMXb5UvMe.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_omxb5uvme.rtf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0289.246] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0289.246] WriteFile (in: hFile=0x44c, lpBuffer=0x12b72500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b72500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0289.246] CloseHandle (hObject=0x44c) returned 1 [0289.246] CloseHandle (hObject=0x460) returned 1 [0289.246] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103d8 | out: pbBuffer=0x128103d8) returned 1 [0289.246] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oMXb5UvMe.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_omxb5uvme.rtf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[B9B3BC64EFAED3C2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[b9b3bc64efaed3c2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0290.074] SetEvent (hEvent=0x3f8) returned 1 [0290.074] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\1F4nJWJ0P5y.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\1f4njwj0p5y.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0290.075] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0290.075] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\1F4nJWJ0P5y.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\1f4njwj0p5y.docx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dcc8e40, ftCreationTime.dwHighDateTime=0x1d824e8, ftLastAccessTime.dwLowDateTime=0x6d7dd090, ftLastAccessTime.dwHighDateTime=0x1d827b7, ftLastWriteTime.dwLowDateTime=0x6d7dd090, ftLastWriteTime.dwHighDateTime=0x1d827b7, nFileSizeHigh=0x0, nFileSizeLow=0x3382)) returned 1 [0290.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6260 | out: pbBuffer=0x12ac6260) returned 1 [0290.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0290.076] ReadFile (in: hFile=0x460, lpBuffer=0x128ee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x128ee000*, lpNumberOfBytesRead=0x12855d1c*=0x3382, lpOverlapped=0x0) returned 1 [0290.077] GetFileType (hFile=0x460) returned 0x1 [0290.077] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0290.077] WriteFile (in: hFile=0x460, lpBuffer=0x128a8000*, nNumberOfBytesToWrite=0x3382, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x128a8000*, lpNumberOfBytesWritten=0x12855d00*=0x3382, lpOverlapped=0x12855d0c) returned 1 [0290.078] GetFileType (hFile=0x460) returned 0x1 [0290.078] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x3382, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0290.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0290.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0290.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0290.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484b8 | out: pbBuffer=0x128484b8) returned 1 [0290.078] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\1F4nJWJ0P5y.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\1f4njwj0p5y.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0290.078] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0290.079] WriteFile (in: hFile=0x468, lpBuffer=0x12b72f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b72f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0290.079] CloseHandle (hObject=0x468) returned 1 [0290.079] CloseHandle (hObject=0x460) returned 1 [0290.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484d0 | out: pbBuffer=0x128484d0) returned 1 [0290.079] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\1F4nJWJ0P5y.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\1f4njwj0p5y.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\#_THIS_FILE_IS_ENCRYPTED_[EC3B7E343D0646AB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\#_this_file_is_encrypted_[ec3b7e343d0646ab]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0291.257] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0291.590] SetEvent (hEvent=0x1d0) returned 1 [0291.625] SetEvent (hEvent=0x1d0) returned 1 [0291.682] SetEvent (hEvent=0x1d0) returned 1 [0291.682] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0291.778] SetEvent (hEvent=0x1d0) returned 1 [0291.778] SetEvent (hEvent=0x19c) returned 1 [0291.915] WSASend (in: s=0x1a4, lpBuffers=0x12c2e0b4*=((len=0x5d, buf=0x12dbe000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x12c2e0a8, dwFlags=0x0, lpOverlapped=0x12c2e088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x12c2e0a8*=0x5d, lpOverlapped=0x12c2e088) returned 0 [0291.945] WSARecv (in: s=0x1a4, lpBuffers=0x12c2e040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x12c2e034, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014, lpCompletionRoutine=0x0 | out: lpBuffers=0x12c2e040*=((len=0x18a3, buf=0x12afe000)), lpNumberOfBytesRecvd=0x12c2e034*=0x13d3, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014) returned 0xffffffff [0291.945] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0292.109] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0292.343] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0292.636] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0292.956] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0293.005] SetEvent (hEvent=0x454) returned 1 [0293.005] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VhGbFhvbri9alcaNeITl.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vhgbfhvbri9alcaneitl.ots"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ef17480, ftCreationTime.dwHighDateTime=0x1d81fb8, ftLastAccessTime.dwLowDateTime=0x72f0ffc0, ftLastAccessTime.dwHighDateTime=0x1d82032, ftLastWriteTime.dwLowDateTime=0x72f0ffc0, ftLastWriteTime.dwHighDateTime=0x1d82032, nFileSizeHigh=0x0, nFileSizeLow=0x104c6)) returned 1 [0293.008] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0293.109] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0293.125] SetEvent (hEvent=0x454) returned 1 [0293.125] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0293.134] SetEvent (hEvent=0x19c) returned 1 [0293.135] SetEvent (hEvent=0x420) returned 1 [0293.136] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0293.138] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0293.138] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x0 [0293.141] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0293.141] SetEvent (hEvent=0x19c) returned 1 [0293.142] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0293.144] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0293.144] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0294.519] SetEvent (hEvent=0x420) returned 1 [0294.563] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0294.569] SetEvent (hEvent=0x420) returned 1 [0294.569] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0294.578] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0294.632] SetEvent (hEvent=0x420) returned 1 [0294.632] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VUqCu1k65i0E.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vuqcu1k65i0e.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.633] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.633] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VUqCu1k65i0E.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vuqcu1k65i0e.png"), fInfoLevelId=0x0, lpFileInformation=0x12a2dad0 | out: lpFileInformation=0x12a2dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f52bc70, ftCreationTime.dwHighDateTime=0x1d82930, ftLastAccessTime.dwLowDateTime=0xc6320790, ftLastAccessTime.dwHighDateTime=0x1d829d5, ftLastWriteTime.dwLowDateTime=0xc6320790, ftLastWriteTime.dwHighDateTime=0x1d829d5, nFileSizeHigh=0x0, nFileSizeLow=0x8a13)) returned 1 [0294.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0294.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0294.634] ReadFile (in: hFile=0x474, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a2dd1c*=0x8a13, lpOverlapped=0x0) returned 1 [0294.635] GetFileType (hFile=0x474) returned 0x1 [0294.635] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.635] WriteFile (in: hFile=0x474, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x8a13, lpNumberOfBytesWritten=0x12a2dd00, lpOverlapped=0x12a2dd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12a2dd00*=0x8a13, lpOverlapped=0x12a2dd0c) returned 1 [0294.636] GetFileType (hFile=0x474) returned 0x1 [0294.636] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x8a13, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.636] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0294.636] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0294.636] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0294.636] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0e0 | out: pbBuffer=0x12a9a0e0) returned 1 [0294.636] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VUqCu1k65i0E.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vuqcu1k65i0e.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0294.637] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.637] WriteFile (in: hFile=0x45c, lpBuffer=0x12a66500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a66500*, lpNumberOfBytesWritten=0x12a2dd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.637] CloseHandle (hObject=0x45c) returned 1 [0294.648] CloseHandle (hObject=0x474) returned 1 [0294.650] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0f8 | out: pbBuffer=0x12a9a0f8) returned 1 [0294.650] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VUqCu1k65i0E.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vuqcu1k65i0e.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[3424198C593AF3A3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[3424198c593af3a3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.745] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\O9fHKNinOZ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\o9fhkninoz.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.746] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.746] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\O9fHKNinOZ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\o9fhkninoz.png"), fInfoLevelId=0x0, lpFileInformation=0x12a2dad0 | out: lpFileInformation=0x12a2dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19eb5fd0, ftCreationTime.dwHighDateTime=0x1d81f45, ftLastAccessTime.dwLowDateTime=0xcc5e3650, ftLastAccessTime.dwHighDateTime=0x1d823ec, ftLastWriteTime.dwLowDateTime=0xcc5e3650, ftLastWriteTime.dwHighDateTime=0x1d823ec, nFileSizeHigh=0x0, nFileSizeLow=0x18c35)) returned 1 [0294.747] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0294.747] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10be0 | out: pbBuffer=0x12b10be0) returned 1 [0294.747] ReadFile (in: hFile=0x474, lpBuffer=0x12b9e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b9e000*, lpNumberOfBytesRead=0x12a2dd1c*=0x18c35, lpOverlapped=0x0) returned 1 [0294.749] GetFileType (hFile=0x474) returned 0x1 [0294.749] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.750] WriteFile (in: hFile=0x474, lpBuffer=0x12bde000*, nNumberOfBytesToWrite=0x18c35, lpNumberOfBytesWritten=0x12a2dd00, lpOverlapped=0x12a2dd0c | out: lpBuffer=0x12bde000*, lpNumberOfBytesWritten=0x12a2dd00*=0x18c35, lpOverlapped=0x12a2dd0c) returned 1 [0294.750] GetFileType (hFile=0x474) returned 0x1 [0294.750] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x18c35, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0294.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0294.751] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0294.751] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b10c98 | out: pbBuffer=0x12b10c98) returned 1 [0294.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\O9fHKNinOZ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\o9fhkninoz.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.751] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.751] WriteFile (in: hFile=0x468, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a2dd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.751] CloseHandle (hObject=0x468) returned 1 [0294.758] CloseHandle (hObject=0x474) returned 1 [0294.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10cb0 | out: pbBuffer=0x12b10cb0) returned 1 [0294.764] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\O9fHKNinOZ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\o9fhkninoz.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\#_THIS_FILE_IS_ENCRYPTED_[75B2DDE941A529B9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\#_this_file_is_encrypted_[75b2dde941a529b9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.836] SetEvent (hEvent=0x420) returned 1 [0294.836] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\TqX2LJia.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\tqx2ljia.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.837] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.837] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\TqX2LJia.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\tqx2ljia.png"), fInfoLevelId=0x0, lpFileInformation=0x12a2dad0 | out: lpFileInformation=0x12a2dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b383240, ftCreationTime.dwHighDateTime=0x1d8207d, ftLastAccessTime.dwLowDateTime=0xd2e450f0, ftLastAccessTime.dwHighDateTime=0x1d828f0, ftLastWriteTime.dwLowDateTime=0xd2e450f0, ftLastWriteTime.dwHighDateTime=0x1d828f0, nFileSizeHigh=0x0, nFileSizeLow=0x14ab3)) returned 1 [0294.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6960 | out: pbBuffer=0x12ac6960) returned 1 [0294.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b102b0 | out: pbBuffer=0x12b102b0) returned 1 [0294.837] ReadFile (in: hFile=0x474, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a2dd1c*=0x14ab3, lpOverlapped=0x0) returned 1 [0294.839] GetFileType (hFile=0x474) returned 0x1 [0294.839] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.840] WriteFile (in: hFile=0x474, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x14ab3, lpNumberOfBytesWritten=0x12a2dd00, lpOverlapped=0x12a2dd0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12a2dd00*=0x14ab3, lpOverlapped=0x12a2dd0c) returned 1 [0294.840] GetFileType (hFile=0x474) returned 0x1 [0294.840] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x14ab3, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.840] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0294.840] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0294.840] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0294.841] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b10368 | out: pbBuffer=0x12b10368) returned 1 [0294.841] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\TqX2LJia.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\tqx2ljia.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.841] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.841] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a2dd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.841] CloseHandle (hObject=0x470) returned 1 [0294.860] CloseHandle (hObject=0x474) returned 1 [0294.863] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10380 | out: pbBuffer=0x12b10380) returned 1 [0294.863] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\TqX2LJia.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\tqx2ljia.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\#_THIS_FILE_IS_ENCRYPTED_[AD69C79EFDE7EB08]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\#_this_file_is_encrypted_[ad69c79efde7eb08]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.935] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\zZX7A-L 6x.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\zzx7a-l 6x.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.937] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.937] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\zZX7A-L 6x.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\zzx7a-l 6x.gif"), fInfoLevelId=0x0, lpFileInformation=0x12a2dad0 | out: lpFileInformation=0x12a2dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23db91e0, ftCreationTime.dwHighDateTime=0x1d82314, ftLastAccessTime.dwLowDateTime=0xe0d32230, ftLastAccessTime.dwHighDateTime=0x1d8244b, ftLastWriteTime.dwLowDateTime=0xe0d32230, ftLastWriteTime.dwHighDateTime=0x1d8244b, nFileSizeHigh=0x0, nFileSizeLow=0x5c97)) returned 1 [0294.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929640 | out: pbBuffer=0x12929640) returned 1 [0294.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849e50 | out: pbBuffer=0x12849e50) returned 1 [0294.937] ReadFile (in: hFile=0x470, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12a2dd1c*=0x5c97, lpOverlapped=0x0) returned 1 [0294.939] GetFileType (hFile=0x470) returned 0x1 [0294.939] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.939] WriteFile (in: hFile=0x470, lpBuffer=0x12e58000*, nNumberOfBytesToWrite=0x5c97, lpNumberOfBytesWritten=0x12a2dd00, lpOverlapped=0x12a2dd0c | out: lpBuffer=0x12e58000*, lpNumberOfBytesWritten=0x12a2dd00*=0x5c97, lpOverlapped=0x12a2dd0c) returned 1 [0294.940] GetFileType (hFile=0x470) returned 0x1 [0294.940] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x5c97, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.940] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af01 | out: pbBuffer=0x1286af01) returned 1 [0294.940] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b081 | out: pbBuffer=0x1286b081) returned 1 [0294.940] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b181 | out: pbBuffer=0x1286b181) returned 1 [0294.940] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849f08 | out: pbBuffer=0x12849f08) returned 1 [0294.940] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\zZX7A-L 6x.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\zzx7a-l 6x.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.941] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.941] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac3400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac3400*, lpNumberOfBytesWritten=0x12a2dd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.941] CloseHandle (hObject=0x44c) returned 1 [0294.950] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0294.963] SetEvent (hEvent=0xfc) returned 1 [0294.963] CloseHandle (hObject=0x470) returned 1 [0294.963] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae28 | out: pbBuffer=0x12a9ae28) returned 1 [0294.964] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\zZX7A-L 6x.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\zzx7a-l 6x.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\#_THIS_FILE_IS_ENCRYPTED_[5677A74951E118D9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\#_this_file_is_encrypted_[5677a74951e118d9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.966] SetEvent (hEvent=0x1d0) returned 1 [0294.966] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.080] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.284] SetEvent (hEvent=0xf4) returned 1 [0295.284] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood" (normalized: "c:\\users\\rdhj0cnfevzx\\printhood"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.285] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood" (normalized: "c:\\users\\rdhj0cnfevzx\\printhood"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x470 [0295.285] GetFileInformationByHandle (in: hFile=0x470, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0295.285] GetFileInformationByHandleEx (in: hFile=0x470, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0295.285] CloseHandle (hObject=0x470) returned 1 [0295.286] SetEvent (hEvent=0x19c) returned 1 [0295.286] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0295.289] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.289] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0295.313] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.313] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0295.321] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.322] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0295.328] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.328] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3307fb28, ulCount=0x10, ulNumEntriesRemoved=0x3307fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3307fb28, ulNumEntriesRemoved=0x3307fb0c) returned 0 [0295.328] SetEvent (hEvent=0x110) returned 1 [0295.329] SetEvent (hEvent=0x19c) returned 1 [0295.329] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0x1) returned 0x102 [0295.337] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.337] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood" (normalized: "c:\\users\\rdhj0cnfevzx\\printhood"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.337] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.337] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo" (normalized: "c:\\users\\rdhj0cnfevzx\\sendto"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.338] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo" (normalized: "c:\\users\\rdhj0cnfevzx\\sendto"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x470 [0295.338] GetFileInformationByHandle (in: hFile=0x470, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0295.338] GetFileInformationByHandleEx (in: hFile=0x470, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0295.338] CloseHandle (hObject=0x470) returned 1 [0295.338] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu" (normalized: "c:\\users\\rdhj0cnfevzx\\start menu"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.339] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu" (normalized: "c:\\users\\rdhj0cnfevzx\\start menu"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x470 [0295.339] GetFileInformationByHandle (in: hFile=0x470, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0295.339] GetFileInformationByHandleEx (in: hFile=0x470, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0295.339] CloseHandle (hObject=0x470) returned 1 [0295.339] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo" (normalized: "c:\\users\\rdhj0cnfevzx\\sendto"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.339] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.339] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu" (normalized: "c:\\users\\rdhj0cnfevzx\\start menu"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.340] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.340] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates" (normalized: "c:\\users\\rdhj0cnfevzx\\templates"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.340] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates" (normalized: "c:\\users\\rdhj0cnfevzx\\templates"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x470 [0295.340] GetFileInformationByHandle (in: hFile=0x470, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0295.340] GetFileInformationByHandleEx (in: hFile=0x470, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0295.340] CloseHandle (hObject=0x470) returned 1 [0295.340] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos" (normalized: "c:\\users\\rdhj0cnfevzx\\videos"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf5346139, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf5346139, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0295.341] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos" (normalized: "c:\\users\\rdhj0cnfevzx\\videos"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.341] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf5346139, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf5346139, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbef938 [0295.341] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf5346139, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf5346139, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.341] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eb2fe0, ftCreationTime.dwHighDateTime=0x1d82906, ftLastAccessTime.dwLowDateTime=0xf6f5c010, ftLastAccessTime.dwHighDateTime=0x1d82976, ftLastWriteTime.dwLowDateTime=0xf6f5c010, ftLastWriteTime.dwHighDateTime=0x1d82976, nFileSizeHigh=0x0, nFileSizeLow=0xce8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="3Tqc-F0pW6OZVj3_KOs.mp4", cAlternateFileName="3TQC-F~1.MP4")) returned 1 [0295.341] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf631bf50, ftCreationTime.dwHighDateTime=0x1d821cc, ftLastAccessTime.dwLowDateTime=0xa7277900, ftLastAccessTime.dwHighDateTime=0x1d82964, ftLastWriteTime.dwLowDateTime=0xa7277900, ftLastWriteTime.dwHighDateTime=0x1d82964, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8wexVd_7SxK-e-as26h", cAlternateFileName="8WEXVD~1")) returned 1 [0295.341] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xace5f7b0, ftCreationTime.dwHighDateTime=0x1d829a3, ftLastAccessTime.dwLowDateTime=0x57eb2100, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0x57eb2100, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0x17d40, dwReserved0=0x0, dwReserved1=0x0, cFileName="C-Td6BoJlGSuvc9.swf", cAlternateFileName="C-TD6B~1.SWF")) returned 1 [0295.341] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4347fe61, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0295.342] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf446eb0, ftCreationTime.dwHighDateTime=0x1d828e7, ftLastAccessTime.dwLowDateTime=0xa7ba4480, ftLastAccessTime.dwHighDateTime=0x1d829a3, ftLastWriteTime.dwLowDateTime=0xa7ba4480, ftLastWriteTime.dwHighDateTime=0x1d829a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EwSKEl0EKP4l", cAlternateFileName="EWSKEL~1")) returned 1 [0295.342] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab5f3760, ftCreationTime.dwHighDateTime=0x1d81b4f, ftLastAccessTime.dwLowDateTime=0x8cc2d380, ftLastAccessTime.dwHighDateTime=0x1d8251c, ftLastWriteTime.dwLowDateTime=0x8cc2d380, ftLastWriteTime.dwHighDateTime=0x1d8251c, nFileSizeHigh=0x0, nFileSizeLow=0x4626, dwReserved0=0x0, dwReserved1=0x0, cFileName="FH3bzmgXz4C.mkv", cAlternateFileName="FH3BZM~1.MKV")) returned 1 [0295.342] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbcffec0, ftCreationTime.dwHighDateTime=0x1d82581, ftLastAccessTime.dwLowDateTime=0x518ef540, ftLastAccessTime.dwHighDateTime=0x1d828d8, ftLastWriteTime.dwLowDateTime=0x518ef540, ftLastWriteTime.dwHighDateTime=0x1d828d8, nFileSizeHigh=0x0, nFileSizeLow=0x16a63, dwReserved0=0x0, dwReserved1=0x0, cFileName="HXYDrWyAqkC7.mkv", cAlternateFileName="HXYDRW~1.MKV")) returned 1 [0295.342] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7d8e570, ftCreationTime.dwHighDateTime=0x1d81a12, ftLastAccessTime.dwLowDateTime=0x57e1f730, ftLastAccessTime.dwHighDateTime=0x1d825b3, ftLastWriteTime.dwLowDateTime=0x57e1f730, ftLastWriteTime.dwHighDateTime=0x1d825b3, nFileSizeHigh=0x0, nFileSizeLow=0x36c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="MLyhukKzoWAepx.avi", cAlternateFileName="MLYHUK~1.AVI")) returned 1 [0295.342] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7017eb0, ftCreationTime.dwHighDateTime=0x1d82984, ftLastAccessTime.dwLowDateTime=0xb9e762e0, ftLastAccessTime.dwHighDateTime=0x1d829b8, ftLastWriteTime.dwLowDateTime=0xb9e762e0, ftLastWriteTime.dwHighDateTime=0x1d829b8, nFileSizeHigh=0x0, nFileSizeLow=0x169b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="R- yMEn8xMS5Z0vnIX0M.flv", cAlternateFileName="R-YMEN~1.FLV")) returned 1 [0295.342] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.342] FindClose (in: hFindFile=0xbef938 | out: hFindFile=0xbef938) returned 1 [0295.342] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.342] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.342] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.343] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0295.343] WriteFile (in: hFile=0x470, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0295.345] CloseHandle (hObject=0x470) returned 1 [0295.345] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\3Tqc-F0pW6OZVj3_KOs.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\3tqc-f0pw6ozvj3_kos.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eb2fe0, ftCreationTime.dwHighDateTime=0x1d82906, ftLastAccessTime.dwLowDateTime=0xf6f5c010, ftLastAccessTime.dwHighDateTime=0x1d82976, ftLastWriteTime.dwLowDateTime=0xf6f5c010, ftLastWriteTime.dwHighDateTime=0x1d82976, nFileSizeHigh=0x0, nFileSizeLow=0xce8f)) returned 1 [0295.345] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates" (normalized: "c:\\users\\rdhj0cnfevzx\\templates"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.346] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.346] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\3Tqc-F0pW6OZVj3_KOs.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\3tqc-f0pw6ozvj3_kos.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.346] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.347] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\3Tqc-F0pW6OZVj3_KOs.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\3tqc-f0pw6ozvj3_kos.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eb2fe0, ftCreationTime.dwHighDateTime=0x1d82906, ftLastAccessTime.dwLowDateTime=0xf6f5c010, ftLastAccessTime.dwHighDateTime=0x1d82976, ftLastWriteTime.dwLowDateTime=0xf6f5c010, ftLastWriteTime.dwHighDateTime=0x1d82976, nFileSizeHigh=0x0, nFileSizeLow=0xce8f)) returned 1 [0295.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7340 | out: pbBuffer=0x12ac7340) returned 1 [0295.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b11468 | out: pbBuffer=0x12b11468) returned 1 [0295.347] ReadFile (in: hFile=0x470, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12a2bd1c*=0xce8f, lpOverlapped=0x0) returned 1 [0295.349] GetFileType (hFile=0x470) returned 0x1 [0295.349] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.349] WriteFile (in: hFile=0x470, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0xce8f, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a2bd00*=0xce8f, lpOverlapped=0x12a2bd0c) returned 1 [0295.350] GetFileType (hFile=0x470) returned 0x1 [0295.350] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xce8f, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0295.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0295.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0295.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b11520 | out: pbBuffer=0x12b11520) returned 1 [0295.351] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\3Tqc-F0pW6OZVj3_KOs.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\3tqc-f0pw6ozvj3_kos.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.351] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.351] WriteFile (in: hFile=0x468, lpBuffer=0x12a6a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6a500*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.352] CloseHandle (hObject=0x468) returned 1 [0295.352] CloseHandle (hObject=0x470) returned 1 [0295.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b11538 | out: pbBuffer=0x12b11538) returned 1 [0295.352] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\3Tqc-F0pW6OZVj3_KOs.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\3tqc-f0pw6ozvj3_kos.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\#_THIS_FILE_IS_ENCRYPTED_[22E46146F6075907]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\#_this_file_is_encrypted_[22e46146f6075907]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.354] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf631bf50, ftCreationTime.dwHighDateTime=0x1d821cc, ftLastAccessTime.dwLowDateTime=0xa7277900, ftLastAccessTime.dwHighDateTime=0x1d82964, ftLastWriteTime.dwLowDateTime=0xa7277900, ftLastWriteTime.dwHighDateTime=0x1d82964, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0295.354] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.354] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf631bf50, ftCreationTime.dwHighDateTime=0x1d821cc, ftLastAccessTime.dwLowDateTime=0xa7277900, ftLastAccessTime.dwHighDateTime=0x1d82964, ftLastWriteTime.dwLowDateTime=0xa7277900, ftLastWriteTime.dwHighDateTime=0x1d82964, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0295.354] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf631bf50, ftCreationTime.dwHighDateTime=0x1d821cc, ftLastAccessTime.dwLowDateTime=0xa7277900, ftLastAccessTime.dwHighDateTime=0x1d82964, ftLastWriteTime.dwLowDateTime=0xa7277900, ftLastWriteTime.dwHighDateTime=0x1d82964, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.354] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc846030, ftCreationTime.dwHighDateTime=0x1d82125, ftLastAccessTime.dwLowDateTime=0xc32f7990, ftLastAccessTime.dwHighDateTime=0x1d8247d, ftLastWriteTime.dwLowDateTime=0xc32f7990, ftLastWriteTime.dwHighDateTime=0x1d8247d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="D4qc7P", cAlternateFileName="")) returned 1 [0295.354] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824c8360, ftCreationTime.dwHighDateTime=0x1d81b6c, ftLastAccessTime.dwLowDateTime=0x722864f0, ftLastAccessTime.dwHighDateTime=0x1d8274b, ftLastWriteTime.dwLowDateTime=0x722864f0, ftLastWriteTime.dwHighDateTime=0x1d8274b, nFileSizeHigh=0x0, nFileSizeLow=0x159d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="fYzIaG IKDN5QJud404V.avi", cAlternateFileName="FYZIAG~1.AVI")) returned 1 [0295.354] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b89a100, ftCreationTime.dwHighDateTime=0x1d82463, ftLastAccessTime.dwLowDateTime=0xba75a9b0, ftLastAccessTime.dwHighDateTime=0x1d82495, ftLastWriteTime.dwLowDateTime=0xba75a9b0, ftLastWriteTime.dwHighDateTime=0x1d82495, nFileSizeHigh=0x0, nFileSizeLow=0x9b7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="hb3lLJEau DoZzoV_lZ0.mkv", cAlternateFileName="HB3LLJ~1.MKV")) returned 1 [0295.354] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6f8a900, ftCreationTime.dwHighDateTime=0x1d82783, ftLastAccessTime.dwLowDateTime=0x7566e300, ftLastAccessTime.dwHighDateTime=0x1d8294c, ftLastWriteTime.dwLowDateTime=0x7566e300, ftLastWriteTime.dwHighDateTime=0x1d8294c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oE8eH2ULzb", cAlternateFileName="OE8EH2~1")) returned 1 [0295.354] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc338e250, ftCreationTime.dwHighDateTime=0x1d81f41, ftLastAccessTime.dwLowDateTime=0x5f3ca8d0, ftLastAccessTime.dwHighDateTime=0x1d828a7, ftLastWriteTime.dwLowDateTime=0x5f3ca8d0, ftLastWriteTime.dwHighDateTime=0x1d828a7, nFileSizeHigh=0x0, nFileSizeLow=0x183a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="WU3RCvcI 3_paA2c.mp4", cAlternateFileName="WU3RCV~1.MP4")) returned 1 [0295.355] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.355] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0295.355] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.355] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.355] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.356] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0295.356] WriteFile (in: hFile=0x470, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0295.358] CloseHandle (hObject=0x470) returned 1 [0295.358] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc846030, ftCreationTime.dwHighDateTime=0x1d82125, ftLastAccessTime.dwLowDateTime=0xc32f7990, ftLastAccessTime.dwHighDateTime=0x1d8247d, ftLastWriteTime.dwLowDateTime=0xc32f7990, ftLastWriteTime.dwHighDateTime=0x1d8247d, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0295.358] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.358] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc846030, ftCreationTime.dwHighDateTime=0x1d82125, ftLastAccessTime.dwLowDateTime=0xc32f7990, ftLastAccessTime.dwHighDateTime=0x1d8247d, ftLastWriteTime.dwLowDateTime=0xc32f7990, ftLastWriteTime.dwHighDateTime=0x1d8247d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefb38 [0295.358] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc846030, ftCreationTime.dwHighDateTime=0x1d82125, ftLastAccessTime.dwLowDateTime=0xc32f7990, ftLastAccessTime.dwHighDateTime=0x1d8247d, ftLastWriteTime.dwLowDateTime=0xc32f7990, ftLastWriteTime.dwHighDateTime=0x1d8247d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.358] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d50e890, ftCreationTime.dwHighDateTime=0x1d81bdb, ftLastAccessTime.dwLowDateTime=0x24d13b10, ftLastAccessTime.dwHighDateTime=0x1d8260a, ftLastWriteTime.dwLowDateTime=0x24d13b10, ftLastWriteTime.dwHighDateTime=0x1d8260a, nFileSizeHigh=0x0, nFileSizeLow=0xfcf, dwReserved0=0x0, dwReserved1=0x0, cFileName="2rsKy_BL.swf", cAlternateFileName="")) returned 1 [0295.359] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfe7b8d0, ftCreationTime.dwHighDateTime=0x1d82308, ftLastAccessTime.dwLowDateTime=0x71e690d0, ftLastAccessTime.dwHighDateTime=0x1d827d6, ftLastWriteTime.dwLowDateTime=0x71e690d0, ftLastWriteTime.dwHighDateTime=0x1d827d6, nFileSizeHigh=0x0, nFileSizeLow=0x12aeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="9IXWiaXsXL3wWUddS.flv", cAlternateFileName="9IXWIA~1.FLV")) returned 1 [0295.359] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92a37800, ftCreationTime.dwHighDateTime=0x1d8258e, ftLastAccessTime.dwLowDateTime=0xcb7db2d0, ftLastAccessTime.dwHighDateTime=0x1d82688, ftLastWriteTime.dwLowDateTime=0xcb7db2d0, ftLastWriteTime.dwHighDateTime=0x1d82688, nFileSizeHigh=0x0, nFileSizeLow=0x50b, dwReserved0=0x0, dwReserved1=0x0, cFileName="N9DS8B65_.swf", cAlternateFileName="N9DS8B~1.SWF")) returned 1 [0295.359] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf7776c0, ftCreationTime.dwHighDateTime=0x1d81e3f, ftLastAccessTime.dwLowDateTime=0x8f4d5780, ftLastAccessTime.dwHighDateTime=0x1d827a4, ftLastWriteTime.dwLowDateTime=0x8f4d5780, ftLastWriteTime.dwHighDateTime=0x1d827a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qGjg", cAlternateFileName="")) returned 1 [0295.359] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5116540, ftCreationTime.dwHighDateTime=0x1d81e29, ftLastAccessTime.dwLowDateTime=0x979dca50, ftLastAccessTime.dwHighDateTime=0x1d82051, ftLastWriteTime.dwLowDateTime=0x979dca50, ftLastWriteTime.dwHighDateTime=0x1d82051, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qMxUAz dkUsN0xXlyTcs", cAlternateFileName="QMXUAZ~1")) returned 1 [0295.359] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.359] FindClose (in: hFindFile=0xbefb38 | out: hFindFile=0xbefb38) returned 1 [0295.359] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.359] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.360] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.360] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0295.361] WriteFile (in: hFile=0x470, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0295.362] CloseHandle (hObject=0x470) returned 1 [0295.362] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\2rsKy_BL.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\2rsky_bl.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d50e890, ftCreationTime.dwHighDateTime=0x1d81bdb, ftLastAccessTime.dwLowDateTime=0x24d13b10, ftLastAccessTime.dwHighDateTime=0x1d8260a, ftLastWriteTime.dwLowDateTime=0x24d13b10, ftLastWriteTime.dwHighDateTime=0x1d8260a, nFileSizeHigh=0x0, nFileSizeLow=0xfcf)) returned 1 [0295.363] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\9IXWiaXsXL3wWUddS.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\9ixwiaxsxl3wwudds.flv"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfe7b8d0, ftCreationTime.dwHighDateTime=0x1d82308, ftLastAccessTime.dwLowDateTime=0x71e690d0, ftLastAccessTime.dwHighDateTime=0x1d827d6, ftLastWriteTime.dwLowDateTime=0x71e690d0, ftLastWriteTime.dwHighDateTime=0x1d827d6, nFileSizeHigh=0x0, nFileSizeLow=0x12aeb)) returned 1 [0295.363] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\2rsKy_BL.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\2rsky_bl.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.364] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.364] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\2rsKy_BL.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\2rsky_bl.swf"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d50e890, ftCreationTime.dwHighDateTime=0x1d81bdb, ftLastAccessTime.dwLowDateTime=0x24d13b10, ftLastAccessTime.dwHighDateTime=0x1d8260a, ftLastWriteTime.dwLowDateTime=0x24d13b10, ftLastWriteTime.dwHighDateTime=0x1d8260a, nFileSizeHigh=0x0, nFileSizeLow=0xfcf)) returned 1 [0295.364] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7c00 | out: pbBuffer=0x12ac7c00) returned 1 [0295.364] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b11e60 | out: pbBuffer=0x12b11e60) returned 1 [0295.364] ReadFile (in: hFile=0x470, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a2bd1c*=0xfcf, lpOverlapped=0x0) returned 1 [0295.365] GetFileType (hFile=0x470) returned 0x1 [0295.365] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.366] WriteFile (in: hFile=0x470, lpBuffer=0x128b2000*, nNumberOfBytesToWrite=0xfcf, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x128b2000*, lpNumberOfBytesWritten=0x12a2bd00*=0xfcf, lpOverlapped=0x12a2bd0c) returned 1 [0295.366] GetFileType (hFile=0x470) returned 0x1 [0295.366] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfcf, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.366] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0295.366] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0295.366] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0295.367] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b11f18 | out: pbBuffer=0x12b11f18) returned 1 [0295.367] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\2rsKy_BL.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\2rsky_bl.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.367] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.367] WriteFile (in: hFile=0x468, lpBuffer=0x12a6aa00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6aa00*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.367] CloseHandle (hObject=0x468) returned 1 [0295.368] CloseHandle (hObject=0x470) returned 1 [0295.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b11f30 | out: pbBuffer=0x12b11f30) returned 1 [0295.368] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\2rsKy_BL.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\2rsky_bl.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\#_THIS_FILE_IS_ENCRYPTED_[3FA36A674B9D0476]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\#_this_file_is_encrypted_[3fa36a674b9d0476]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.408] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.454] SetEvent (hEvent=0xfc) returned 1 [0295.454] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\ZeqlJkWcoM.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\zeqljkwcom.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.455] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.455] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\ZeqlJkWcoM.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\zeqljkwcom.swf"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57b12a60, ftCreationTime.dwHighDateTime=0x1d827fc, ftLastAccessTime.dwLowDateTime=0x18571200, ftLastAccessTime.dwHighDateTime=0x1d8284a, ftLastWriteTime.dwLowDateTime=0x18571200, ftLastWriteTime.dwHighDateTime=0x1d8284a, nFileSizeHigh=0x0, nFileSizeLow=0xa8db)) returned 1 [0295.456] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7e00 | out: pbBuffer=0x12ac7e00) returned 1 [0295.456] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b11f78 | out: pbBuffer=0x12b11f78) returned 1 [0295.456] ReadFile (in: hFile=0x474, lpBuffer=0x12d1e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d1e000*, lpNumberOfBytesRead=0x12855d1c*=0xa8db, lpOverlapped=0x0) returned 1 [0295.458] GetFileType (hFile=0x474) returned 0x1 [0295.458] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.458] WriteFile (in: hFile=0x474, lpBuffer=0x12e68000*, nNumberOfBytesToWrite=0xa8db, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12e68000*, lpNumberOfBytesWritten=0x12855d00*=0xa8db, lpOverlapped=0x12855d0c) returned 1 [0295.459] GetFileType (hFile=0x474) returned 0x1 [0295.459] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xa8db, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.459] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0295.459] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0295.460] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae01 | out: pbBuffer=0x1286ae01) returned 1 [0295.460] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914080 | out: pbBuffer=0x12914080) returned 1 [0295.460] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\ZeqlJkWcoM.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\zeqljkwcom.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.460] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0295.461] WriteFile (in: hFile=0x470, lpBuffer=0x12a6af00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6af00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.461] CloseHandle (hObject=0x470) returned 1 [0295.461] CloseHandle (hObject=0x474) returned 1 [0295.461] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914118 | out: pbBuffer=0x12914118) returned 1 [0295.461] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\ZeqlJkWcoM.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\zeqljkwcom.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\#_THIS_FILE_IS_ENCRYPTED_[08C6B8969747BEC6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\#_this_file_is_encrypted_[08c6b8969747bec6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.463] SwitchToThread () returned 1 [0295.500] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.560] SetEvent (hEvent=0xf4) returned 1 [0295.560] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\BK3xwjlr1PV.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\bk3xwjlr1pv.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.561] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.561] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\BK3xwjlr1PV.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\bk3xwjlr1pv.avi"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cd482f0, ftCreationTime.dwHighDateTime=0x1d81a98, ftLastAccessTime.dwLowDateTime=0x9d3699a0, ftLastAccessTime.dwHighDateTime=0x1d81adf, ftLastWriteTime.dwLowDateTime=0x9d3699a0, ftLastWriteTime.dwHighDateTime=0x1d81adf, nFileSizeHigh=0x0, nFileSizeLow=0x47ca)) returned 1 [0295.561] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0295.562] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129141d8 | out: pbBuffer=0x129141d8) returned 1 [0295.562] ReadFile (in: hFile=0x464, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a31d1c*=0x47ca, lpOverlapped=0x0) returned 1 [0295.563] GetFileType (hFile=0x464) returned 0x1 [0295.563] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.564] WriteFile (in: hFile=0x464, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x47ca, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12a31d00*=0x47ca, lpOverlapped=0x12a31d0c) returned 1 [0295.585] GetFileType (hFile=0x464) returned 0x1 [0295.585] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x47ca, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0295.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0295.586] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0295.586] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129144e0 | out: pbBuffer=0x129144e0) returned 1 [0295.586] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\BK3xwjlr1PV.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\bk3xwjlr1pv.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.586] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.587] WriteFile (in: hFile=0x44c, lpBuffer=0x12a34a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a34a00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.606] CloseHandle (hObject=0x44c) returned 1 [0295.606] CloseHandle (hObject=0x464) returned 1 [0295.624] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914558 | out: pbBuffer=0x12914558) returned 1 [0295.624] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\BK3xwjlr1PV.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\bk3xwjlr1pv.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\#_THIS_FILE_IS_ENCRYPTED_[BBF3B051CC182B68]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\#_this_file_is_encrypted_[bbf3b051cc182b68]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.651] SetEvent (hEvent=0x19c) returned 1 [0295.651] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\kpjPYFy.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\kpjpyfy.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x624c8150, ftCreationTime.dwHighDateTime=0x1d81e69, ftLastAccessTime.dwLowDateTime=0x1ad0b220, ftLastAccessTime.dwHighDateTime=0x1d82719, ftLastWriteTime.dwLowDateTime=0x1ad0b220, ftLastWriteTime.dwHighDateTime=0x1d82719, nFileSizeHigh=0x0, nFileSizeLow=0xe90c)) returned 1 [0295.652] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.667] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.711] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\FH3bzmgXz4C.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\fh3bzmgxz4c.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab5f3760, ftCreationTime.dwHighDateTime=0x1d81b4f, ftLastAccessTime.dwLowDateTime=0x8cc2d380, ftLastAccessTime.dwHighDateTime=0x1d8251c, ftLastWriteTime.dwLowDateTime=0x8cc2d380, ftLastWriteTime.dwHighDateTime=0x1d8251c, nFileSizeHigh=0x0, nFileSizeLow=0x4626)) returned 1 [0295.711] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.748] SetEvent (hEvent=0xfc) returned 1 [0295.748] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.760] SetEvent (hEvent=0xfc) returned 1 [0295.760] SetEvent (hEvent=0x454) returned 1 [0295.760] SetEvent (hEvent=0xf4) returned 1 [0295.760] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0295.829] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) Thread: id = 8 os_tid = 0xfbc [0115.787] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x334fff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x334fff30*=0x1c0) returned 1 [0115.787] VirtualQuery (in: lpAddress=0x334fff40, lpBuffer=0x334fff40, dwLength=0x1c | out: lpBuffer=0x334fff40*(BaseAddress=0x334ff000, AllocationBase=0x33400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0115.787] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1d0 [0115.787] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0122.985] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0123.132] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0123.292] SetEvent (hEvent=0x104) returned 1 [0123.318] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000*)), lpNumberOfBytesRecvd=0x128e6034*=0x6b, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0 [0123.687] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x26, buf=0x128f4000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x26, lpOverlapped=0x128e6088) returned 0 [0123.759] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x6b, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0123.759] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0124.124] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0124.477] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0125.541] SetEvent (hEvent=0x104) returned 1 [0125.675] SetEvent (hEvent=0x104) returned 1 [0126.096] GetAddrInfoW (in: pNodeName="extreme-ip-lookup.com", pServiceName=0x0, pHints=0x1281ff94*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1281ff50 | out: ppResult=0x1281ff50*=0x33665618*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x3366de20*(sa_family=2, sin_port=0x0, sin_addr="37.48.65.182"), ai_next=0x33665870*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x3366dd60*(sa_family=2, sin_port=0x0, sin_addr="109.236.91.3"), ai_next=0x0))) returned 0 [0126.225] FreeAddrInfoW (pAddrInfo=0x33665618*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x3366de20*(sa_family=2, sin_port=0x0, sin_addr="37.48.65.182"), ai_next=0x33665870*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x3366dd60*(sa_family=2, sin_port=0x0, sin_addr="109.236.91.3"), ai_next=0x0))) [0126.234] SetEvent (hEvent=0x3cc) returned 1 [0126.656] WSASocketW (af=2, type=1, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x81) returned 0x3e4 [0126.666] setsockopt (s=0x3e4, level=65535, optname=32, optval="\x01", optlen=4) returned -1 [0127.086] CreateIoCompletionPort (FileHandle=0x3e4, ExistingCompletionPort=0x1a8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a8 [0127.198] SetFileCompletionNotificationModes (FileHandle=0x3e4, Flags=0x3) returned 1 [0127.501] bind (s=0x3e4, addr=0x12928068*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0127.514] SetEvent (hEvent=0x104) returned 1 [0127.530] ConnectEx (in: s=0x3e4, name=0x12928048*(sa_family=2, sin_port=0x50, sin_addr="37.48.65.182"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x0, lpOverlapped=0x12b1c088 | out: lpdwBytesSent=0x0) returned 0 [0127.734] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0127.755] FindFirstFileW (in: lpFileName="C:\\Boot\\BCD\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0127.755] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3f0 [0127.756] GetConsoleMode (in: hConsoleHandle=0x3f0, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0127.756] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0127.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129280c0 | out: pbBuffer=0x129280c0) returned 1 [0127.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8108 | out: pbBuffer=0x128e8108) returned 1 [0127.757] ReadFile (in: hFile=0x3f0, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12923d1c*=0x0, lpOverlapped=0x0) returned 1 [0127.758] CloseHandle (hObject=0x3f0) returned 1 [0127.759] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0127.880] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts" (normalized: "c:\\boot\\fonts"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0127.984] CreateFileW (lpFileName="C:\\Boot\\Fonts" (normalized: "c:\\boot\\fonts"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0127.985] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0128.364] SwitchToThread () returned 1 [0128.490] VirtualAlloc (lpAddress=0x12bf4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12bf4000 [0128.490] VirtualFree (lpAddress=0x12c10000, dwSize=0x3f0000, dwFreeType=0x4000) returned 1 [0128.647] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.647] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0128.647] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0128.647] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0128.647] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0128.647] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x28784, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0128.647] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x29114, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0128.648] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20718, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0128.648] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20d6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0128.648] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2553c, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0128.648] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25d10, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0128.648] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x22b2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0128.648] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x23b34, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0128.648] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8cb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0128.648] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d20, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0128.648] VirtualAlloc (lpAddress=0x12bf6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12bf6000 [0128.648] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae62bb5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12e5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0128.649] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0128.649] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0128.649] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0128.788] VirtualAlloc (lpAddress=0x12bfa000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12bfa000 [0128.788] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fonts\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.790] CreateFileW (lpFileName="C:\\Boot\\Fonts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fonts\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0128.790] VirtualAlloc (lpAddress=0x12c10000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c10000 [0128.791] CreateFileW (lpFileName="C:\\Boot\\Fonts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fonts\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e0 [0128.791] GetConsoleMode (in: hConsoleHandle=0x3e0, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0128.791] WriteFile (in: hFile=0x3e0, lpBuffer=0x12c10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c10000*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0128.793] CloseHandle (hObject=0x3e0) returned 1 [0128.793] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x385e00)) returned 1 [0128.979] SetEvent (hEvent=0x104) returned 1 [0128.979] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4)) returned 1 [0129.128] SetEvent (hEvent=0x104) returned 1 [0129.128] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4)) returned 1 [0129.220] SetEvent (hEvent=0x104) returned 1 [0129.220] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x242f20)) returned 1 [0129.303] SetEvent (hEvent=0x104) returned 1 [0129.303] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x29114)) returned 1 [0129.496] SetEvent (hEvent=0x104) returned 1 [0129.496] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x28784)) returned 1 [0129.499] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20d6c)) returned 1 [0129.691] SetEvent (hEvent=0x104) returned 1 [0129.691] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20718)) returned 1 [0129.890] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25d10)) returned 1 [0130.171] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2553c)) returned 1 [0130.359] SetEvent (hEvent=0x10c) returned 1 [0130.359] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x23b34)) returned 1 [0130.440] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x22b2c)) returned 1 [0130.673] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8cb4)) returned 1 [0130.780] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae62bb5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12e5c)) returned 1 [0130.781] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d20)) returned 1 [0130.781] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb95c)) returned 1 [0130.782] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Resources" (normalized: "c:\\boot\\resources"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0130.849] CreateFileW (lpFileName="C:\\Boot\\Resources" (normalized: "c:\\boot\\resources"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.850] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0130.850] VirtualAlloc (lpAddress=0x12c28000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c28000 [0130.850] VirtualAlloc (lpAddress=0x12c2a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c2a000 [0130.851] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0130.851] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0130.851] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0130.851] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0130.851] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0130.851] VirtualAlloc (lpAddress=0x12c2c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c2c000 [0130.851] VirtualAlloc (lpAddress=0x12c2e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c2e000 [0130.852] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Resources\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\resources\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0130.852] CreateFileW (lpFileName="C:\\Boot\\Resources\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\resources\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0130.852] VirtualAlloc (lpAddress=0x12c30000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c30000 [0130.852] CreateFileW (lpFileName="C:\\Boot\\Resources\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\resources\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0130.853] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0130.853] WriteFile (in: hFile=0x3d8, lpBuffer=0x12c30000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c30000*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0130.855] CloseHandle (hObject=0x3d8) returned 1 [0130.856] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b60)) returned 1 [0130.856] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Resources\\en-US" (normalized: "c:\\boot\\resources\\en-us"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0130.856] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US" (normalized: "c:\\boot\\resources\\en-us"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.856] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*", lpFindFileData=0x12829a94 | out: lpFindFileData=0x12829a94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0130.856] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0130.857] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x9ea99bcf, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0130.857] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829ad8 | out: lpFindFileData=0x12829ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0130.857] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0130.857] VirtualAlloc (lpAddress=0x12c36000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c36000 [0130.857] VirtualAlloc (lpAddress=0x12c38000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c38000 [0130.858] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Resources\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\resources\\en-us\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282975c | out: lpFileInformation=0x1282975c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0130.858] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\resources\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0130.858] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\resources\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0130.858] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0x1282996c | out: lpMode=0x1282996c) returned 0 [0130.858] WriteFile (in: hFile=0x3d8, lpBuffer=0x12c31300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282996c, lpOverlapped=0x0 | out: lpBuffer=0x12c31300*, lpNumberOfBytesWritten=0x1282996c*=0x118a, lpOverlapped=0x0) returned 1 [0130.859] CloseHandle (hObject=0x3d8) returned 1 [0130.860] GetFileAttributesExW (in: lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829b58 | out: lpFileInformation=0x12829b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x9ea99bcf, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x3160)) returned 1 [0130.860] GetFileAttributesExW (in: lpFileName="C:\\Boot\\bg-BG" (normalized: "c:\\boot\\bg-bg"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0130.860] CreateFileW (lpFileName="C:\\Boot\\bg-BG" (normalized: "c:\\boot\\bg-bg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.860] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0130.860] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0130.860] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0130.860] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0130.860] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0130.861] VirtualAlloc (lpAddress=0x12c3a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c3a000 [0130.861] GetFileAttributesExW (in: lpFileName="C:\\Boot\\bg-BG\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\bg-bg\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0130.861] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\bg-bg\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0130.861] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\bg-bg\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0130.861] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0130.861] WriteFile (in: hFile=0x3d8, lpBuffer=0x12c32600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c32600*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0130.863] CloseHandle (hObject=0x3d8) returned 1 [0130.863] GetFileAttributesExW (in: lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60)) returned 1 [0130.863] GetFileAttributesExW (in: lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17f60)) returned 1 [0130.863] GetFileAttributesExW (in: lpFileName="C:\\Boot\\cs-CZ" (normalized: "c:\\boot\\cs-cz"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0130.863] CreateFileW (lpFileName="C:\\Boot\\cs-CZ" (normalized: "c:\\boot\\cs-cz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.863] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0130.864] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0130.864] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0130.864] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0130.864] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0130.864] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0130.864] GetFileAttributesExW (in: lpFileName="C:\\Boot\\cs-CZ\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\cs-cz\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0130.864] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\cs-cz\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0130.865] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\cs-cz\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0130.904] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0130.904] WriteFile (in: hFile=0x3d8, lpBuffer=0x12c33900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c33900*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0130.931] CloseHandle (hObject=0x3d8) returned 1 [0130.932] GetFileAttributesExW (in: lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58)) returned 1 [0130.937] GetFileAttributesExW (in: lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160)) returned 1 [0130.937] GetFileAttributesExW (in: lpFileName="C:\\Boot\\da-DK" (normalized: "c:\\boot\\da-dk"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0130.938] CreateFileW (lpFileName="C:\\Boot\\da-DK" (normalized: "c:\\boot\\da-dk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.938] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0130.938] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0130.938] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0130.938] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0130.939] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0130.939] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0130.939] GetFileAttributesExW (in: lpFileName="C:\\Boot\\da-DK\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\da-dk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0130.939] CreateFileW (lpFileName="C:\\Boot\\da-DK\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\da-dk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0130.939] CreateFileW (lpFileName="C:\\Boot\\da-DK\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\da-dk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0130.947] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0130.947] WriteFile (in: hFile=0x3fc, lpBuffer=0x12c34c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c34c00*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0130.948] CloseHandle (hObject=0x3fc) returned 1 [0130.948] GetFileAttributesExW (in: lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760)) returned 1 [0130.949] GetFileAttributesExW (in: lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160)) returned 1 [0130.953] GetFileAttributesExW (in: lpFileName="C:\\Boot\\de-DE" (normalized: "c:\\boot\\de-de"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0130.953] CreateFileW (lpFileName="C:\\Boot\\de-DE" (normalized: "c:\\boot\\de-de"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.954] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0130.954] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0130.954] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0130.954] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0130.954] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0130.954] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0130.954] GetFileAttributesExW (in: lpFileName="C:\\Boot\\de-DE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\de-de\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0130.954] CreateFileW (lpFileName="C:\\Boot\\de-DE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\de-de\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0130.954] VirtualAlloc (lpAddress=0x12c44000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c44000 [0130.970] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.971] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.971] SetEvent (hEvent=0x1b8) returned 1 [0130.971] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0130.986] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0131.060] SwitchToThread () returned 1 [0131.071] SetEvent (hEvent=0x3f4) returned 1 [0131.072] SetEvent (hEvent=0x3f8) returned 1 [0131.072] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0131.111] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0131.111] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0131.120] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0131.120] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0131.129] SetEvent (hEvent=0x3f4) returned 1 [0131.129] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0131.137] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0131.137] CreateFileW (lpFileName="C:\\Boot\\de-DE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\de-de\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0131.153] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.153] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.154] CloseHandle (hObject=0x3c4) returned 1 [0131.154] GetFileAttributesExW (in: lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560)) returned 1 [0131.154] SetEvent (hEvent=0x3f4) returned 1 [0131.154] GetFileAttributesExW (in: lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358)) returned 1 [0131.154] GetFileAttributesExW (in: lpFileName="C:\\Boot\\el-GR" (normalized: "c:\\boot\\el-gr"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.155] CreateFileW (lpFileName="C:\\Boot\\el-GR" (normalized: "c:\\boot\\el-gr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.155] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0131.155] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.156] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.156] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0131.156] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.156] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0131.156] GetFileAttributesExW (in: lpFileName="C:\\Boot\\el-GR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\el-gr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.156] CreateFileW (lpFileName="C:\\Boot\\el-GR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\el-gr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.156] CreateFileW (lpFileName="C:\\Boot\\el-GR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\el-gr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0131.167] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.167] WriteFile (in: hFile=0x3c4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.168] CloseHandle (hObject=0x3c4) returned 1 [0131.168] GetFileAttributesExW (in: lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960)) returned 1 [0131.168] GetFileAttributesExW (in: lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb560)) returned 1 [0131.169] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-GB" (normalized: "c:\\boot\\en-gb"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.169] CreateFileW (lpFileName="C:\\Boot\\en-GB" (normalized: "c:\\boot\\en-gb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.169] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0131.169] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.169] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.169] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.169] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0131.169] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-GB\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\en-gb\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.170] CreateFileW (lpFileName="C:\\Boot\\en-GB\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\en-gb\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.170] CreateFileW (lpFileName="C:\\Boot\\en-GB\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\en-gb\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0131.170] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.170] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.172] CloseHandle (hObject=0x3c4) returned 1 [0131.172] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158)) returned 1 [0131.176] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-US" (normalized: "c:\\boot\\en-us"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.177] CreateFileW (lpFileName="C:\\Boot\\en-US" (normalized: "c:\\boot\\en-us"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.177] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0131.178] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.178] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.178] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0131.178] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.178] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0131.178] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\en-us\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.178] CreateFileW (lpFileName="C:\\Boot\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.178] CreateFileW (lpFileName="C:\\Boot\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0131.588] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.588] WriteFile (in: hFile=0x438, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.589] CloseHandle (hObject=0x438) returned 1 [0131.590] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160)) returned 1 [0131.590] GetFileAttributesExW (in: lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58)) returned 1 [0131.590] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-ES" (normalized: "c:\\boot\\es-es"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.602] CreateFileW (lpFileName="C:\\Boot\\es-ES" (normalized: "c:\\boot\\es-es"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.603] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0131.603] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.603] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.603] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0131.603] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.603] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0131.603] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-ES\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\es-es\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.603] CreateFileW (lpFileName="C:\\Boot\\es-ES\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\es-es\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.604] CreateFileW (lpFileName="C:\\Boot\\es-ES\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\es-es\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0131.606] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.606] WriteFile (in: hFile=0x438, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.614] CloseHandle (hObject=0x438) returned 1 [0131.615] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60)) returned 1 [0131.615] SetEvent (hEvent=0x3f4) returned 1 [0131.615] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358)) returned 1 [0131.616] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-MX" (normalized: "c:\\boot\\es-mx"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.616] CreateFileW (lpFileName="C:\\Boot\\es-MX" (normalized: "c:\\boot\\es-mx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.616] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0131.616] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.616] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.616] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.616] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0131.617] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-MX\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\es-mx\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.617] CreateFileW (lpFileName="C:\\Boot\\es-MX\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\es-mx\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.617] CreateFileW (lpFileName="C:\\Boot\\es-MX\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\es-mx\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0131.617] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.617] WriteFile (in: hFile=0x438, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.619] CloseHandle (hObject=0x438) returned 1 [0131.619] GetFileAttributesExW (in: lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60)) returned 1 [0131.691] GetFileAttributesExW (in: lpFileName="C:\\Boot\\et-EE" (normalized: "c:\\boot\\et-ee"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.691] CreateFileW (lpFileName="C:\\Boot\\et-EE" (normalized: "c:\\boot\\et-ee"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.692] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0131.692] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.693] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.693] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0131.693] GetFileAttributesExW (in: lpFileName="C:\\Boot\\et-EE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\et-ee\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.693] CreateFileW (lpFileName="C:\\Boot\\et-EE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\et-ee\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.694] CreateFileW (lpFileName="C:\\Boot\\et-EE\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\et-ee\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0131.694] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.695] WriteFile (in: hFile=0x438, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.696] CloseHandle (hObject=0x438) returned 1 [0131.697] GetFileAttributesExW (in: lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560)) returned 1 [0131.697] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fi-FI" (normalized: "c:\\boot\\fi-fi"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.698] CreateFileW (lpFileName="C:\\Boot\\fi-FI" (normalized: "c:\\boot\\fi-fi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.698] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0131.698] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.698] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.698] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0131.698] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.698] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0131.698] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fi-FI\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fi-fi\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.699] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fi-fi\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.699] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fi-fi\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0131.712] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.712] WriteFile (in: hFile=0x438, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.713] CloseHandle (hObject=0x438) returned 1 [0131.714] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0131.720] SetEvent (hEvent=0x3f4) returned 1 [0131.720] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158)) returned 1 [0131.721] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-CA" (normalized: "c:\\boot\\fr-ca"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.721] CreateFileW (lpFileName="C:\\Boot\\fr-CA" (normalized: "c:\\boot\\fr-ca"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.721] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0131.721] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.721] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.721] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.721] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0131.722] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-CA\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fr-ca\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.722] CreateFileW (lpFileName="C:\\Boot\\fr-CA\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fr-ca\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.722] CreateFileW (lpFileName="C:\\Boot\\fr-CA\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fr-ca\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0131.722] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.722] WriteFile (in: hFile=0x438, lpBuffer=0x12c45300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c45300*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.724] CloseHandle (hObject=0x438) returned 1 [0131.724] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560)) returned 1 [0131.724] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-FR" (normalized: "c:\\boot\\fr-fr"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.827] CreateFileW (lpFileName="C:\\Boot\\fr-FR" (normalized: "c:\\boot\\fr-fr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.827] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0131.827] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.827] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.827] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0131.827] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.827] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0131.836] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-FR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fr-fr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.837] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fr-fr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.837] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\fr-fr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x414 [0131.880] GetConsoleMode (in: hConsoleHandle=0x414, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.880] WriteFile (in: hFile=0x414, lpBuffer=0x12c46600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c46600*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.881] CloseHandle (hObject=0x414) returned 1 [0131.881] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558)) returned 1 [0131.882] GetFileAttributesExW (in: lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360)) returned 1 [0131.882] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hr-HR" (normalized: "c:\\boot\\hr-hr"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.888] CreateFileW (lpFileName="C:\\Boot\\hr-HR" (normalized: "c:\\boot\\hr-hr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.888] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0131.888] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.888] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.888] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.888] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0131.889] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hr-HR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\hr-hr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.889] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\hr-hr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.889] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\hr-hr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x414 [0131.889] GetConsoleMode (in: hConsoleHandle=0x414, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.889] WriteFile (in: hFile=0x414, lpBuffer=0x12c47900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c47900*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.891] CloseHandle (hObject=0x414) returned 1 [0131.891] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60)) returned 1 [0131.938] SetEvent (hEvent=0x10c) returned 1 [0131.938] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hu-HU" (normalized: "c:\\boot\\hu-hu"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0131.939] CreateFileW (lpFileName="C:\\Boot\\hu-HU" (normalized: "c:\\boot\\hu-hu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.939] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0131.939] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.939] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0131.940] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0131.940] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0131.940] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0131.940] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hu-HU\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\hu-hu\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0131.940] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\hu-hu\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0131.940] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\hu-hu\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x414 [0131.996] GetConsoleMode (in: hConsoleHandle=0x414, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0131.996] WriteFile (in: hFile=0x414, lpBuffer=0x12c48c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12c48c00*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0131.997] CloseHandle (hObject=0x414) returned 1 [0131.998] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360)) returned 1 [0131.998] GetFileAttributesExW (in: lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360)) returned 1 [0131.998] GetFileAttributesExW (in: lpFileName="C:\\Boot\\it-IT" (normalized: "c:\\boot\\it-it"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0132.009] CreateFileW (lpFileName="C:\\Boot\\it-IT" (normalized: "c:\\boot\\it-it"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.009] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0132.010] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.010] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0132.010] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0132.010] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.010] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0132.010] GetFileAttributesExW (in: lpFileName="C:\\Boot\\it-IT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\it-it\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0132.010] CreateFileW (lpFileName="C:\\Boot\\it-IT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\it-it\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0132.011] CreateFileW (lpFileName="C:\\Boot\\it-IT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\it-it\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0132.013] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0132.013] WriteFile (in: hFile=0x3fc, lpBuffer=0x12916000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12916000*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0132.024] CloseHandle (hObject=0x3fc) returned 1 [0132.025] GetFileAttributesExW (in: lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58)) returned 1 [0132.025] SetEvent (hEvent=0x10c) returned 1 [0132.025] GetFileAttributesExW (in: lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158)) returned 1 [0132.026] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ja-JP" (normalized: "c:\\boot\\ja-jp"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0132.026] CreateFileW (lpFileName="C:\\Boot\\ja-JP" (normalized: "c:\\boot\\ja-jp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.026] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0132.026] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.026] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0132.026] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0132.026] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.026] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0132.027] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ja-JP\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ja-jp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0132.027] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ja-jp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0132.027] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ja-jp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0132.067] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0132.067] WriteFile (in: hFile=0x3fc, lpBuffer=0x12917300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12917300*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0132.068] CloseHandle (hObject=0x3fc) returned 1 [0132.074] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760)) returned 1 [0132.102] SetEvent (hEvent=0x40c) returned 1 [0132.102] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760)) returned 1 [0132.103] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ko-KR" (normalized: "c:\\boot\\ko-kr"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0132.103] CreateFileW (lpFileName="C:\\Boot\\ko-KR" (normalized: "c:\\boot\\ko-kr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.103] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0132.104] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.104] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0132.104] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0132.104] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.104] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0132.104] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ko-KR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ko-kr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0132.104] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ko-kr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0132.104] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\ko-kr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0132.114] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0132.114] WriteFile (in: hFile=0x3fc, lpBuffer=0x12918600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12918600*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0132.116] CloseHandle (hObject=0x3fc) returned 1 [0132.116] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560)) returned 1 [0132.117] GetFileAttributesExW (in: lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760)) returned 1 [0132.134] GetFileAttributesExW (in: lpFileName="C:\\Boot\\lt-LT" (normalized: "c:\\boot\\lt-lt"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0132.134] CreateFileW (lpFileName="C:\\Boot\\lt-LT" (normalized: "c:\\boot\\lt-lt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.134] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0132.135] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.135] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0132.135] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.135] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0132.135] GetFileAttributesExW (in: lpFileName="C:\\Boot\\lt-LT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\lt-lt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0132.135] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\lt-lt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0132.136] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\lt-lt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0132.136] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0132.136] WriteFile (in: hFile=0x3fc, lpBuffer=0x12919900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12919900*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0132.138] CloseHandle (hObject=0x3fc) returned 1 [0132.138] GetFileAttributesExW (in: lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760)) returned 1 [0132.138] GetFileAttributesExW (in: lpFileName="C:\\Boot\\lv-LV" (normalized: "c:\\boot\\lv-lv"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0132.138] CreateFileW (lpFileName="C:\\Boot\\lv-LV" (normalized: "c:\\boot\\lv-lv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.139] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0132.139] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.139] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0132.139] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.139] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0132.139] GetFileAttributesExW (in: lpFileName="C:\\Boot\\lv-LV\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\lv-lv\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0132.139] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\lv-lv\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0132.139] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\lv-lv\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0132.140] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0132.140] WriteFile (in: hFile=0x3fc, lpBuffer=0x1291ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x1291ac00*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0132.141] CloseHandle (hObject=0x3fc) returned 1 [0132.142] GetFileAttributesExW (in: lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758)) returned 1 [0132.212] GetFileAttributesExW (in: lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc2960)) returned 1 [0132.212] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nb-NO" (normalized: "c:\\boot\\nb-no"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0132.213] CreateFileW (lpFileName="C:\\Boot\\nb-NO" (normalized: "c:\\boot\\nb-no"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.213] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0132.213] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.213] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0132.213] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0132.213] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.213] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0132.214] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nb-NO\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\nb-no\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0132.214] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\nb-no\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0132.214] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\nb-no\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0132.290] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0132.290] WriteFile (in: hFile=0x3fc, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0132.291] CloseHandle (hObject=0x3fc) returned 1 [0132.291] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760)) returned 1 [0132.292] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160)) returned 1 [0132.320] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nl-NL" (normalized: "c:\\boot\\nl-nl"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0132.320] CreateFileW (lpFileName="C:\\Boot\\nl-NL" (normalized: "c:\\boot\\nl-nl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.320] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0132.320] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.321] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0132.321] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0132.321] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0132.321] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0132.321] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nl-NL\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\nl-nl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0132.321] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\nl-nl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0132.321] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\nl-nl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0132.367] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0132.367] WriteFile (in: hFile=0x3fc, lpBuffer=0x12a91300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12a91300*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0132.368] CloseHandle (hObject=0x3fc) returned 1 [0132.369] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160)) returned 1 [0132.369] SetEvent (hEvent=0x40c) returned 1 [0132.369] GetFileAttributesExW (in: lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158)) returned 1 [0132.369] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pl-PL" (normalized: "c:\\boot\\pl-pl"), fInfoLevelId=0x0, lpFileInformation=0x12829c20 | out: lpFileInformation=0x12829c20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0133.212] CreateFileW (lpFileName="C:\\Boot\\pl-PL" (normalized: "c:\\boot\\pl-pl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0133.212] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x12829af8 | out: lpFindFileData=0x12829af8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0133.212] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0133.212] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0133.212] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0133.212] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12829b3c | out: lpFindFileData=0x12829b3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0133.213] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0133.213] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pl-PL\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\pl-pl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128297c0 | out: lpFileInformation=0x128297c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.213] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\pl-pl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0133.213] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\# SATAN CRYPTOR #.hta" (normalized: "c:\\boot\\pl-pl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3fc [0134.542] GetConsoleMode (in: hConsoleHandle=0x3fc, lpMode=0x128299d0 | out: lpMode=0x128299d0) returned 0 [0134.561] WriteFile (in: hFile=0x3fc, lpBuffer=0x12a92600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128299d0, lpOverlapped=0x0 | out: lpBuffer=0x12a92600*, lpNumberOfBytesWritten=0x128299d0*=0x118a, lpOverlapped=0x0) returned 1 [0134.563] CloseHandle (hObject=0x3fc) returned 1 [0148.424] GetFileAttributesExW (in: lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829bbc | out: lpFileInformation=0x12829bbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58)) returned 1 [0150.654] SetEvent (hEvent=0xfc) returned 1 [0152.491] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.637] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0152.638] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0156.526] SwitchToThread () returned 1 [0157.341] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0157.342] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0157.355] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0157.864] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0158.603] SetEvent (hEvent=0x3f4) returned 1 [0158.603] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.604] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0158.604] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.605] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0158.605] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0158.787] SetEvent (hEvent=0x3f4) returned 1 [0158.787] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.787] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0158.787] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0158.881] SetEvent (hEvent=0x3f4) returned 1 [0158.881] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.881] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0158.881] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0159.054] SetEvent (hEvent=0x3f4) returned 1 [0159.054] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.054] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.054] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.054] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.055] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0159.331] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0159.434] SetEvent (hEvent=0x3f4) returned 1 [0159.435] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.435] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.435] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.435] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.435] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0159.678] SetEvent (hEvent=0x3f4) returned 1 [0159.678] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.679] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.679] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0159.799] SetEvent (hEvent=0x3f4) returned 1 [0159.799] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.799] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.799] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0159.899] SetEvent (hEvent=0x3f4) returned 1 [0159.899] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.899] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.900] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0160.060] SetEvent (hEvent=0x3f4) returned 1 [0160.061] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.061] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0160.061] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.061] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0160.061] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.061] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0160.062] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0160.399] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x410 [0160.400] GetConsoleMode (in: hConsoleHandle=0x410, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0160.400] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f0737, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f0737, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x22d02900, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5765)) returned 1 [0160.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0160.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914108 | out: pbBuffer=0x12914108) returned 1 [0160.403] ReadFile (in: hFile=0x410, lpBuffer=0x12bd0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bd0000*, lpNumberOfBytesRead=0x1282bd1c*=0x5765, lpOverlapped=0x0) returned 1 [0160.405] GetFileType (hFile=0x410) returned 0x1 [0160.405] SetFilePointerEx (in: hFile=0x410, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0160.405] WriteFile (in: hFile=0x410, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x5765, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x1282bd00*=0x5765, lpOverlapped=0x1282bd0c) returned 1 [0160.406] GetFileType (hFile=0x410) returned 0x1 [0160.406] SetFilePointerEx (in: hFile=0x410, liDistanceToMove=0x5765, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0162.161] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0162.163] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0162.192] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834181 | out: pbBuffer=0x12834181) returned 1 [0162.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0162.543] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129141f0 | out: pbBuffer=0x129141f0) returned 1 [0162.669] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x420 [0162.669] GetConsoleMode (in: hConsoleHandle=0x420, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0162.669] WriteFile (in: hFile=0x420, lpBuffer=0x12bac000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12bac000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0162.670] CloseHandle (hObject=0x420) returned 1 [0162.672] CloseHandle (hObject=0x410) returned 1 [0162.683] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914208 | out: pbBuffer=0x12914208) returned 1 [0162.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914248 | out: pbBuffer=0x12914248) returned 1 [0162.755] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x410 [0162.756] GetConsoleMode (in: hConsoleHandle=0x410, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0162.756] WriteFile (in: hFile=0x410, lpBuffer=0x12bac500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12bac500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0162.756] CloseHandle (hObject=0x410) returned 1 [0162.759] CloseHandle (hObject=0x408) returned 1 [0162.759] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914260 | out: pbBuffer=0x12914260) returned 1 [0162.960] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\#_THIS_FILE_IS_ENCRYPTED_[CA0401F040336915]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\#_this_file_is_encrypted_[ca0401f040336915]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0162.963] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0162.964] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0162.964] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66)) returned 1 [0162.964] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0162.964] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129142c8 | out: pbBuffer=0x129142c8) returned 1 [0163.069] ReadFile (in: hFile=0x41c, lpBuffer=0x1297c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x1297c000*, lpNumberOfBytesRead=0x1282fd1c*=0x66, lpOverlapped=0x0) returned 1 [0163.072] GetFileType (hFile=0x41c) returned 0x1 [0163.072] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0163.073] WriteFile (in: hFile=0x41c, lpBuffer=0x12868460*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12868460*, lpNumberOfBytesWritten=0x1282fd00*=0x66, lpOverlapped=0x1282fd0c) returned 1 [0163.073] GetFileType (hFile=0x41c) returned 0x1 [0163.073] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x66, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0163.073] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0163.074] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0163.074] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0163.074] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129143f0 | out: pbBuffer=0x129143f0) returned 1 [0163.074] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0163.076] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0163.076] WriteFile (in: hFile=0x424, lpBuffer=0x12baca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12baca00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0163.175] CloseHandle (hObject=0x424) returned 1 [0163.177] CloseHandle (hObject=0x41c) returned 1 [0163.177] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914418 | out: pbBuffer=0x12914418) returned 1 [0163.177] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\s320.hash"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\#_THIS_FILE_IS_ENCRYPTED_[5A36FD5309D3E894]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\#_this_file_is_encrypted_[5a36fd5309d3e894]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0163.179] SwitchToThread () returned 1 [0163.263] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0163.263] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0163.263] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce)) returned 1 [0163.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6a0 | out: pbBuffer=0x1280e6a0) returned 1 [0163.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914490 | out: pbBuffer=0x12914490) returned 1 [0163.264] ReadFile (in: hFile=0x41c, lpBuffer=0x129ca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x129ca000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0163.268] GetFileType (hFile=0x41c) returned 0x1 [0163.268] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0163.268] WriteFile (in: hFile=0x41c, lpBuffer=0x12a0a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12a0a000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0163.269] GetFileType (hFile=0x41c) returned 0x1 [0163.269] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0163.269] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0163.269] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0163.269] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a01 | out: pbBuffer=0x12834a01) returned 1 [0163.270] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129145a8 | out: pbBuffer=0x129145a8) returned 1 [0163.270] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0163.270] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0163.270] WriteFile (in: hFile=0x424, lpBuffer=0x12bacf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12bacf00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0163.272] CloseHandle (hObject=0x424) returned 1 [0163.896] CloseHandle (hObject=0x41c) returned 1 [0163.898] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9bf30 | out: pbBuffer=0x12a9bf30) returned 1 [0163.899] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\#_THIS_FILE_IS_ENCRYPTED_[DC72749AF4B85390]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\#_this_file_is_encrypted_[dc72749af4b85390]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0164.111] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0164.335] SetEvent (hEvent=0x3f8) returned 1 [0164.335] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0164.335] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0164.335] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d04153d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d04153d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d04153d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7b6)) returned 1 [0164.336] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0164.336] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0164.339] ReadFile (in: hFile=0x424, lpBuffer=0x12c8e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c8e000*, lpNumberOfBytesRead=0x12925d1c*=0x7b6, lpOverlapped=0x0) returned 1 [0164.461] GetFileType (hFile=0x424) returned 0x1 [0164.461] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.462] WriteFile (in: hFile=0x424, lpBuffer=0x128f4000*, nNumberOfBytesToWrite=0x7b6, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x128f4000*, lpNumberOfBytesWritten=0x12925d00*=0x7b6, lpOverlapped=0x12925d0c) returned 1 [0164.462] GetFileType (hFile=0x424) returned 0x1 [0164.462] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x7b6, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0164.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0164.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0164.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a2b8 | out: pbBuffer=0x12a9a2b8) returned 1 [0164.463] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0164.463] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0164.463] WriteFile (in: hFile=0x41c, lpBuffer=0x12bac500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12bac500*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0164.463] CloseHandle (hObject=0x41c) returned 1 [0164.464] CloseHandle (hObject=0x424) returned 1 [0164.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2d0 | out: pbBuffer=0x12a9a2d0) returned 1 [0164.465] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\#_THIS_FILE_IS_ENCRYPTED_[386AF2CB4C6D1CE7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\#_this_file_is_encrypted_[386af2cb4c6d1ce7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0164.466] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0167.619] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0167.681] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0167.875] SetEvent (hEvent=0xfc) returned 1 [0167.876] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0167.929] SetEvent (hEvent=0x40c) returned 1 [0167.929] SetEvent (hEvent=0xfc) returned 1 [0167.929] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.011] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.186] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.228] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.262] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.321] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.362] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.559] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.610] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.642] SetEvent (hEvent=0x420) returned 1 [0168.642] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.649] SetEvent (hEvent=0x40c) returned 1 [0168.660] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12826fc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x19c [0168.661] CloseHandle (hObject=0x19c) returned 1 [0168.661] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0168.669] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.669] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0168.669] SetEvent (hEvent=0x19c) returned 1 [0168.669] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0168.674] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0168.674] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0169.376] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0169.395] SetEvent (hEvent=0xfc) returned 1 [0169.395] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0169.474] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0169.474] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0169.475] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4d28a, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4d28a, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6593d93a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2698)) returned 1 [0169.475] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0169.475] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0169.475] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12923d1c*=0x2698, lpOverlapped=0x0) returned 1 [0169.481] GetFileType (hFile=0x1a0) returned 0x1 [0169.481] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.481] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x2698, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12923d00*=0x2698, lpOverlapped=0x12923d0c) returned 1 [0169.481] GetFileType (hFile=0x1a0) returned 0x1 [0169.481] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2698, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0169.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0169.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0169.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914560 | out: pbBuffer=0x12914560) returned 1 [0169.482] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.483] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0169.483] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.483] CloseHandle (hObject=0x42c) returned 1 [0169.490] CloseHandle (hObject=0x1a0) returned 1 [0169.501] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914578 | out: pbBuffer=0x12914578) returned 1 [0169.501] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[E51544CF19972E72]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[e51544cf19972e72]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.608] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0169.681] SetEvent (hEvent=0x1b8) returned 1 [0169.681] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0169.681] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0169.681] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b2cf46, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b2cf46, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65acff84, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3708)) returned 1 [0169.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0169.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a428 | out: pbBuffer=0x12a9a428) returned 1 [0169.682] ReadFile (in: hFile=0x408, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12923d1c*=0x3708, lpOverlapped=0x0) returned 1 [0169.693] GetFileType (hFile=0x408) returned 0x1 [0169.693] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.693] WriteFile (in: hFile=0x408, lpBuffer=0x12c7a000*, nNumberOfBytesToWrite=0x3708, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12c7a000*, lpNumberOfBytesWritten=0x12923d00*=0x3708, lpOverlapped=0x12923d0c) returned 1 [0169.693] GetFileType (hFile=0x408) returned 0x1 [0169.694] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x3708, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0169.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0169.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0169.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a4e0 | out: pbBuffer=0x12a9a4e0) returned 1 [0169.694] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0169.695] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0169.695] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c2e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e500*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.695] CloseHandle (hObject=0x1a0) returned 1 [0169.708] SetEvent (hEvent=0x110) returned 1 [0169.708] CloseHandle (hObject=0x408) returned 1 [0169.710] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a4f8 | out: pbBuffer=0x12a9a4f8) returned 1 [0169.710] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[4B4A0953BA7E82D5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[4b4a0953ba7e82d5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0170.183] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0170.197] SetEvent (hEvent=0x40c) returned 1 [0170.197] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0170.197] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0170.197] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e727d9e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4e727d9e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4e727d9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcb2)) returned 1 [0170.197] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0170.197] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0170.198] ReadFile (in: hFile=0x3c4, lpBuffer=0x12c4e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c4e000*, lpNumberOfBytesRead=0x12923d1c*=0xcb2, lpOverlapped=0x0) returned 1 [0170.206] GetFileType (hFile=0x3c4) returned 0x1 [0170.206] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.206] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c10d80*, nNumberOfBytesToWrite=0xcb2, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12c10d80*, lpNumberOfBytesWritten=0x12923d00*=0xcb2, lpOverlapped=0x12923d0c) returned 1 [0170.206] GetFileType (hFile=0x3c4) returned 0x1 [0170.206] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0xcb2, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0170.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0170.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0170.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914560 | out: pbBuffer=0x12914560) returned 1 [0170.207] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0170.207] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0170.207] WriteFile (in: hFile=0x42c, lpBuffer=0x12b66500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b66500*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0170.208] CloseHandle (hObject=0x42c) returned 1 [0170.227] CloseHandle (hObject=0x3c4) returned 1 [0170.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914578 | out: pbBuffer=0x12914578) returned 1 [0170.232] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[A77C5FD0DBED5CA2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[a77c5fd0dbed5ca2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0170.528] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0170.597] SetEvent (hEvent=0x40c) returned 1 [0170.597] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0170.598] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0170.598] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc70b72, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x38)) returned 1 [0170.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4e0 | out: pbBuffer=0x1280e4e0) returned 1 [0170.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a130 | out: pbBuffer=0x12a9a130) returned 1 [0170.598] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c8e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c8e000*, lpNumberOfBytesRead=0x12923d1c*=0x38, lpOverlapped=0x0) returned 1 [0170.599] GetFileType (hFile=0x1a0) returned 0x1 [0170.599] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.600] WriteFile (in: hFile=0x1a0, lpBuffer=0x12ae2080*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12ae2080*, lpNumberOfBytesWritten=0x12923d00*=0x38, lpOverlapped=0x12923d0c) returned 1 [0170.601] GetFileType (hFile=0x1a0) returned 0x1 [0170.601] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x38, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0170.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0170.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0170.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1f8 | out: pbBuffer=0x12a9a1f8) returned 1 [0170.601] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0170.601] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0170.601] WriteFile (in: hFile=0x41c, lpBuffer=0x12b42500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b42500*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0170.607] CloseHandle (hObject=0x41c) returned 1 [0170.619] CloseHandle (hObject=0x1a0) returned 1 [0170.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a210 | out: pbBuffer=0x12a9a210) returned 1 [0170.620] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778"), lpNewFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\#_THIS_FILE_IS_ENCRYPTED_[0E8E0993DFD63943]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\#_this_file_is_encrypted_[0e8e0993dfd63943]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0170.629] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DRM" (normalized: "c:\\programdata\\microsoft\\drm"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.629] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DRM" (normalized: "c:\\programdata\\microsoft\\drm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.630] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\DRM\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0170.630] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.630] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 1 [0170.630] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.630] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0170.631] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DRM\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\drm\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.631] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DRM\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\drm\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.631] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DRM\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\drm\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0170.631] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0170.632] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c08000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12c08000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0170.633] CloseHandle (hObject=0x1a0) returned 1 [0170.633] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DRM\\Server" (normalized: "c:\\programdata\\microsoft\\drm\\server"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.634] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DRM\\Server" (normalized: "c:\\programdata\\microsoft\\drm\\server"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.634] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0170.634] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.634] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.634] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0170.634] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DRM\\Server\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\drm\\server\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.634] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DRM\\Server\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\drm\\server\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.635] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DRM\\Server\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\drm\\server\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0170.635] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0170.635] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c09300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12c09300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0170.637] CloseHandle (hObject=0x1a0) returned 1 [0170.637] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DataMart" (normalized: "c:\\programdata\\microsoft\\datamart"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.713] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DataMart" (normalized: "c:\\programdata\\microsoft\\datamart"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.713] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0170.713] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.713] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PaidWiFi", cAlternateFileName="")) returned 1 [0170.713] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.714] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0170.714] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\datamart\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.714] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\datamart\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.714] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\datamart\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0170.722] SetEvent (hEvent=0x110) returned 1 [0170.722] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0170.722] WriteFile (in: hFile=0x41c, lpBuffer=0x12c0a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12c0a600*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0170.723] CloseHandle (hObject=0x41c) returned 1 [0170.724] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi" (normalized: "c:\\programdata\\microsoft\\datamart\\paidwifi"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.726] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi" (normalized: "c:\\programdata\\microsoft\\datamart\\paidwifi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.726] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0170.726] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.726] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.726] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0170.726] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\datamart\\paidwifi\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.727] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\datamart\\paidwifi\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.727] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\datamart\\paidwifi\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0171.054] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0171.194] WriteFile (in: hFile=0x408, lpBuffer=0x12c0b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12c0b900*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0171.196] CloseHandle (hObject=0x408) returned 1 [0171.403] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage" (normalized: "c:\\programdata\\microsoft\\device stage"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0171.417] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage" (normalized: "c:\\programdata\\microsoft\\device stage"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0171.417] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0171.447] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.447] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device", cAlternateFileName="")) returned 1 [0171.447] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 1 [0171.447] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0171.447] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0171.578] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.579] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.579] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0171.580] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0171.580] WriteFile (in: hFile=0x408, lpBuffer=0x12c0cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12c0cc00*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0171.582] CloseHandle (hObject=0x408) returned 1 [0171.582] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device" (normalized: "c:\\programdata\\microsoft\\device stage\\device"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0171.582] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device" (normalized: "c:\\programdata\\microsoft\\device stage\\device"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0171.583] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0171.583] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.583] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0171.583] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0171.583] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0171.584] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0171.584] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.584] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.664] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0171.669] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0171.669] WriteFile (in: hFile=0x408, lpBuffer=0x12be8000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12be8000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0171.671] CloseHandle (hObject=0x408) returned 1 [0171.671] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0171.676] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0171.676] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0171.689] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.689] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0171.689] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x0, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0171.689] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="device.png", cAlternateFileName="")) returned 1 [0171.689] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0171.689] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0171.689] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0171.690] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0171.691] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.692] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0171.692] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0171.693] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0171.693] WriteFile (in: hFile=0x408, lpBuffer=0x12be9300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12be9300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0171.695] CloseHandle (hObject=0x408) returned 1 [0171.695] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1)) returned 1 [0171.745] SetEvent (hEvent=0x10c) returned 1 [0171.745] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb61)) returned 1 [0171.781] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xadc8)) returned 1 [0171.781] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1)) returned 1 [0171.781] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x99d3)) returned 1 [0172.038] SwitchToThread () returned 1 [0172.056] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0172.057] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.057] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0172.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0172.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0172.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0172.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.058] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0172.071] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.071] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.071] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.293] SetEvent (hEvent=0x110) returned 1 [0172.294] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0172.303] WriteFile (in: hFile=0x15c, lpBuffer=0x12bea600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12bea600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0172.305] CloseHandle (hObject=0x15c) returned 1 [0172.316] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1)) returned 1 [0172.317] SetEvent (hEvent=0x10c) returned 1 [0172.317] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6cf)) returned 1 [0172.331] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1)) returned 1 [0172.332] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task" (normalized: "c:\\programdata\\microsoft\\device stage\\task"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0172.332] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task" (normalized: "c:\\programdata\\microsoft\\device stage\\task"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.332] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0172.341] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.342] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0172.342] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0172.342] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.342] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0172.378] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.378] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.379] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.379] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.379] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.382] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0172.382] WriteFile (in: hFile=0x15c, lpBuffer=0x12beb900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12beb900*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0172.384] CloseHandle (hObject=0x15c) returned 1 [0172.384] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0172.385] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.385] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0172.483] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.483] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0172.483] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0172.483] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0172.484] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x0, dwReserved1=0x0, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0172.484] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x0, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0172.484] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x0, dwReserved1=0x0, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0172.484] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0172.484] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x0, dwReserved1=0x0, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0172.484] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x0, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0172.484] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0172.484] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.484] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0172.486] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.487] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.487] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.488] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0172.488] WriteFile (in: hFile=0x15c, lpBuffer=0x12becc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12becc00*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0172.489] CloseHandle (hObject=0x15c) returned 1 [0172.490] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0172.494] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.495] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0172.495] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.495] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb0c2e2, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9eb0c2e2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9eb0c2e2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x0, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0172.495] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.495] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0172.495] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.496] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.496] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.497] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0172.497] WriteFile (in: hFile=0x15c, lpBuffer=0x12d0e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12d0e000*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0172.498] CloseHandle (hObject=0x15c) returned 1 [0172.499] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb0c2e2, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9eb0c2e2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9eb0c2e2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x536)) returned 1 [0172.502] SetEvent (hEvent=0x10c) returned 1 [0172.502] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3)) returned 1 [0172.508] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x72ee)) returned 1 [0172.509] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14668)) returned 1 [0172.509] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x536)) returned 1 [0172.509] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9)) returned 1 [0172.509] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.510] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.510] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.510] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.510] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10850)) returned 1 [0172.511] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc04b)) returned 1 [0172.514] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2aff)) returned 1 [0172.515] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4)) returned 1 [0172.515] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0172.515] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.515] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x0, dwReserved1=0x0, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x0, dwReserved1=0x0, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x0, dwReserved1=0x0, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21344266, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x21344266, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x0, dwReserved1=0x0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0172.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.528] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0172.529] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.531] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.531] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.532] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0172.532] WriteFile (in: hFile=0x15c, lpBuffer=0x12d0f300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12d0f300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0172.533] CloseHandle (hObject=0x15c) returned 1 [0172.534] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0172.534] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.534] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0172.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f57a684, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9f57a684, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9f57a684, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0172.537] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.537] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0172.537] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.537] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.538] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.538] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0172.538] WriteFile (in: hFile=0x15c, lpBuffer=0x12d10600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12d10600*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0172.540] CloseHandle (hObject=0x15c) returned 1 [0172.541] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f57a684, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9f57a684, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9f57a684, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x5e8)) returned 1 [0172.544] SetEvent (hEvent=0x420) returned 1 [0172.544] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3)) returned 1 [0172.545] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8)) returned 1 [0172.545] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xebb8)) returned 1 [0172.546] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xdff5)) returned 1 [0172.635] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec75)) returned 1 [0172.677] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10654)) returned 1 [0172.677] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21344266, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x21344266, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2)) returned 1 [0172.677] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c64)) returned 1 [0172.678] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DeviceSync" (normalized: "c:\\programdata\\microsoft\\devicesync"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0172.678] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DeviceSync" (normalized: "c:\\programdata\\microsoft\\devicesync"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.678] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\DeviceSync\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0172.679] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.679] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.679] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0172.679] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\DeviceSync\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\devicesync\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.679] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DeviceSync\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\devicesync\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.679] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\DeviceSync\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\devicesync\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.680] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0172.680] WriteFile (in: hFile=0x15c, lpBuffer=0x12d11900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d11900*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0172.682] CloseHandle (hObject=0x15c) returned 1 [0172.682] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis" (normalized: "c:\\programdata\\microsoft\\diagnosis"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0172.683] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis" (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.683] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0172.683] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.683] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AsimovUploader", cAlternateFileName="ASIMOV~1")) returned 1 [0172.683] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DownloadedScenarios", cAlternateFileName="DOWNLO~1")) returned 1 [0172.683] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DownloadedSettings", cAlternateFileName="DOWNLO~2")) returned 1 [0172.683] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETLLogs", cAlternateFileName="")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf380d4, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf380d4, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="events00.rbs", cAlternateFileName="")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc28f5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="events01.rbs", cAlternateFileName="")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf5c28, dwReserved0=0x0, dwReserved1=0x0, cFileName="events10.rbs", cAlternateFileName="")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2e147a, dwReserved0=0x0, dwReserved1=0x0, cFileName="events11.rbs", cAlternateFileName="")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalTraceStore", cAlternateFileName="LOCALT~1")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd17b1a49, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x36edfa80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="parse.dat", cAlternateFileName="")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sideload", cAlternateFileName="")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Siufloc", cAlternateFileName="")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftLanding", cAlternateFileName="SOFTLA~1")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 1 [0172.684] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.684] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0172.684] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.685] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.685] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.685] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0172.685] WriteFile (in: hFile=0x15c, lpBuffer=0x12d12c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d12c00*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0172.695] CloseHandle (hObject=0x15c) returned 1 [0172.696] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader" (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0172.696] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader" (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.696] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0172.696] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.696] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.697] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0172.697] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.697] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.697] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.698] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0172.698] WriteFile (in: hFile=0x15c, lpBuffer=0x12d16000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12d16000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0172.700] CloseHandle (hObject=0x15c) returned 1 [0172.700] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0172.701] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.701] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0172.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0172.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe010bd8d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe010bd8d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe010bd8d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.DIAGNOSTICS.xml", cAlternateFileName="WINDOW~1.XML")) returned 1 [0172.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe042cf6a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe042cf6a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe042cf6a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.PERFTRACKESCALATIONS.xml", cAlternateFileName="WINDOW~3.XML")) returned 1 [0172.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe05d08a5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe05d08a5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe05d08a5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.PERFTRACKPOINTDATA.xml", cAlternateFileName="WINDOW~4.XML")) returned 1 [0172.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe0263207, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe0263207, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0263207, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.SIUF.xml", cAlternateFileName="WINDOW~2.XML")) returned 1 [0172.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.Uif.static", cAlternateFileName="WINDOW~1.STA")) returned 1 [0172.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe080ca95, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="WINDOWS.UIF.xml", cAlternateFileName="WICECA~1.XML")) returned 1 [0172.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0172.705] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0172.706] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.750] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0172.750] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.751] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0172.751] WriteFile (in: hFile=0x15c, lpBuffer=0x12d17300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12d17300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0172.752] CloseHandle (hObject=0x15c) returned 1 [0172.753] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe010bd8d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe010bd8d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe010bd8d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55)) returned 1 [0172.754] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe042cf6a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe042cf6a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe042cf6a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55)) returned 1 [0172.766] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe05d08a5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe05d08a5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe05d08a5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55)) returned 1 [0172.767] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe0263207, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe0263207, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0263207, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55)) returned 1 [0172.767] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe080ca95, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55)) returned 1 [0172.767] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa3a)) returned 1 [0172.768] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.768] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml\\*", lpFindFileData=0x12a67a44 | out: lpFindFileData=0x12a67a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.768] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0172.768] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0172.768] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa3a)) returned 1 [0172.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280fba0 | out: pbBuffer=0x1280fba0) returned 1 [0172.779] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9bdb8 | out: pbBuffer=0x12a9bdb8) returned 1 [0172.796] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0172.799] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0172.854] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0172.854] SetEvent (hEvent=0x110) returned 1 [0172.854] SetEvent (hEvent=0x420) returned 1 [0172.867] ReadFile (in: hFile=0x15c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a67d1c*=0xa3a, lpOverlapped=0x0) returned 1 [0172.979] SetEvent (hEvent=0x420) returned 1 [0172.979] GetFileType (hFile=0x15c) returned 0x1 [0172.979] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0172.979] WriteFile (in: hFile=0x15c, lpBuffer=0x12a74a80*, nNumberOfBytesToWrite=0xa3a, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12a74a80*, lpNumberOfBytesWritten=0x12a67d00*=0xa3a, lpOverlapped=0x12a67d0c) returned 1 [0172.979] GetFileType (hFile=0x15c) returned 0x1 [0172.979] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xa3a, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0173.026] SetEvent (hEvent=0x420) returned 1 [0173.069] SetEvent (hEvent=0x420) returned 1 [0173.069] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0173.083] SetEvent (hEvent=0x420) returned 1 [0173.083] SetEvent (hEvent=0x10c) returned 1 [0173.717] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0173.774] SetEvent (hEvent=0x3f8) returned 1 [0173.774] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0174.222] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0174.530] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0174.536] SetEvent (hEvent=0x19c) returned 1 [0174.537] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0174.604] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0174.649] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0174.650] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0174.650] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168)) returned 1 [0174.650] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e460 | out: pbBuffer=0x1280e460) returned 1 [0174.650] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0174.650] ReadFile (in: hFile=0x438, lpBuffer=0x12b70000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b70000*, lpNumberOfBytesRead=0x12925d1c*=0x168, lpOverlapped=0x0) returned 1 [0174.651] GetFileType (hFile=0x438) returned 0x1 [0174.651] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.651] WriteFile (in: hFile=0x438, lpBuffer=0x12c8a780*, nNumberOfBytesToWrite=0x168, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12c8a780*, lpNumberOfBytesWritten=0x12925d00*=0x168, lpOverlapped=0x12925d0c) returned 1 [0174.652] GetFileType (hFile=0x438) returned 0x1 [0174.652] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x168, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.652] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0174.652] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0174.652] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0174.652] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1b0 | out: pbBuffer=0x12a9a1b0) returned 1 [0174.652] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0174.653] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0174.653] WriteFile (in: hFile=0x43c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.702] CloseHandle (hObject=0x43c) returned 1 [0174.865] CloseHandle (hObject=0x438) returned 1 [0174.964] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0174.990] SetEvent (hEvent=0x3f8) returned 1 [0174.990] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0174.990] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0174.990] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd)) returned 1 [0174.990] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0174.990] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0174.991] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c00000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c00000*, lpNumberOfBytesRead=0x12a63d1c*=0xcdd, lpOverlapped=0x0) returned 1 [0175.090] SetEvent (hEvent=0x110) returned 1 [0175.090] GetFileType (hFile=0x1a0) returned 0x1 [0175.090] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.090] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0xcdd, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12a63d00*=0xcdd, lpOverlapped=0x12a63d0c) returned 1 [0175.135] GetFileType (hFile=0x1a0) returned 0x1 [0175.135] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xcdd, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.135] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0175.135] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0175.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0175.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0175.136] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0175.136] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0175.136] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b02000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.153] CloseHandle (hObject=0x3c4) returned 1 [0175.157] CloseHandle (hObject=0x1a0) returned 1 [0175.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810300 | out: pbBuffer=0x12810300) returned 1 [0175.258] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[40C518819DD948AA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\#_this_file_is_encrypted_[40c518819dd948aa]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.296] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2173cb2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2173cb2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x243)) returned 1 [0175.297] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2363c60, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2363c60, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2389ec8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1988)) returned 1 [0175.297] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0175.297] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0175.297] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2173cb2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2173cb2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x243)) returned 1 [0175.298] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844d60 | out: pbBuffer=0x12844d60) returned 1 [0175.298] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810398 | out: pbBuffer=0x12810398) returned 1 [0175.298] ReadFile (in: hFile=0x42c, lpBuffer=0x12a16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a16000*, lpNumberOfBytesRead=0x12a63d1c*=0x243, lpOverlapped=0x0) returned 1 [0175.299] GetFileType (hFile=0x42c) returned 0x1 [0175.299] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.299] WriteFile (in: hFile=0x42c, lpBuffer=0x1285d680*, nNumberOfBytesToWrite=0x243, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x1285d680*, lpNumberOfBytesWritten=0x12a63d00*=0x243, lpOverlapped=0x12a63d0c) returned 1 [0175.299] GetFileType (hFile=0x42c) returned 0x1 [0175.299] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x243, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.300] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0175.300] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0175.301] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0175.301] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810460 | out: pbBuffer=0x12810460) returned 1 [0175.301] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0175.301] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0175.301] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b02f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02f00*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.330] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0175.349] SetEvent (hEvent=0xfc) returned 1 [0175.349] CloseHandle (hObject=0x1a0) returned 1 [0175.351] CloseHandle (hObject=0x42c) returned 1 [0175.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145d8 | out: pbBuffer=0x129145d8) returned 1 [0175.351] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[6E89216E8A2CA142]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\#_this_file_is_encrypted_[6e89216e8a2ca142]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.427] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0175.493] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0175.701] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0175.814] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0175.815] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0175.815] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716)) returned 1 [0175.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0175.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0175.815] ReadFile (in: hFile=0x42c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a63d1c*=0x716, lpOverlapped=0x0) returned 1 [0175.868] GetFileType (hFile=0x42c) returned 0x1 [0175.868] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.868] WriteFile (in: hFile=0x42c, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x716, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12a63d00*=0x716, lpOverlapped=0x12a63d0c) returned 1 [0175.868] GetFileType (hFile=0x42c) returned 0x1 [0175.868] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x716, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0175.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0175.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0175.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0175.869] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0175.869] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0175.869] WriteFile (in: hFile=0x438, lpBuffer=0x12d62000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d62000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.870] CloseHandle (hObject=0x438) returned 1 [0175.921] CloseHandle (hObject=0x42c) returned 1 [0176.028] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0176.224] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810108 | out: pbBuffer=0x12810108) returned 1 [0176.225] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_2.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[3F4A8BD7E54A9530]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\#_this_file_is_encrypted_[3f4a8bd7e54a9530]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0176.279] SetEvent (hEvent=0xfc) returned 1 [0176.279] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0176.556] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0176.557] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0176.557] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1646620, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1646620, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcb)) returned 1 [0176.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128448e0 | out: pbBuffer=0x128448e0) returned 1 [0176.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810220 | out: pbBuffer=0x12810220) returned 1 [0176.557] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0176.563] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0176.563] SetEvent (hEvent=0x110) returned 1 [0176.563] SetEvent (hEvent=0xf4) returned 1 [0176.563] SetEvent (hEvent=0x10c) returned 1 [0176.563] ReadFile (in: hFile=0x43c, lpBuffer=0x12cea000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cea000*, lpNumberOfBytesRead=0x12a67d1c*=0xcb, lpOverlapped=0x0) returned 1 [0176.565] GetFileType (hFile=0x43c) returned 0x1 [0176.565] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.565] WriteFile (in: hFile=0x43c, lpBuffer=0x12a50270*, nNumberOfBytesToWrite=0xcb, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12a50270*, lpNumberOfBytesWritten=0x12a67d00*=0xcb, lpOverlapped=0x12a67d0c) returned 1 [0176.566] GetFileType (hFile=0x43c) returned 0x1 [0176.566] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xcb, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0176.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0176.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0176.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102e8 | out: pbBuffer=0x128102e8) returned 1 [0176.567] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0176.567] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0176.567] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d62a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d62a00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0176.922] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0177.349] CloseHandle (hObject=0x3c4) returned 1 [0177.362] CloseHandle (hObject=0x43c) returned 1 [0177.370] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848000 | out: pbBuffer=0x12848000) returned 1 [0177.713] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[31A02EEADB9403E3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\#_this_file_is_encrypted_[31a02eeadb9403e3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0177.715] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0177.716] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.716] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0177.834] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0177.834] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0177.834] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0177.834] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0177.834] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0177.845] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0177.845] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0177.846] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0177.858] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0177.858] WriteFile (in: hFile=0x15c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0177.860] CloseHandle (hObject=0x15c) returned 1 [0177.860] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0177.860] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.861] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0177.861] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0177.861] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0177.861] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0177.861] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0177.861] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0177.861] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0177.861] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0177.862] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0177.862] WriteFile (in: hFile=0x15c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0177.864] CloseHandle (hObject=0x15c) returned 1 [0177.864] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670)) returned 1 [0178.062] SetEvent (hEvent=0xf4) returned 1 [0178.073] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c)) returned 1 [0178.085] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ce2cc2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8b2)) returned 1 [0178.096] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0178.180] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.180] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0178.638] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0178.639] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0178.639] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ce2cc2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8b2)) returned 1 [0178.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98060 | out: pbBuffer=0x12a98060) returned 1 [0178.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0178.654] ReadFile (in: hFile=0x438, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12927d1c*=0x8b2, lpOverlapped=0x0) returned 1 [0178.819] GetFileType (hFile=0x438) returned 0x1 [0178.819] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0178.819] WriteFile (in: hFile=0x438, lpBuffer=0x1286e000*, nNumberOfBytesToWrite=0x8b2, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x1286e000*, lpNumberOfBytesWritten=0x12927d00*=0x8b2, lpOverlapped=0x12927d0c) returned 1 [0178.820] GetFileType (hFile=0x438) returned 0x1 [0178.820] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x8b2, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0179.109] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0179.110] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0179.110] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c)) returned 1 [0179.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98100 | out: pbBuffer=0x12a98100) returned 1 [0179.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848400 | out: pbBuffer=0x12848400) returned 1 [0179.111] SwitchToThread () returned 1 [0179.316] ReadFile (in: hFile=0x15c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a61d1c*=0x15c, lpOverlapped=0x0) returned 1 [0179.317] GetFileType (hFile=0x15c) returned 0x1 [0179.317] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0179.317] WriteFile (in: hFile=0x15c, lpBuffer=0x128849a0*, nNumberOfBytesToWrite=0x15c, lpNumberOfBytesWritten=0x12a61d00, lpOverlapped=0x12a61d0c | out: lpBuffer=0x128849a0*, lpNumberOfBytesWritten=0x12a61d00*=0x15c, lpOverlapped=0x12a61d0c) returned 1 [0179.317] GetFileType (hFile=0x15c) returned 0x1 [0179.317] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x15c, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0179.563] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0179.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0179.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0179.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0180.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484a8 | out: pbBuffer=0x128484a8) returned 1 [0180.168] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0180.168] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0180.168] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0180.168] CloseHandle (hObject=0x42c) returned 1 [0180.170] CloseHandle (hObject=0x438) returned 1 [0180.170] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484c0 | out: pbBuffer=0x128484c0) returned 1 [0180.171] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\#_THIS_FILE_IS_ENCRYPTED_[238A8FB6E257506A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\#_this_file_is_encrypted_[238a8fb6e257506a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0180.172] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0180.172] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0180.172] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae)) returned 1 [0180.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a982e0 | out: pbBuffer=0x12a982e0) returned 1 [0180.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848508 | out: pbBuffer=0x12848508) returned 1 [0180.173] ReadFile (in: hFile=0x438, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12927d1c*=0x1bae, lpOverlapped=0x0) returned 1 [0180.460] GetFileType (hFile=0x438) returned 0x1 [0180.460] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0180.460] WriteFile (in: hFile=0x438, lpBuffer=0x1285a000*, nNumberOfBytesToWrite=0x1bae, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x1285a000*, lpNumberOfBytesWritten=0x12927d00*=0x1bae, lpOverlapped=0x12927d0c) returned 1 [0180.461] GetFileType (hFile=0x438) returned 0x1 [0180.461] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x1bae, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0180.461] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0180.461] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835081 | out: pbBuffer=0x12835081) returned 1 [0180.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835181 | out: pbBuffer=0x12835181) returned 1 [0180.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a4e0 | out: pbBuffer=0x12a9a4e0) returned 1 [0180.462] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0180.462] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0180.463] WriteFile (in: hFile=0x428, lpBuffer=0x12d63900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d63900*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0180.463] CloseHandle (hObject=0x428) returned 1 [0180.465] CloseHandle (hObject=0x438) returned 1 [0180.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a4f8 | out: pbBuffer=0x12a9a4f8) returned 1 [0180.465] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[CF08CE4BC45C39DD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\#_this_file_is_encrypted_[cf08ce4bc45c39dd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0180.612] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0180.626] SetEvent (hEvent=0x19c) returned 1 [0180.626] SwitchToThread () returned 1 [0180.627] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0180.955] SetEvent (hEvent=0x19c) returned 1 [0180.956] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0180.956] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0180.956] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710)) returned 1 [0180.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0180.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0180.957] ReadFile (in: hFile=0x438, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a67d1c*=0x710, lpOverlapped=0x0) returned 1 [0181.104] GetFileType (hFile=0x438) returned 0x1 [0181.105] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.105] WriteFile (in: hFile=0x438, lpBuffer=0x12a6c000*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12a6c000*, lpNumberOfBytesWritten=0x12a67d00*=0x710, lpOverlapped=0x12a67d0c) returned 1 [0181.105] GetFileType (hFile=0x438) returned 0x1 [0181.105] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x710, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0181.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0181.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0181.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1b0 | out: pbBuffer=0x12a9a1b0) returned 1 [0181.106] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.106] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0181.106] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a5e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a5e500*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.111] CloseHandle (hObject=0x3c4) returned 1 [0181.113] CloseHandle (hObject=0x438) returned 1 [0181.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1c8 | out: pbBuffer=0x12a9a1c8) returned 1 [0181.113] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_1.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[5C2EF1372C232590]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\#_this_file_is_encrypted_[5c2ef1372c232590]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.155] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0181.175] SetEvent (hEvent=0x19c) returned 1 [0181.175] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.175] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0181.175] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0181.176] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98680 | out: pbBuffer=0x12a98680) returned 1 [0181.176] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848528 | out: pbBuffer=0x12848528) returned 1 [0181.177] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0181.183] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0181.183] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0181.183] SetEvent (hEvent=0x110) returned 1 [0181.183] SetEvent (hEvent=0x19c) returned 1 [0181.183] ReadFile (in: hFile=0x3c4, lpBuffer=0x12a2a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a2a000*, lpNumberOfBytesRead=0x12a67d1c*=0x10f, lpOverlapped=0x0) returned 1 [0181.186] GetFileType (hFile=0x3c4) returned 0x1 [0181.186] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.186] WriteFile (in: hFile=0x3c4, lpBuffer=0x129a4c60*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x129a4c60*, lpNumberOfBytesWritten=0x12a67d00*=0x10f, lpOverlapped=0x12a67d0c) returned 1 [0181.186] GetFileType (hFile=0x3c4) returned 0x1 [0181.186] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc81 | out: pbBuffer=0x12afcc81) returned 1 [0181.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd81 | out: pbBuffer=0x12afcd81) returned 1 [0181.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce81 | out: pbBuffer=0x12afce81) returned 1 [0181.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128487b0 | out: pbBuffer=0x128487b0) returned 1 [0181.187] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.187] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0181.187] WriteFile (in: hFile=0x428, lpBuffer=0x12b12f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12f00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.202] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0181.205] CloseHandle (hObject=0x428) returned 1 [0181.206] CloseHandle (hObject=0x3c4) returned 1 [0181.207] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146a0 | out: pbBuffer=0x129146a0) returned 1 [0181.207] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\#_THIS_FILE_IS_ENCRYPTED_[E531B94A16023A6D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\#_this_file_is_encrypted_[e531b94a16023a6d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.208] SetEvent (hEvent=0xf4) returned 1 [0181.208] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.208] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0181.209] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x1b2)) returned 1 [0181.209] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284a0 | out: pbBuffer=0x129284a0) returned 1 [0181.209] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146f8 | out: pbBuffer=0x129146f8) returned 1 [0181.210] ReadFile (in: hFile=0x3c4, lpBuffer=0x12c6c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c6c000*, lpNumberOfBytesRead=0x12a67d1c*=0x1b2, lpOverlapped=0x0) returned 1 [0181.211] GetFileType (hFile=0x3c4) returned 0x1 [0181.211] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.212] WriteFile (in: hFile=0x3c4, lpBuffer=0x12af0e00*, nNumberOfBytesToWrite=0x1b2, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12af0e00*, lpNumberOfBytesWritten=0x12a67d00*=0x1b2, lpOverlapped=0x12a67d0c) returned 1 [0181.212] GetFileType (hFile=0x3c4) returned 0x1 [0181.212] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x1b2, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0181.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0181.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0181.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914800 | out: pbBuffer=0x12914800) returned 1 [0181.213] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.213] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0181.213] WriteFile (in: hFile=0x428, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.220] CloseHandle (hObject=0x428) returned 1 [0181.221] CloseHandle (hObject=0x3c4) returned 1 [0181.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848000 | out: pbBuffer=0x12848000) returned 1 [0181.221] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[F9EF34A2968C1A01]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\#_this_file_is_encrypted_[f9ef34a2968c1a01]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.276] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.276] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0181.277] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebc2ab1, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xebc2ab1, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xebc2ab1, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x666)) returned 1 [0181.277] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0181.277] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848048 | out: pbBuffer=0x12848048) returned 1 [0181.277] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a65d1c*=0x666, lpOverlapped=0x0) returned 1 [0181.306] GetFileType (hFile=0x3c4) returned 0x1 [0181.306] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.306] WriteFile (in: hFile=0x3c4, lpBuffer=0x1290c700*, nNumberOfBytesToWrite=0x666, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x1290c700*, lpNumberOfBytesWritten=0x12a65d00*=0x666, lpOverlapped=0x12a65d0c) returned 1 [0181.306] GetFileType (hFile=0x3c4) returned 0x1 [0181.306] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x666, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.307] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc081 | out: pbBuffer=0x12afc081) returned 1 [0181.307] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0181.307] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0181.322] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483d0 | out: pbBuffer=0x128483d0) returned 1 [0181.322] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0181.354] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0181.354] WriteFile (in: hFile=0x43c, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.394] CloseHandle (hObject=0x43c) returned 1 [0181.395] CloseHandle (hObject=0x3c4) returned 1 [0181.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a210 | out: pbBuffer=0x12a9a210) returned 1 [0181.404] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\#_THIS_FILE_IS_ENCRYPTED_[7CCD322E9112C470]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\#_this_file_is_encrypted_[7ccd322e9112c470]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.426] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0181.430] SetEvent (hEvent=0x3f4) returned 1 [0181.431] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0181.431] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0181.431] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f1f13f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f1f13f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f1f13f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0181.431] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6a0 | out: pbBuffer=0x1280e6a0) returned 1 [0181.431] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2b8 | out: pbBuffer=0x12a9a2b8) returned 1 [0181.431] ReadFile (in: hFile=0x1a0, lpBuffer=0x12cd0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cd0000*, lpNumberOfBytesRead=0x12a65d1c*=0x10f, lpOverlapped=0x0) returned 1 [0181.433] GetFileType (hFile=0x1a0) returned 0x1 [0181.433] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.433] WriteFile (in: hFile=0x1a0, lpBuffer=0x1299a5a0*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x1299a5a0*, lpNumberOfBytesWritten=0x12a65d00*=0x10f, lpOverlapped=0x12a65d0c) returned 1 [0181.443] GetFileType (hFile=0x1a0) returned 0x1 [0181.443] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0181.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0181.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0181.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a3e0 | out: pbBuffer=0x12a9a3e0) returned 1 [0181.444] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0181.445] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0181.445] WriteFile (in: hFile=0x438, lpBuffer=0x12b12a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12a00*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.499] CloseHandle (hObject=0x438) returned 1 [0181.501] CloseHandle (hObject=0x1a0) returned 1 [0181.501] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a3f8 | out: pbBuffer=0x12a9a3f8) returned 1 [0181.501] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\#_THIS_FILE_IS_ENCRYPTED_[44B30B2D549F86E3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\#_this_file_is_encrypted_[44b30b2d549f86e3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.503] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0181.514] SetEvent (hEvent=0x3f4) returned 1 [0181.514] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0181.515] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0181.515] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x734)) returned 1 [0181.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e8e0 | out: pbBuffer=0x1280e8e0) returned 1 [0181.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a440 | out: pbBuffer=0x12a9a440) returned 1 [0181.515] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a65d1c*=0x734, lpOverlapped=0x0) returned 1 [0181.529] GetFileType (hFile=0x1a0) returned 0x1 [0181.530] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.530] WriteFile (in: hFile=0x1a0, lpBuffer=0x12996800*, nNumberOfBytesToWrite=0x734, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12996800*, lpNumberOfBytesWritten=0x12a65d00*=0x734, lpOverlapped=0x12a65d0c) returned 1 [0181.530] GetFileType (hFile=0x1a0) returned 0x1 [0181.530] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x734, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835001 | out: pbBuffer=0x12835001) returned 1 [0181.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835101 | out: pbBuffer=0x12835101) returned 1 [0181.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835201 | out: pbBuffer=0x12835201) returned 1 [0181.543] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0181.548] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0181.548] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0181.548] SetEvent (hEvent=0x110) returned 1 [0181.548] SetEvent (hEvent=0x3f8) returned 1 [0181.549] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a508 | out: pbBuffer=0x12a9a508) returned 1 [0181.549] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0181.549] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0181.549] WriteFile (in: hFile=0x438, lpBuffer=0x12b13400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b13400*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.549] CloseHandle (hObject=0x438) returned 1 [0181.720] CloseHandle (hObject=0x1a0) returned 1 [0181.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a520 | out: pbBuffer=0x12a9a520) returned 1 [0181.720] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[9C335B53DFB25ABB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\#_this_file_is_encrypted_[9c335b53dfb25abb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.722] SetEvent (hEvent=0x3f8) returned 1 [0181.722] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0181.728] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0181.729] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0181.750] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0181.751] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0181.751] SetEvent (hEvent=0x420) returned 1 [0181.751] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0181.766] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0181.767] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0fddd6c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xda6)) returned 1 [0181.767] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.768] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.768] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0181.770] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.770] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa9d106f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xaa9d106f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaa9d106f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x6eb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0181.770] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fd4d57, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9fd4d57, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9fd4d57, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0181.770] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0181.770] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.770] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0181.773] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.775] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.775] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0181.807] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0181.807] WriteFile (in: hFile=0x43c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0181.976] CloseHandle (hObject=0x43c) returned 1 [0181.989] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fd4d57, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9fd4d57, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9fd4d57, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0182.007] SetEvent (hEvent=0xf4) returned 1 [0182.008] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.051] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.052] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0182.052] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.052] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0182.052] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x5d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0182.052] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.052] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0182.053] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.053] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.053] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0182.054] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0182.054] WriteFile (in: hFile=0x43c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0182.055] CloseHandle (hObject=0x43c) returned 1 [0182.056] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.056] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.057] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0182.066] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.067] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e574f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e574f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x19aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0182.067] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x586, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0182.067] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9ec9c48, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9ec9c48, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9ec9c48, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1018, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1 [0182.067] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f16127, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f16127, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f16127, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_3.provxml", cAlternateFileName="POWER_~4.PRO")) returned 1 [0182.067] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f62605, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f62605, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f62605, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_4.provxml", cAlternateFileName="PO21B6~1.PRO")) returned 1 [0182.067] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f88875, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f88875, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f88875, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_5.provxml", cAlternateFileName="PO5EBD~1.PRO")) returned 1 [0182.067] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x757, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_6.provxml", cAlternateFileName="PO805B~1.PRO")) returned 1 [0182.067] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_7.provxml", cAlternateFileName="POFE19~1.PRO")) returned 1 [0182.067] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.067] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0182.076] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.077] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.077] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0182.078] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0182.078] WriteFile (in: hFile=0x43c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0182.079] CloseHandle (hObject=0x43c) returned 1 [0182.080] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e574f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e574f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x19aa)) returned 1 [0182.080] SetEvent (hEvent=0x420) returned 1 [0182.080] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x586)) returned 1 [0182.085] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9ec9c48, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9ec9c48, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9ec9c48, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1018)) returned 1 [0182.086] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f16127, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f16127, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f16127, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939)) returned 1 [0182.086] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f62605, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f62605, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f62605, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939)) returned 1 [0182.086] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.087] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0182.087] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f16127, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f16127, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f16127, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939)) returned 1 [0182.087] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e3a0 | out: pbBuffer=0x1280e3a0) returned 1 [0182.087] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0f0 | out: pbBuffer=0x12a9a0f0) returned 1 [0182.087] ReadFile (in: hFile=0x42c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12927d1c*=0x1939, lpOverlapped=0x0) returned 1 [0182.107] GetFileType (hFile=0x42c) returned 0x1 [0182.108] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.108] WriteFile (in: hFile=0x42c, lpBuffer=0x128f9980*, nNumberOfBytesToWrite=0x1939, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x128f9980*, lpNumberOfBytesWritten=0x12927d00*=0x1939, lpOverlapped=0x12927d0c) returned 1 [0182.108] GetFileType (hFile=0x42c) returned 0x1 [0182.108] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1939, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.108] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0182.108] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0182.108] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0182.109] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1b8 | out: pbBuffer=0x12a9a1b8) returned 1 [0182.109] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0182.109] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0182.109] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.109] CloseHandle (hObject=0x3c4) returned 1 [0182.149] CloseHandle (hObject=0x42c) returned 1 [0182.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914570 | out: pbBuffer=0x12914570) returned 1 [0182.150] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_3.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[EA203CC84D717986]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\#_this_file_is_encrypted_[ea203cc84d717986]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.152] SetEvent (hEvent=0x3f4) returned 1 [0182.152] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0182.163] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0182.163] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0182.163] SetEvent (hEvent=0x3f4) returned 1 [0182.163] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0182.217] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0182.218] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0182.218] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.218] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x5d3)) returned 1 [0182.218] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0182.218] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0182.218] ReadFile (in: hFile=0x43c, lpBuffer=0x12c68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c68000*, lpNumberOfBytesRead=0x12a67d1c*=0x5d3, lpOverlapped=0x0) returned 1 [0182.246] GetFileType (hFile=0x43c) returned 0x1 [0182.247] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.247] WriteFile (in: hFile=0x43c, lpBuffer=0x12b0c000*, nNumberOfBytesToWrite=0x5d3, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12b0c000*, lpNumberOfBytesWritten=0x12a67d00*=0x5d3, lpOverlapped=0x12a67d0c) returned 1 [0182.247] GetFileType (hFile=0x43c) returned 0x1 [0182.247] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x5d3, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0182.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0182.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0182.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0182.248] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.248] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.248] WriteFile (in: hFile=0x42c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.248] CloseHandle (hObject=0x42c) returned 1 [0182.249] CloseHandle (hObject=0x43c) returned 1 [0182.250] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0182.250] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[1AECF2C8878FAFC5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\#_this_file_is_encrypted_[1aecf2c8878fafc5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.384] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0182.384] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0182.384] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038)) returned 1 [0182.385] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0182.385] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0182.385] ReadFile (in: hFile=0x43c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0182.566] GetFileType (hFile=0x43c) returned 0x1 [0182.566] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.566] WriteFile (in: hFile=0x43c, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0182.567] GetFileType (hFile=0x43c) returned 0x1 [0182.567] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0182.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0182.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0182.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914540 | out: pbBuffer=0x12914540) returned 1 [0182.569] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0182.569] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0182.569] WriteFile (in: hFile=0x15c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.624] CloseHandle (hObject=0x15c) returned 1 [0182.716] CloseHandle (hObject=0x43c) returned 1 [0182.717] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914fb0 | out: pbBuffer=0x12914fb0) returned 1 [0182.717] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\#_THIS_FILE_IS_ENCRYPTED_[DC9762122EB5C383]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\user account pictures\\#_this_file_is_encrypted_[dc9762122eb5c383]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.719] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc)) returned 1 [0182.719] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WDF" (normalized: "c:\\programdata\\microsoft\\wdf"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.719] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WDF" (normalized: "c:\\programdata\\microsoft\\wdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.719] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WDF\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0182.751] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.751] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.751] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0182.751] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WDF\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wdf\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.752] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WDF\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wdf\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.752] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WDF\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wdf\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0182.753] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.753] WriteFile (in: hFile=0x43c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.754] CloseHandle (hObject=0x43c) returned 1 [0182.755] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC" (normalized: "c:\\programdata\\microsoft\\winmsipc"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.771] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC" (normalized: "c:\\programdata\\microsoft\\winmsipc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.771] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.772] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.772] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 1 [0182.772] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.772] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.772] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\winmsipc\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.772] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\winmsipc\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.773] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\winmsipc\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.784] SetEvent (hEvent=0x110) returned 1 [0182.785] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.785] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.786] CloseHandle (hObject=0x42c) returned 1 [0182.787] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\Server" (normalized: "c:\\programdata\\microsoft\\winmsipc\\server"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.791] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\Server" (normalized: "c:\\programdata\\microsoft\\winmsipc\\server"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.791] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.791] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.791] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.791] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.792] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\winmsipc\\server\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.792] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\winmsipc\\server\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.792] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\winmsipc\\server\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.793] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0182.793] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0182.794] CloseHandle (hObject=0x1a0) returned 1 [0182.795] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows" (normalized: "c:\\programdata\\microsoft\\windows"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77d1fe08, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0182.795] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows" (normalized: "c:\\programdata\\microsoft\\windows"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.795] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77d1fe08, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77d1fe08, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x22e61277, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x22e61277, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppRepository", cAlternateFileName="APPREP~1")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac05299e, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0xac05299e, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x3bc1d624, ftLastWriteTime.dwHighDateTime=0x1d112f3, nFileSizeHigh=0x0, nFileSizeLow=0x3c52, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppxProvisioning.xml", cAlternateFileName="APPXPR~1.XML")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x676ae9ec, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5024199a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x50247a6d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Caches", cAlternateFileName="")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cem", cAlternateFileName="")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x544aa3d0, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x544aa3d0, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClipSVC", cAlternateFileName="")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x625e35f4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x8a012d18, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x8a012d18, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeviceMetadataCache", cAlternateFileName="DEVICE~2")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeviceMetadataStore", cAlternateFileName="DEVICE~1")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DRM", cAlternateFileName="")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GameExplorer", cAlternateFileName="GAMEEX~1")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x89384062, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x89384062, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LfSvc", cAlternateFileName="")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parental Controls", cAlternateFileName="PARENT~1")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x70df061a, ftLastAccessTime.dwHighDateTime=0x1d7b05a, ftLastWriteTime.dwLowDateTime=0x70df061a, ftLastWriteTime.dwHighDateTime=0x1d7b05a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power Efficiency Diagnostics", cAlternateFileName="POWERE~1")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ringtones", cAlternateFileName="RINGTO~1")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3d02c647, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x3d02c647, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x3d02c647, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SleepStudy", cAlternateFileName="SLEEPS~1")) returned 1 [0182.796] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b82c014, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8b82c014, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8b82c014, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sqm", cAlternateFileName="")) returned 1 [0182.797] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3672e79, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3672e79, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0182.797] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf639e71, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf639e71, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Start Menu Places", cAlternateFileName="STARTM~2")) returned 1 [0182.797] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0182.797] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WER", cAlternateFileName="")) returned 1 [0182.797] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcc9e8f94, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xcc9e8f94, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wfp", cAlternateFileName="")) returned 1 [0182.797] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.797] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0182.797] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows Defender" (normalized: "c:\\programdata\\microsoft\\windows defender"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.798] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows Defender" (normalized: "c:\\programdata\\microsoft\\windows defender"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.798] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows Defender\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0182.804] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.804] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clean Store", cAlternateFileName="CLEANS~1")) returned 1 [0182.804] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0182.804] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Features", cAlternateFileName="")) returned 1 [0182.805] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0182.805] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network Inspection System", cAlternateFileName="NETWOR~1")) returned 1 [0182.805] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0182.805] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scans", cAlternateFileName="")) returned 1 [0182.805] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x82987280, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x82987280, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Support", cAlternateFileName="")) returned 1 [0182.805] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.805] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0182.806] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows Live" (normalized: "c:\\programdata\\microsoft\\windows live"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.807] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows Live" (normalized: "c:\\programdata\\microsoft\\windows live"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.807] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows Live\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0182.808] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.808] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3731a3a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1231, dwReserved0=0x0, dwReserved1=0x0, cFileName="WLive48x48.png", cAlternateFileName="WLIVE4~1.PNG")) returned 1 [0182.808] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.808] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0182.808] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows NT" (normalized: "c:\\programdata\\microsoft\\windows nt"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.811] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows NT" (normalized: "c:\\programdata\\microsoft\\windows nt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.811] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows NT\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0182.811] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.811] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFax", cAlternateFileName="")) returned 1 [0182.812] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSScan", cAlternateFileName="")) returned 1 [0182.812] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.812] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0182.812] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc" (normalized: "c:\\programdata\\microsoft\\wwansvc"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.812] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc" (normalized: "c:\\programdata\\microsoft\\wwansvc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.813] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0182.813] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.813] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMProfiles", cAlternateFileName="DMPROF~1")) returned 1 [0182.813] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 1 [0182.813] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.813] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0182.813] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wwansvc\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.813] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wwansvc\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.814] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wwansvc\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.814] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.814] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b11300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12b11300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.816] CloseHandle (hObject=0x1a0) returned 1 [0182.816] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles" (normalized: "c:\\programdata\\microsoft\\wwansvc\\dmprofiles"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.817] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles" (normalized: "c:\\programdata\\microsoft\\wwansvc\\dmprofiles"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.817] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.817] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.817] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.817] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.817] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wwansvc\\dmprofiles\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.817] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wwansvc\\dmprofiles\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.818] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wwansvc\\dmprofiles\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.818] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\# SATAN CRYPTOR #.hta\\*", lpFindFileData=0x1282b640 | out: lpFindFileData=0x1282b640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.818] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.818] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.818] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.818] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.819] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.819] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.819] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.819] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.819] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.819] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\# SATAN CRYPTOR #.hta\\*", lpFindFileData=0x1282b640 | out: lpFindFileData=0x1282b640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.820] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\XboxLive" (normalized: "c:\\programdata\\microsoft\\xboxlive"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.824] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\XboxLive" (normalized: "c:\\programdata\\microsoft\\xboxlive"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.824] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.825] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.825] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NSALCache", cAlternateFileName="NSALCA~1")) returned 1 [0182.825] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.825] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.825] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\xboxlive\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.825] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\xboxlive\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.825] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\xboxlive\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.826] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.826] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b14c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12b14c00*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.833] CloseHandle (hObject=0x1a0) returned 1 [0182.833] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache" (normalized: "c:\\programdata\\microsoft\\xboxlive\\nsalcache"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.834] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache" (normalized: "c:\\programdata\\microsoft\\xboxlive\\nsalcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.834] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0182.834] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.834] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.835] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0182.835] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\xboxlive\\nsalcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.835] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\xboxlive\\nsalcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.835] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\xboxlive\\nsalcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.836] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0182.836] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a68000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a68000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0182.838] CloseHandle (hObject=0x1a0) returned 1 [0182.838] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft OneDrive" (normalized: "c:\\programdata\\microsoft onedrive"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.844] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft OneDrive" (normalized: "c:\\programdata\\microsoft onedrive"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.844] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft OneDrive\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.844] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.844] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 1 [0182.844] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.844] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.845] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft OneDrive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft onedrive\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b7c0 | out: lpFileInformation=0x1282b7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.845] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft OneDrive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft onedrive\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.845] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft OneDrive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft onedrive\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.845] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b9d0 | out: lpMode=0x1282b9d0) returned 0 [0182.845] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a69300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b9d0, lpOverlapped=0x0 | out: lpBuffer=0x12a69300*, lpNumberOfBytesWritten=0x1282b9d0*=0x118a, lpOverlapped=0x0) returned 1 [0182.847] CloseHandle (hObject=0x1a0) returned 1 [0182.847] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft OneDrive\\setup" (normalized: "c:\\programdata\\microsoft onedrive\\setup"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.848] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft OneDrive\\setup" (normalized: "c:\\programdata\\microsoft onedrive\\setup"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.848] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft OneDrive\\setup\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0182.848] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.848] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.848] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0182.849] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft OneDrive\\setup\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.849] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft OneDrive\\setup\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.849] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft OneDrive\\setup\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.849] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.849] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a6a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a6a600*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.851] CloseHandle (hObject=0x1a0) returned 1 [0182.851] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache" (normalized: "c:\\programdata\\package cache"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.858] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache" (normalized: "c:\\programdata\\package cache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.858] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.861] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", cAlternateFileName="{0FA68~1.285")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fd5cd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", cAlternateFileName="{2BC3B~1.285")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c893534, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x64df9047, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{65e650ff-30be-469d-b63a-418d71ea1765}", cAlternateFileName="{65E65~1")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69df918b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{6913e92a-b64e-41c9-a5e6-cef39207fe89}", cAlternateFileName="{6913E~1")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508", cAlternateFileName="{7D0B7~1.285")) returned 1 [0182.863] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0182.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0182.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0182.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0182.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f2d0b1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0182.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0182.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4965d4d1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0182.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508", cAlternateFileName="{EEA66~1.285")) returned 1 [0182.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0182.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.864] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0182.864] SetEvent (hEvent=0xfc) returned 1 [0182.864] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.866] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b7c0 | out: lpFileInformation=0x1282b7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.867] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.868] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.868] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b9d0 | out: lpMode=0x1282b9d0) returned 0 [0182.868] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a6b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b9d0, lpOverlapped=0x0 | out: lpBuffer=0x12a6b900*, lpNumberOfBytesWritten=0x1282b9d0*=0x118a, lpOverlapped=0x0) returned 1 [0182.870] CloseHandle (hObject=0x1a0) returned 1 [0182.871] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.875] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.875] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0182.875] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.875] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0182.875] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.875] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0182.876] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.876] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.876] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.877] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.877] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.878] CloseHandle (hObject=0x1a0) returned 1 [0182.879] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.879] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.879] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.879] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.879] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x65089562, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x65089562, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0182.880] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.880] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.880] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.880] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.880] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.881] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0182.881] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0182.882] CloseHandle (hObject=0x1a0) returned 1 [0182.885] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x65089562, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x65089562, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.886] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.886] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x65089562, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x65089562, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0182.886] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x65089562, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x65089562, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.886] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b027600, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x1b027600, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x1b027600, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x4f83ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0182.886] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4be2ab00, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x4be2ab00, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x4be2ab00, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0182.886] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.886] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0182.887] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.887] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.887] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.893] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0182.893] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0182.895] CloseHandle (hObject=0x1a0) returned 1 [0182.896] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b027600, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x1b027600, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x1b027600, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x4f83ae)) returned 1 [0182.901] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4be2ab00, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x4be2ab00, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x4be2ab00, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x2d000)) returned 1 [0182.904] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fd5cd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.948] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.948] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fd5cd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.948] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fd5cd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.948] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fe967, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0182.948] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.949] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.949] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.949] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.949] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0182.950] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.950] WriteFile (in: hFile=0x448, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.952] CloseHandle (hObject=0x448) returned 1 [0182.953] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fe967, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.953] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.953] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fe967, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.953] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fe967, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.953] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0182.953] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.954] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.954] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.954] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.954] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0182.955] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0182.955] WriteFile (in: hFile=0x448, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0182.957] CloseHandle (hObject=0x448) returned 1 [0182.957] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.990] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.990] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0182.990] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.991] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0182.991] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0182.991] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.991] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0182.991] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.991] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.991] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0183.028] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0183.028] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0183.030] CloseHandle (hObject=0x42c) returned 1 [0183.031] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0xf36be)) returned 1 [0183.046] SetEvent (hEvent=0x420) returned 1 [0183.046] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000)) returned 1 [0183.047] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0183.047] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0183.047] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0183.047] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0183.047] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0183.047] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0183.047] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0183.048] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.048] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.048] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0183.049] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0183.049] WriteFile (in: hFile=0x42c, lpBuffer=0x12a68000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a68000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0183.051] CloseHandle (hObject=0x42c) returned 1 [0183.051] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0183.052] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0183.052] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0183.052] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0183.052] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0183.053] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0183.053] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0183.053] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.053] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.053] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0183.156] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0183.156] WriteFile (in: hFile=0x42c, lpBuffer=0x12a69300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a69300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0183.157] CloseHandle (hObject=0x42c) returned 1 [0183.158] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0183.158] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0183.158] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0183.158] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0183.158] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb21afe00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xb21afe00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xb21afe00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x14de75, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0183.158] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec849b00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xec849b00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xec849b00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0183.158] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0183.159] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0183.159] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.159] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.159] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0183.218] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0183.219] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a6a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a6a600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0183.220] CloseHandle (hObject=0x3c4) returned 1 [0183.221] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb21afe00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xb21afe00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xb21afe00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x14de75)) returned 1 [0183.221] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec849b00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xec849b00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xec849b00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x2f000)) returned 1 [0183.222] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0183.222] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0183.222] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb21afe00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xb21afe00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xb21afe00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x14de75)) returned 1 [0183.222] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98d20 | out: pbBuffer=0x12a98d20) returned 1 [0183.222] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915350 | out: pbBuffer=0x12915350) returned 1 [0183.222] ReadFile (in: hFile=0x3c4, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12d35d1c*=0x20000, lpOverlapped=0x0) returned 1 [0183.507] GetFileType (hFile=0x3c4) returned 0x1 [0183.508] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0183.508] WriteFile (in: hFile=0x3c4, lpBuffer=0x12cce000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12cce000*, lpNumberOfBytesWritten=0x12d35d00*=0x20000, lpOverlapped=0x12d35d0c) returned 1 [0183.509] GetFileType (hFile=0x3c4) returned 0x1 [0183.509] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0183.609] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0183.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0183.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0183.619] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915408 | out: pbBuffer=0x12915408) returned 1 [0183.619] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0183.619] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0183.619] WriteFile (in: hFile=0x438, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0183.868] CloseHandle (hObject=0x438) returned 1 [0183.957] CloseHandle (hObject=0x3c4) returned 1 [0183.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a040 | out: pbBuffer=0x12a9a040) returned 1 [0183.957] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\#_THIS_FILE_IS_ENCRYPTED_[7E109BBD336917D0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\#_this_file_is_encrypted_[7e109bbd336917d0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0184.048] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0184.048] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0184.048] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x9d5870d9, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272)) returned 1 [0184.048] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e260 | out: pbBuffer=0x1280e260) returned 1 [0184.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a3c0 | out: pbBuffer=0x12a9a3c0) returned 1 [0184.049] ReadFile (in: hFile=0x3c4, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x1282fd1c*=0x272, lpOverlapped=0x0) returned 1 [0184.051] GetFileType (hFile=0x3c4) returned 0x1 [0184.051] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0184.051] WriteFile (in: hFile=0x3c4, lpBuffer=0x12ca4000*, nNumberOfBytesToWrite=0x272, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12ca4000*, lpNumberOfBytesWritten=0x1282fd00*=0x272, lpOverlapped=0x1282fd0c) returned 1 [0184.051] GetFileType (hFile=0x3c4) returned 0x1 [0184.051] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x272, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0184.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a381 | out: pbBuffer=0x1286a381) returned 1 [0184.052] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0184.052] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0184.052] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0184.054] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0184.055] SetEvent (hEvent=0x110) returned 1 [0184.055] SetEvent (hEvent=0x420) returned 1 [0184.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a478 | out: pbBuffer=0x12a9a478) returned 1 [0184.056] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0184.056] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0184.056] WriteFile (in: hFile=0x428, lpBuffer=0x12c38000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0184.061] CloseHandle (hObject=0x428) returned 1 [0184.065] CloseHandle (hObject=0x3c4) returned 1 [0184.067] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a490 | out: pbBuffer=0x12a9a490) returned 1 [0184.067] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\#_THIS_FILE_IS_ENCRYPTED_[C941AB7DC6CF59DE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\#_this_file_is_encrypted_[c941ab7dc6cf59de]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0184.070] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0184.075] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0184.088] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0184.088] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0184.088] SetEvent (hEvent=0x420) returned 1 [0184.088] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0184.094] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0184.094] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0184.116] SetEvent (hEvent=0x3f4) returned 1 [0184.116] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0184.117] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0184.117] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb35c4d00, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb35c4d00, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb35c4d00, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0184.117] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0184.117] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0184.118] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0184.143] GetFileType (hFile=0x1a0) returned 0x1 [0184.144] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0184.144] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0184.145] GetFileType (hFile=0x1a0) returned 0x1 [0184.146] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0184.146] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0184.146] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0184.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0184.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914560 | out: pbBuffer=0x12914560) returned 1 [0184.147] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0184.148] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0184.148] WriteFile (in: hFile=0x43c, lpBuffer=0x12a70000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a70000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0184.148] CloseHandle (hObject=0x43c) returned 1 [0184.154] CloseHandle (hObject=0x1a0) returned 1 [0184.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914578 | out: pbBuffer=0x12914578) returned 1 [0184.155] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\#_THIS_FILE_IS_ENCRYPTED_[31D2ECEF396DCEE4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\#_this_file_is_encrypted_[31d2ecef396dcee4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0184.157] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0184.854] SwitchToThread () returned 1 [0185.346] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0185.346] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0185.346] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c86d4cb, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4ae0cc20, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x710a8)) returned 1 [0185.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0185.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145c0 | out: pbBuffer=0x129145c0) returned 1 [0185.553] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ce8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce8000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0185.712] GetFileType (hFile=0x3c4) returned 0x1 [0185.712] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0185.712] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0185.713] GetFileType (hFile=0x3c4) returned 0x1 [0185.713] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0185.739] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaba9e611, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320)) returned 1 [0185.739] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69df918b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0185.740] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0185.740] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69df918b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0185.750] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69df918b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0185.750] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xad482581, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0185.751] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x672872b5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e218, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0185.751] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0185.751] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0185.751] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0185.751] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0185.751] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0185.886] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0185.886] WriteFile (in: hFile=0x42c, lpBuffer=0x12d69900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d69900*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0185.887] CloseHandle (hObject=0x42c) returned 1 [0185.888] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\vc_redist.x64.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x672872b5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e218)) returned 1 [0185.888] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xad482581, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320)) returned 1 [0185.893] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\vc_redist.x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0185.893] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0185.893] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\vc_redist.x64.exe"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x672872b5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e218)) returned 1 [0185.893] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98840 | out: pbBuffer=0x12a98840) returned 1 [0185.893] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915060 | out: pbBuffer=0x12915060) returned 1 [0185.894] ReadFile (in: hFile=0x42c, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12d35d1c*=0x20000, lpOverlapped=0x0) returned 1 [0186.085] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0186.381] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0186.397] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0186.426] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0186.426] SetEvent (hEvent=0x110) returned 1 [0186.426] SetEvent (hEvent=0xfc) returned 1 [0186.427] GetFileType (hFile=0x42c) returned 0x1 [0186.427] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0186.427] WriteFile (in: hFile=0x42c, lpBuffer=0x129b6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x129b6000*, lpNumberOfBytesWritten=0x12d35d00*=0x20000, lpOverlapped=0x12d35d0c) returned 1 [0186.428] GetFileType (hFile=0x42c) returned 0x1 [0186.428] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0186.438] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0186.573] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0186.573] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0186.574] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0186.758] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915188 | out: pbBuffer=0x12915188) returned 1 [0186.758] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0186.758] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0186.758] WriteFile (in: hFile=0x448, lpBuffer=0x12a70500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a70500*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0186.758] CloseHandle (hObject=0x448) returned 1 [0186.760] CloseHandle (hObject=0x428) returned 1 [0186.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129151a0 | out: pbBuffer=0x129151a0) returned 1 [0186.773] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm"), lpNewFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\#_THIS_FILE_IS_ENCRYPTED_[89A0C651E5895E79]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\#_this_file_is_encrypted_[89a0c651e5895e79]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0186.786] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0186.787] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0186.787] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xad482581, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320)) returned 1 [0186.787] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98ac0 | out: pbBuffer=0x12a98ac0) returned 1 [0186.787] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129151e8 | out: pbBuffer=0x129151e8) returned 1 [0186.788] ReadFile (in: hFile=0x428, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12d37d1c*=0x320, lpOverlapped=0x0) returned 1 [0186.970] GetFileType (hFile=0x428) returned 0x1 [0186.970] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0186.970] WriteFile (in: hFile=0x428, lpBuffer=0x128e4000*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x128e4000*, lpNumberOfBytesWritten=0x12d37d00*=0x320, lpOverlapped=0x12d37d0c) returned 1 [0186.971] GetFileType (hFile=0x428) returned 0x1 [0186.971] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x320, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0186.971] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0186.971] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0186.971] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0186.972] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810140 | out: pbBuffer=0x12810140) returned 1 [0186.972] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0186.972] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0186.972] WriteFile (in: hFile=0x42c, lpBuffer=0x12a60500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60500*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0186.972] CloseHandle (hObject=0x42c) returned 1 [0186.974] CloseHandle (hObject=0x428) returned 1 [0186.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810158 | out: pbBuffer=0x12810158) returned 1 [0186.974] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm"), lpNewFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\#_THIS_FILE_IS_ENCRYPTED_[B28EE0AB8B06678E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\#_this_file_is_encrypted_[b28ee0ab8b06678e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0186.975] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0187.088] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0187.278] SetEvent (hEvent=0x19c) returned 1 [0187.279] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.280] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12b17d0c | out: lpMode=0x12b17d0c) returned 0 [0187.280] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x12b17ad0 | out: lpFileInformation=0x12b17ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000)) returned 1 [0187.280] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0187.281] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0187.281] ReadFile (in: hFile=0x43c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b17d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12b17d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.338] GetFileType (hFile=0x43c) returned 0x1 [0187.338] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b17ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.338] WriteFile (in: hFile=0x43c, lpBuffer=0x12ca8000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12b17d00, lpOverlapped=0x12b17d0c | out: lpBuffer=0x12ca8000*, lpNumberOfBytesWritten=0x12b17d00*=0x20000, lpOverlapped=0x12b17d0c) returned 1 [0187.339] GetFileType (hFile=0x43c) returned 0x1 [0187.339] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12b17ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0187.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0187.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0187.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0187.340] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0187.341] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12b17d0c | out: lpMode=0x12b17d0c) returned 0 [0187.341] WriteFile (in: hFile=0x42c, lpBuffer=0x12c38000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b17d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38000*, lpNumberOfBytesWritten=0x12b17d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.341] CloseHandle (hObject=0x42c) returned 1 [0187.341] CloseHandle (hObject=0x43c) returned 1 [0187.342] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0187.342] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\#_THIS_FILE_IS_ENCRYPTED_[F9CB892196BF10CC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\#_this_file_is_encrypted_[f9cb892196bf10cc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.343] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.343] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.343] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb519600, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xeb519600, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xeb519600, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a)) returned 1 [0187.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0187.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0187.344] ReadFile (in: hFile=0x43c, lpBuffer=0x12cc8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc8000*, lpNumberOfBytesRead=0x12d37d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.400] GetFileType (hFile=0x43c) returned 0x1 [0187.400] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.400] WriteFile (in: hFile=0x43c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12d37d00*=0x20000, lpOverlapped=0x12d37d0c) returned 1 [0187.402] GetFileType (hFile=0x43c) returned 0x1 [0187.402] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0187.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0187.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0187.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484c8 | out: pbBuffer=0x128484c8) returned 1 [0187.403] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.403] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.403] WriteFile (in: hFile=0x448, lpBuffer=0x12c38500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38500*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.462] CloseHandle (hObject=0x448) returned 1 [0187.462] CloseHandle (hObject=0x43c) returned 1 [0187.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484e0 | out: pbBuffer=0x128484e0) returned 1 [0187.463] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\#_THIS_FILE_IS_ENCRYPTED_[A7F3FF612A15AD28]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\#_this_file_is_encrypted_[a7f3ff612a15ad28]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.469] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0187.843] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0188.143] SetEvent (hEvent=0x420) returned 1 [0188.143] SetEvent (hEvent=0x19c) returned 1 [0188.143] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0188.172] SetEvent (hEvent=0x3f4) returned 1 [0188.172] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0188.173] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0188.173] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf98df460, ftLastAccessTime.dwHighDateTime=0x1d705ef, ftLastWriteTime.dwLowDateTime=0x22721e58, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0188.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0188.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0188.173] ReadFile (in: hFile=0x1a0, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12d35d1c*=0x3000, lpOverlapped=0x0) returned 1 [0188.187] GetFileType (hFile=0x1a0) returned 0x1 [0188.187] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.187] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a71000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12a71000*, lpNumberOfBytesWritten=0x12d35d00*=0x3000, lpOverlapped=0x12d35d0c) returned 1 [0188.188] GetFileType (hFile=0x1a0) returned 0x1 [0188.188] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.188] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0188.188] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0188.188] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0188.188] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0188.188] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0188.189] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0188.189] WriteFile (in: hFile=0x42c, lpBuffer=0x12c34500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c34500*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.189] CloseHandle (hObject=0x42c) returned 1 [0188.197] CloseHandle (hObject=0x1a0) returned 1 [0188.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0188.201] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[4BE57CF20FE3C686]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[4be57cf20fe3c686]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.411] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0188.469] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0188.471] SetEvent (hEvent=0x3f8) returned 1 [0188.471] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0188.523] SetEvent (hEvent=0x3f8) returned 1 [0188.523] SetEvent (hEvent=0xf4) returned 1 [0188.523] SwitchToThread () returned 1 [0188.542] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0188.638] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0188.674] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0188.776] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0188.793] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0189.825] SetEvent (hEvent=0x3f4) returned 1 [0189.825] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0190.516] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0190.561] SetEvent (hEvent=0xf4) returned 1 [0190.561] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x407cb15, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x407cb15, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.561] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.561] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x407cb15, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x407cb15, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.561] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x407cb15, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x407cb15, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.562] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x407cb15, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x407cb15, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x565d93a, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="FeedsStore.feedsdb-ms", cAlternateFileName="FEEDSS~1.FEE")) returned 1 [0190.562] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x3fd0d0a, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fe8047, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3fe8047, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 1 [0190.562] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.562] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.562] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.562] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.562] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.610] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0190.610] WriteFile (in: hFile=0x438, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0190.611] CloseHandle (hObject=0x438) returned 1 [0190.612] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x407cb15, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x407cb15, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x565d93a, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x1400)) returned 1 [0190.612] SetEvent (hEvent=0xfc) returned 1 [0190.612] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x3fd0d0a, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fe8047, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3fe8047, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.612] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x3fd0d0a, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fe8047, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3fe8047, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.613] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x3fd0d0a, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fe8047, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3fe8047, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.613] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3fe8047, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fe8047, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x56613a5, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer Suggested Sites~.feed-ms", cAlternateFileName="INTERN~1.FEE")) returned 1 [0190.613] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.613] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.613] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.613] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.613] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.664] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0190.664] WriteFile (in: hFile=0x438, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0190.666] CloseHandle (hObject=0x438) returned 1 [0190.666] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\Internet Explorer Suggested Sites~.feed-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\internet explorer suggested sites~.feed-ms"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3fe8047, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fe8047, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x56613a5, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0190.747] SetEvent (hEvent=0xf4) returned 1 [0190.747] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x430ec4ba, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4095142, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4095142, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0190.747] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.747] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x430ec4ba, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4095142, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4095142, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.747] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x430ec4ba, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4095142, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4095142, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.747] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x409170e, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x409170e, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x409170e, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2W1IXK2L", cAlternateFileName="")) returned 1 [0190.747] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4092ad8, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4092ad8, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4092ad8, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="59V5OUQ3", cAlternateFileName="")) returned 1 [0190.747] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3fd8244, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fd8244, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3fd8244, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0190.747] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x409170e, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x409170e, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x409170e, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQMBKQJX", cAlternateFileName="")) returned 1 [0190.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4092ad8, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4092ad8, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4092ad8, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IC4VWCH6", cAlternateFileName="")) returned 1 [0190.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.748] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.748] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.748] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.748] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.749] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0190.749] WriteFile (in: hFile=0x438, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0190.750] CloseHandle (hObject=0x438) returned 1 [0190.750] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\2W1IXK2L" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\2w1ixk2l"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x409170e, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x409170e, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x409170e, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.750] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\2W1IXK2L" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\2w1ixk2l"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.751] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\2W1IXK2L\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x409170e, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x409170e, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x409170e, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0190.751] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x409170e, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x409170e, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x409170e, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.751] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.751] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0190.751] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\2W1IXK2L\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\2w1ixk2l\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\2W1IXK2L\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\2w1ixk2l\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\2W1IXK2L\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\2w1ixk2l\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.752] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0190.752] WriteFile (in: hFile=0x438, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0190.753] CloseHandle (hObject=0x438) returned 1 [0190.753] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\59V5OUQ3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\59v5ouq3"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4092ad8, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4092ad8, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4092ad8, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.754] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\59V5OUQ3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\59v5ouq3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.754] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\59V5OUQ3\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4092ad8, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4092ad8, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4092ad8, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0190.754] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4092ad8, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4092ad8, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4092ad8, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.754] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.754] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0190.754] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\59V5OUQ3\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\59v5ouq3\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.754] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\59V5OUQ3\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\59v5ouq3\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.754] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\59V5OUQ3\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\59v5ouq3\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.755] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0190.755] WriteFile (in: hFile=0x438, lpBuffer=0x12921300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12921300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0190.756] CloseHandle (hObject=0x438) returned 1 [0190.757] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\FQMBKQJX" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\fqmbkqjx"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x409170e, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x409170e, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x409170e, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.757] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\FQMBKQJX" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\fqmbkqjx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.757] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\FQMBKQJX\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x409170e, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x409170e, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x409170e, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0190.757] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x409170e, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x409170e, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x409170e, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.757] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.757] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0190.757] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\FQMBKQJX\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\fqmbkqjx\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.757] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\FQMBKQJX\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\fqmbkqjx\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.757] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\FQMBKQJX\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\fqmbkqjx\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.758] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0190.758] WriteFile (in: hFile=0x438, lpBuffer=0x12922600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12922600*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0190.759] CloseHandle (hObject=0x438) returned 1 [0190.760] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\IC4VWCH6" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\ic4vwch6"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4092ad8, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4097881, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4097881, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.760] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\IC4VWCH6" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\ic4vwch6"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.760] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\IC4VWCH6\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4092ad8, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4092ad8, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4097881, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0190.760] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4092ad8, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4092ad8, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4097881, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.760] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4097881, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4097881, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4097881, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieonlinews.microsoft[1]", cAlternateFileName="IEONLI~1.MIC")) returned 1 [0190.760] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.760] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0190.760] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\IC4VWCH6\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\ic4vwch6\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.761] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\IC4VWCH6\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\ic4vwch6\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.761] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\IC4VWCH6\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\ic4vwch6\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.761] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0190.762] WriteFile (in: hFile=0x438, lpBuffer=0x12923900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12923900*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0190.763] CloseHandle (hObject=0x438) returned 1 [0190.763] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\IC4VWCH6\\ieonlinews.microsoft[1]" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\ic4vwch6\\ieonlinews.microsoft[1]"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4097881, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x4097881, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4097881, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.764] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3fd8244, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3fd8244, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3fd8244, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.765] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\gamedvr"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x809248a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc7db342, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.765] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\gamedvr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.765] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x809248a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc7db342, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0190.765] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x809248a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc7db342, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.765] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7db342, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x212d1b5b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd23c, dwReserved0=0x0, dwReserved1=0x0, cFileName="KnownGameList.bin", cAlternateFileName="KNOWNG~1.BIN")) returned 1 [0190.765] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.765] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0190.766] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\gamedvr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\gamedvr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\gamedvr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.767] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0190.767] WriteFile (in: hFile=0x438, lpBuffer=0x12924c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12924c00*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0190.769] CloseHandle (hObject=0x438) returned 1 [0190.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\KnownGameList.bin" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\gamedvr\\knowngamelist.bin"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7db342, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x212d1b5b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd23c)) returned 1 [0190.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.816] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.816] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.816] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.816] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 1 [0190.816] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.816] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.817] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.817] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.817] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.817] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0190.817] WriteFile (in: hFile=0x438, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0190.819] CloseHandle (hObject=0x438) returned 1 [0190.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.819] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.820] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.820] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.820] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.820] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.820] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.820] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.821] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0190.821] WriteFile (in: hFile=0x438, lpBuffer=0x12c85300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12c85300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0190.822] CloseHandle (hObject=0x438) returned 1 [0190.822] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.823] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.823] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0190.823] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.823] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Checkpoints", cAlternateFileName="CHECKP~1")) returned 1 [0190.823] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.823] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0190.823] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.824] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.824] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.824] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0190.824] WriteFile (in: hFile=0x438, lpBuffer=0x12c86600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12c86600*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0190.826] CloseHandle (hObject=0x438) returned 1 [0190.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\checkpoints"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.383] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\checkpoints"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.412] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0191.418] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.419] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.419] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0191.419] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\checkpoints\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\checkpoints\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\checkpoints\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0191.420] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0191.420] WriteFile (in: hFile=0x438, lpBuffer=0x12c87900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12c87900*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0191.422] CloseHandle (hObject=0x438) returned 1 [0191.423] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xab2455cf, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab2455cf, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0191.423] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.423] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xab2455cf, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab2455cf, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0191.423] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xab2455cf, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab2455cf, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4302da2a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4302da2a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x430ec4ba, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19b3, dwReserved0=0x0, dwReserved1=0x0, cFileName="brndlog.txt", cAlternateFileName="")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x966d3d20, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966d3d20, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966d3d20, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DomainSuggestions", cAlternateFileName="DOMAIN~1")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfed2f390, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed41862, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed41862, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EmieSiteList", cAlternateFileName="EMIESI~1")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfed4668a, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed865d6, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed865d6, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EmieUserList", cAlternateFileName="EMIEUS~1")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x431ab1e5, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x431ab1e5, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x600a7168, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x92, dwReserved0=0x0, dwReserved1=0x0, cFileName="ie4uinit-ClearIconCache.log", cAlternateFileName="IE4UIN~2.LOG")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4137bbef, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x431128d7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0x0, dwReserved1=0x0, cFileName="ie4uinit-UserConfig.log", cAlternateFileName="IE4UIN~1.LOG")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IECompatData", cAlternateFileName="IECOMP~1")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab2455cf, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0xab563468, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab563468, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEFlipAheadCache", cAlternateFileName="IEFLIP~1")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c90505, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3c90505, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3c90505, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="imagestore", cAlternateFileName="IMAGES~1")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf65bc6f2, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf65bc6f2, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf65bc6f2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabRoaming", cAlternateFileName="TABROA~1")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tracking Protection", cAlternateFileName="TRACKI~1")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b2676dd, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x7bff1e28, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7bff1e28, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VersionManager", cAlternateFileName="VERSIO~1")) returned 1 [0191.424] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.424] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0191.425] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.425] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.425] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0191.471] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0191.471] WriteFile (in: hFile=0x438, lpBuffer=0x12c88c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12c88c00*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0191.473] CloseHandle (hObject=0x438) returned 1 [0191.473] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x966d3d20, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966db287, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966db287, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.473] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.474] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x966d3d20, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966db287, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966db287, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0191.474] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x966d3d20, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966db287, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966db287, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.474] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966db287, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966db287, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966bf0b2, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4700, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US.1", cAlternateFileName="")) returned 1 [0191.474] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.474] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0191.474] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.474] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.474] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0191.475] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0191.475] WriteFile (in: hFile=0x438, lpBuffer=0x12d26000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12d26000*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0191.484] CloseHandle (hObject=0x438) returned 1 [0191.484] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\en-us.1"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966db287, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966db287, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966bf0b2, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4700)) returned 1 [0191.484] SetEvent (hEvent=0xfc) returned 1 [0191.484] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfed2f390, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed41862, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed41862, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.485] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.485] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfed2f390, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed41862, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed41862, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0191.485] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfed2f390, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed41862, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed41862, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.485] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xfed41862, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed41862, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed41862, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0191.485] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.485] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0191.485] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.485] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.486] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0191.486] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0191.486] WriteFile (in: hFile=0x438, lpBuffer=0x12d27300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12d27300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0191.488] CloseHandle (hObject=0x438) returned 1 [0191.488] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xfed41862, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed41862, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed41862, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.488] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfed4668a, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed865d6, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed865d6, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.488] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.489] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfed4668a, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed865d6, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed865d6, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0191.489] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfed4668a, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed865d6, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed865d6, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.489] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xfed865d6, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed865d6, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed865d6, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0191.489] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.489] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0191.489] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.489] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.489] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0191.490] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0191.490] WriteFile (in: hFile=0x438, lpBuffer=0x12d28600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12d28600*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0191.492] CloseHandle (hObject=0x438) returned 1 [0191.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xfed865d6, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed865d6, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed865d6, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.492] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.492] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0191.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc10, dwReserved0=0x0, dwReserved1=0x0, cFileName="iecompatdata.xml", cAlternateFileName="IECOMP~1.XML")) returned 1 [0191.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.493] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0191.493] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0191.494] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0191.494] WriteFile (in: hFile=0x438, lpBuffer=0x12d29900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12d29900*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0191.496] CloseHandle (hObject=0x438) returned 1 [0191.496] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\iecompatdata.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc10)) returned 1 [0191.504] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab2455cf, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0xab563468, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab563468, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.505] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0191.505] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab2455cf, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0xab563468, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab563468, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0191.505] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab2455cf, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0xab563468, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab563468, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0191.505] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xab563468, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0xab563468, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab563468, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0191.505] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0191.505] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0191.505] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.505] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0191.506] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0191.506] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0191.506] WriteFile (in: hFile=0x438, lpBuffer=0x12d2ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12d2ac00*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0191.508] CloseHandle (hObject=0x438) returned 1 [0191.508] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xab563468, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0xab563468, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xab563468, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.508] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\iecompatdata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0191.509] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0191.509] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\iecompatdata.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc10)) returned 1 [0191.509] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ebc0 | out: pbBuffer=0x1280ebc0) returned 1 [0191.509] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a060 | out: pbBuffer=0x12a9a060) returned 1 [0191.510] ReadFile (in: hFile=0x438, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12a6dd1c*=0xc10, lpOverlapped=0x0) returned 1 [0191.511] GetFileType (hFile=0x438) returned 0x1 [0191.511] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0191.511] WriteFile (in: hFile=0x438, lpBuffer=0x12d04000*, nNumberOfBytesToWrite=0xc10, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12d04000*, lpNumberOfBytesWritten=0x12a6dd00*=0xc10, lpOverlapped=0x12a6dd0c) returned 1 [0191.512] GetFileType (hFile=0x438) returned 0x1 [0191.512] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xc10, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0191.620] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0191.621] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0191.621] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xfed865d6, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfed865d6, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfed865d6, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0191.621] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ec60 | out: pbBuffer=0x1280ec60) returned 1 [0191.621] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0191.622] ReadFile (in: hFile=0x43c, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12a73d1c*=0x0, lpOverlapped=0x0) returned 1 [0191.622] CloseHandle (hObject=0x43c) returned 1 [0191.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0191.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0191.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0191.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a138 | out: pbBuffer=0x12a9a138) returned 1 [0191.638] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\iecompatdata.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0191.639] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0191.639] WriteFile (in: hFile=0x43c, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0191.639] CloseHandle (hObject=0x43c) returned 1 [0191.639] CloseHandle (hObject=0x438) returned 1 [0191.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a150 | out: pbBuffer=0x12a9a150) returned 1 [0191.640] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\iecompatdata.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\#_THIS_FILE_IS_ENCRYPTED_[50D7F49103AE0B3A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\#_this_file_is_encrypted_[50d7f49103ae0b3a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0193.512] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0193.734] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0194.663] SetEvent (hEvent=0x3f4) returned 1 [0194.814] SetEvent (hEvent=0x40c) returned 1 [0194.897] SetEvent (hEvent=0x40c) returned 1 [0194.898] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4302da2a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4302da2a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x430ec4ba, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19b3)) returned 1 [0194.898] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-ClearIconCache.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-cleariconcache.log"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x431ab1e5, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x431ab1e5, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x600a7168, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x92)) returned 1 [0194.899] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-userconfig.log"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4137bbef, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x431128d7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x514)) returned 1 [0194.899] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c90505, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3c918de, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3c918de, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0194.899] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0194.900] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c90505, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3c90505, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3c918de, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0194.900] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c90505, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3c90505, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3c918de, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0194.900] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c918de, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3c918de, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3c918de, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8p3vqxm", cAlternateFileName="")) returned 1 [0194.900] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0194.900] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0194.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0194.901] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0194.901] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0194.902] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0194.902] WriteFile (in: hFile=0x448, lpBuffer=0x12c8a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12c8a000*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0194.957] CloseHandle (hObject=0x448) returned 1 [0194.957] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\8p3vqxm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\8p3vqxm"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c918de, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3c918de, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3c918de, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0194.958] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\8p3vqxm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\8p3vqxm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0194.958] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\8p3vqxm\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c918de, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3c918de, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3c918de, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0194.958] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c918de, ftCreationTime.dwHighDateTime=0x1d82a29, ftLastAccessTime.dwLowDateTime=0x3c918de, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x3c918de, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0194.958] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0194.958] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0194.958] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\8p3vqxm\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\8p3vqxm\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0194.959] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\8p3vqxm\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\8p3vqxm\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0194.959] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\8p3vqxm\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\8p3vqxm\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0194.959] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0194.959] WriteFile (in: hFile=0x448, lpBuffer=0x12c8b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c8b300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0194.961] CloseHandle (hObject=0x448) returned 1 [0194.961] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0194.962] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0194.962] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0194.962] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0194.962] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sync Playlists", cAlternateFileName="SYNCPL~1")) returned 1 [0194.962] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x760d4d6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Transcoded Files Cache", cAlternateFileName="TRANSC~1")) returned 1 [0194.962] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0194.963] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0194.963] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0194.963] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0194.963] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0195.080] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0195.326] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0195.326] WriteFile (in: hFile=0x448, lpBuffer=0x12c8c600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12c8c600*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0195.328] CloseHandle (hObject=0x448) returned 1 [0195.329] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0195.387] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0195.387] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0195.399] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0195.400] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0195.400] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0195.400] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0195.549] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0195.549] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0195.550] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0195.550] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0195.550] WriteFile (in: hFile=0x3c4, lpBuffer=0x1285a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x1285a600*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0195.552] CloseHandle (hObject=0x3c4) returned 1 [0195.552] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0195.552] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0195.552] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0195.552] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0195.552] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="00007F03", cAlternateFileName="")) returned 1 [0195.552] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0195.553] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0195.553] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0195.553] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0195.553] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0195.553] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0195.553] WriteFile (in: hFile=0x3c4, lpBuffer=0x1285b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1285b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0195.554] CloseHandle (hObject=0x3c4) returned 1 [0195.555] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0195.555] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0195.555] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\*", lpFindFileData=0x1282b83c | out: lpFindFileData=0x1282b83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0195.680] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0196.317] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0196.318] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x0, dwReserved1=0x0, cFileName="01_Music_auto_rated_at_5_stars.wpl", cAlternateFileName="01_MUS~1.WPL")) returned 1 [0196.318] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="02_Music_added_in_the_last_month.wpl", cAlternateFileName="02_MUS~1.WPL")) returned 1 [0196.318] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="03_Music_rated_at_4_or_5_stars.wpl", cAlternateFileName="03_MUS~1.WPL")) returned 1 [0196.318] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x0, dwReserved1=0x0, cFileName="04_Music_played_in_the_last_month.wpl", cAlternateFileName="04_MUS~1.WPL")) returned 1 [0196.318] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x31d, dwReserved0=0x0, dwReserved1=0x0, cFileName="05_Pictures_taken_in_the_last_month.wpl", cAlternateFileName="05_PIC~1.WPL")) returned 1 [0196.319] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x0, dwReserved1=0x0, cFileName="06_Pictures_rated_4_or_5_stars.wpl", cAlternateFileName="06_PIC~1.WPL")) returned 1 [0196.320] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x410, dwReserved0=0x0, dwReserved1=0x0, cFileName="07_TV_recorded_in_the_last_week.wpl", cAlternateFileName="07_TV_~1.WPL")) returned 1 [0196.320] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="08_Video_rated_at_4_or_5_stars.wpl", cAlternateFileName="08_VID~1.WPL")) returned 1 [0196.320] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0x0, dwReserved1=0x0, cFileName="09_Music_played_the_most.wpl", cAlternateFileName="09_MUS~1.WPL")) returned 1 [0196.320] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x427, dwReserved0=0x0, dwReserved1=0x0, cFileName="10_All_Music.wpl", cAlternateFileName="10_ALL~1.WPL")) returned 1 [0196.320] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x249, dwReserved0=0x0, dwReserved1=0x0, cFileName="11_All_Pictures.wpl", cAlternateFileName="11_ALL~1.WPL")) returned 1 [0196.320] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fe83ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x0, dwReserved1=0x0, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 1 [0196.320] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0196.320] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0196.334] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b504 | out: lpFileInformation=0x1282b504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0196.335] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0196.335] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0196.336] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b714 | out: lpMode=0x1282b714) returned 0 [0196.336] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c8d900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b714, lpOverlapped=0x0 | out: lpBuffer=0x12c8d900*, lpNumberOfBytesWritten=0x1282b714*=0x118a, lpOverlapped=0x0) returned 1 [0196.338] CloseHandle (hObject=0x3c4) returned 1 [0196.338] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\01_music_auto_rated_at_5_stars.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x414)) returned 1 [0196.339] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\02_music_added_in_the_last_month.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4ff)) returned 1 [0196.387] SetEvent (hEvent=0x19c) returned 1 [0196.387] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\03_music_rated_at_4_or_5_stars.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4f3)) returned 1 [0196.387] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\04_music_played_in_the_last_month.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x504)) returned 1 [0196.388] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\05_pictures_taken_in_the_last_month.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x31d)) returned 1 [0196.388] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0196.388] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0196.388] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\04_music_played_in_the_last_month.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x504)) returned 1 [0196.389] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129283c0 | out: pbBuffer=0x129283c0) returned 1 [0196.389] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b230 | out: pbBuffer=0x12a9b230) returned 1 [0196.390] ReadFile (in: hFile=0x15c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a49d1c*=0x504, lpOverlapped=0x0) returned 1 [0196.451] GetFileType (hFile=0x15c) returned 0x1 [0196.451] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0196.451] WriteFile (in: hFile=0x15c, lpBuffer=0x12c90580*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12c90580*, lpNumberOfBytesWritten=0x12a49d00*=0x504, lpOverlapped=0x12a49d0c) returned 1 [0196.451] GetFileType (hFile=0x15c) returned 0x1 [0196.452] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x504, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0196.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a01 | out: pbBuffer=0x12834a01) returned 1 [0196.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0196.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0196.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b2e8 | out: pbBuffer=0x12a9b2e8) returned 1 [0196.453] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0196.453] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0196.453] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0196.453] CloseHandle (hObject=0x3c4) returned 1 [0196.453] CloseHandle (hObject=0x15c) returned 1 [0196.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b300 | out: pbBuffer=0x12a9b300) returned 1 [0196.454] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\04_music_played_in_the_last_month.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[D05F76E54C48E1DB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[d05f76e54c48e1db]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.455] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0196.455] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0196.455] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\05_pictures_taken_in_the_last_month.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x31d)) returned 1 [0196.455] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129285c0 | out: pbBuffer=0x129285c0) returned 1 [0196.455] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b348 | out: pbBuffer=0x12a9b348) returned 1 [0196.456] ReadFile (in: hFile=0x15c, lpBuffer=0x12d30000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d30000*, lpNumberOfBytesRead=0x12a49d1c*=0x31d, lpOverlapped=0x0) returned 1 [0196.520] GetFileType (hFile=0x15c) returned 0x1 [0196.520] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0196.520] WriteFile (in: hFile=0x15c, lpBuffer=0x12920380*, nNumberOfBytesToWrite=0x31d, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12920380*, lpNumberOfBytesWritten=0x12a49d00*=0x31d, lpOverlapped=0x12a49d0c) returned 1 [0196.521] GetFileType (hFile=0x15c) returned 0x1 [0196.521] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x31d, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0196.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0196.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0196.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835081 | out: pbBuffer=0x12835081) returned 1 [0196.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b400 | out: pbBuffer=0x12a9b400) returned 1 [0196.522] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0196.522] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0196.522] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b0500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0500*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0196.522] CloseHandle (hObject=0x3c4) returned 1 [0196.522] CloseHandle (hObject=0x15c) returned 1 [0196.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b418 | out: pbBuffer=0x12a9b418) returned 1 [0196.523] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[A7CE256AEDB866C4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[a7ce256aedb866c4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.639] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0196.665] SetEvent (hEvent=0xfc) returned 1 [0196.665] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0196.666] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0196.666] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\06_pictures_rated_4_or_5_stars.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x311)) returned 1 [0196.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98360 | out: pbBuffer=0x12a98360) returned 1 [0196.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8320 | out: pbBuffer=0x128e8320) returned 1 [0196.667] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0196.673] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0196.673] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0196.673] SetEvent (hEvent=0x110) returned 1 [0196.674] SetEvent (hEvent=0xfc) returned 1 [0196.675] ReadFile (in: hFile=0x15c, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12a6fd1c*=0x311, lpOverlapped=0x0) returned 1 [0196.688] GetFileType (hFile=0x15c) returned 0x1 [0196.688] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0196.688] WriteFile (in: hFile=0x15c, lpBuffer=0x12a5c700*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12a5c700*, lpNumberOfBytesWritten=0x12a6fd00*=0x311, lpOverlapped=0x12a6fd0c) returned 1 [0196.689] GetFileType (hFile=0x15c) returned 0x1 [0196.689] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x311, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0196.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801481 | out: pbBuffer=0x12801481) returned 1 [0196.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0196.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801681 | out: pbBuffer=0x12801681) returned 1 [0196.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848818 | out: pbBuffer=0x12848818) returned 1 [0196.690] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0196.690] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0196.690] WriteFile (in: hFile=0x438, lpBuffer=0x12cee500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12cee500*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.690] CloseHandle (hObject=0x438) returned 1 [0196.727] CloseHandle (hObject=0x15c) returned 1 [0196.765] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0196.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0196.773] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[794127204B5D4915]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[794127204b5d4915]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.953] SetEvent (hEvent=0x110) returned 1 [0196.953] SetEvent (hEvent=0x3f8) returned 1 [0196.953] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\10_All_Music.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0196.953] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0196.953] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\10_All_Music.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\10_all_music.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x427)) returned 1 [0196.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98460 | out: pbBuffer=0x12a98460) returned 1 [0196.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8498 | out: pbBuffer=0x128e8498) returned 1 [0196.953] ReadFile (in: hFile=0x438, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a6fd1c*=0x427, lpOverlapped=0x0) returned 1 [0196.958] GetFileType (hFile=0x438) returned 0x1 [0196.958] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0196.958] WriteFile (in: hFile=0x438, lpBuffer=0x12891b00*, nNumberOfBytesToWrite=0x427, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12891b00*, lpNumberOfBytesWritten=0x12a6fd00*=0x427, lpOverlapped=0x12a6fd0c) returned 1 [0196.958] GetFileType (hFile=0x438) returned 0x1 [0196.958] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x427, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0196.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0196.959] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0196.959] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0196.959] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8550 | out: pbBuffer=0x128e8550) returned 1 [0196.959] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\10_All_Music.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\10_all_music.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0196.959] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0196.959] WriteFile (in: hFile=0x448, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.959] CloseHandle (hObject=0x448) returned 1 [0196.967] CloseHandle (hObject=0x438) returned 1 [0196.972] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8568 | out: pbBuffer=0x128e8568) returned 1 [0196.972] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\10_All_Music.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\10_all_music.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[DA3CF0ACA22490E3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[da3cf0aca22490e3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.141] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.178] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.190] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.209] SetEvent (hEvent=0x19c) returned 1 [0197.209] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\05BDDC85-1B21-40A1-AD47-D6AD70518BA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\05bddc85-1b21-40a1-ad47-d6ad70518ba9"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.209] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0197.210] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\05BDDC85-1B21-40A1-AD47-D6AD70518BA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\05bddc85-1b21-40a1-ad47-d6ad70518ba9"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ca303e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82ca303e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82ca303e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3be8)) returned 1 [0197.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0197.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a170 | out: pbBuffer=0x12a9a170) returned 1 [0197.211] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0197.215] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.215] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0197.215] SetEvent (hEvent=0x110) returned 1 [0197.215] SetEvent (hEvent=0x19c) returned 1 [0197.215] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12a6dd1c*=0x3be8, lpOverlapped=0x0) returned 1 [0197.307] GetFileType (hFile=0x1a0) returned 0x1 [0197.307] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0197.307] WriteFile (in: hFile=0x1a0, lpBuffer=0x12be8000*, nNumberOfBytesToWrite=0x3be8, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12be8000*, lpNumberOfBytesWritten=0x12a6dd00*=0x3be8, lpOverlapped=0x12a6dd0c) returned 1 [0197.307] GetFileType (hFile=0x1a0) returned 0x1 [0197.307] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3be8, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0197.307] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0197.308] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0197.308] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0197.308] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a248 | out: pbBuffer=0x12a9a248) returned 1 [0197.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\05BDDC85-1B21-40A1-AD47-D6AD70518BA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\05bddc85-1b21-40a1-ad47-d6ad70518ba9"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0197.309] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0197.309] WriteFile (in: hFile=0x438, lpBuffer=0x12a64500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a64500*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0197.309] CloseHandle (hObject=0x438) returned 1 [0197.316] SwitchToThread () returned 1 [0197.319] CloseHandle (hObject=0x1a0) returned 1 [0197.322] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848020 | out: pbBuffer=0x12848020) returned 1 [0197.323] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\05BDDC85-1B21-40A1-AD47-D6AD70518BA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\05bddc85-1b21-40a1-ad47-d6ad70518ba9"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[117D8C9D027BBA64]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[117d8c9d027bba64]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.474] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.511] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.626] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.651] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.675] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.776] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0197.916] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0198.028] SetEvent (hEvent=0xfc) returned 1 [0198.028] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0198.038] SetEvent (hEvent=0x19c) returned 1 [0198.039] SetEvent (hEvent=0x420) returned 1 [0198.039] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0198.044] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0198.044] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0198.044] SetEvent (hEvent=0x420) returned 1 [0198.044] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0198.048] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0198.048] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0198.583] SetEvent (hEvent=0x420) returned 1 [0198.583] SetEvent (hEvent=0x19c) returned 1 [0198.583] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0198.593] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0198.611] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0198.751] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0198.805] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.047] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.049] SetEvent (hEvent=0x3f4) returned 1 [0199.049] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.057] SetEvent (hEvent=0x3f4) returned 1 [0199.057] SetEvent (hEvent=0x420) returned 1 [0199.057] SwitchToThread () returned 1 [0199.108] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.143] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.165] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.185] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.269] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.314] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.338] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.364] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.550] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.673] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.751] SetEvent (hEvent=0xfc) returned 1 [0199.751] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.761] SetEvent (hEvent=0x420) returned 1 [0199.771] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0199.778] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.778] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0199.782] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0199.782] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0199.782] SetEvent (hEvent=0x3f4) returned 1 [0199.782] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0199.786] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.335] SetEvent (hEvent=0xfc) returned 1 [0200.335] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.340] SetEvent (hEvent=0xfc) returned 1 [0200.341] SetEvent (hEvent=0x420) returned 1 [0200.341] SwitchToThread () returned 1 [0200.381] SwitchToThread () returned 1 [0200.387] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.430] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.567] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.706] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.718] SetEvent (hEvent=0x40c) returned 1 [0200.718] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.728] SetEvent (hEvent=0x420) returned 1 [0200.728] SetEvent (hEvent=0x3f4) returned 1 [0200.728] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.747] SwitchToThread () returned 1 [0200.775] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.820] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A0D2B79B-05BB-4871-8DE6-E766643BD65E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a0d2b79b-05bb-4871-8de6-e766643bd65e"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.821] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.821] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A0D2B79B-05BB-4871-8DE6-E766643BD65E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a0d2b79b-05bb-4871-8de6-e766643bd65e"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabbdccf8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabbdccf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabbdccf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x135f)) returned 1 [0200.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0200.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0200.822] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x135f, lpOverlapped=0x0) returned 1 [0200.841] GetFileType (hFile=0x1a0) returned 0x1 [0200.841] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.841] WriteFile (in: hFile=0x1a0, lpBuffer=0x12902a00*, nNumberOfBytesToWrite=0x135f, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12902a00*, lpNumberOfBytesWritten=0x12a6dd00*=0x135f, lpOverlapped=0x12a6dd0c) returned 1 [0200.841] GetFileType (hFile=0x1a0) returned 0x1 [0200.841] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x135f, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0200.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0200.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0200.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0200.842] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A0D2B79B-05BB-4871-8DE6-E766643BD65E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a0d2b79b-05bb-4871-8de6-e766643bd65e"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.843] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.843] WriteFile (in: hFile=0x448, lpBuffer=0x12c32500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32500*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.843] CloseHandle (hObject=0x448) returned 1 [0200.843] CloseHandle (hObject=0x1a0) returned 1 [0200.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0200.843] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A0D2B79B-05BB-4871-8DE6-E766643BD65E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a0d2b79b-05bb-4871-8de6-e766643bd65e"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[3163B366F076868F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[3163b366f076868f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.851] SetEvent (hEvent=0x19c) returned 1 [0200.851] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.884] SetEvent (hEvent=0x40c) returned 1 [0200.884] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.976] SetEvent (hEvent=0x3f8) returned 1 [0200.976] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0200.979] SetEvent (hEvent=0x3f8) returned 1 [0200.979] SetEvent (hEvent=0x420) returned 1 [0200.979] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C52B4A7C-C9FD-485A-8375-F97F3A24C1BA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c52b4a7c-c9fd-485a-8375-f97f3a24c1ba"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4974447, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4974447, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49759af, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2bd8)) returned 1 [0200.979] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C7B65EEC-91E0-4362-AC18-80B09C3C95AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c7b65eec-91e0-4362-ac18-80b09c3c95ac"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83e6a80, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc83e6a80, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc83e6a80, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1167)) returned 1 [0200.980] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C85A59C5-2B02-4194-AB2C-0E6E2B6031A0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c85a59c5-2b02-4194-ab2c-0e6e2b6031a0"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829b15f8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829b15f8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829b5109, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x634f)) returned 1 [0200.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C7B65EEC-91E0-4362-AC18-80B09C3C95AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c7b65eec-91e0-4362-ac18-80b09c3c95ac"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.980] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0200.981] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C7B65EEC-91E0-4362-AC18-80B09C3C95AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c7b65eec-91e0-4362-ac18-80b09c3c95ac"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83e6a80, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc83e6a80, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc83e6a80, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1167)) returned 1 [0200.981] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0200.981] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a840 | out: pbBuffer=0x12a9a840) returned 1 [0200.981] ReadFile (in: hFile=0x438, lpBuffer=0x12b50000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b50000*, lpNumberOfBytesRead=0x129abd1c*=0x1167, lpOverlapped=0x0) returned 1 [0200.993] GetFileType (hFile=0x438) returned 0x1 [0200.993] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0200.993] WriteFile (in: hFile=0x438, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x1167, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x129abd00*=0x1167, lpOverlapped=0x129abd0c) returned 1 [0200.994] GetFileType (hFile=0x438) returned 0x1 [0200.994] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x1167, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0200.994] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0200.994] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0200.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0200.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a8f8 | out: pbBuffer=0x12a9a8f8) returned 1 [0200.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C7B65EEC-91E0-4362-AC18-80B09C3C95AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c7b65eec-91e0-4362-ac18-80b09c3c95ac"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.995] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0200.995] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.996] CloseHandle (hObject=0x448) returned 1 [0200.996] CloseHandle (hObject=0x438) returned 1 [0200.996] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a910 | out: pbBuffer=0x12a9a910) returned 1 [0200.996] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C7B65EEC-91E0-4362-AC18-80B09C3C95AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c7b65eec-91e0-4362-ac18-80b09c3c95ac"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[E05160C6D0BC4A0F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[e05160c6d0bc4a0f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.997] GetFileType (hFile=0x15c) returned 0x1 [0200.997] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.997] WriteFile (in: hFile=0x15c, lpBuffer=0x12a18000*, nNumberOfBytesToWrite=0x2f7e, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12a18000*, lpNumberOfBytesWritten=0x12a6fd00*=0x2f7e, lpOverlapped=0x12a6fd0c) returned 1 [0200.998] GetFileType (hFile=0x15c) returned 0x1 [0200.998] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x2f7e, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.998] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0200.998] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0200.998] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0200.998] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9aa00 | out: pbBuffer=0x12a9aa00) returned 1 [0200.998] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C4181E33-213A-4456-87BA-15FD83064187" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c4181e33-213a-4456-87ba-15fd83064187"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.999] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.999] WriteFile (in: hFile=0x438, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.999] CloseHandle (hObject=0x438) returned 1 [0200.999] CloseHandle (hObject=0x15c) returned 1 [0200.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aa18 | out: pbBuffer=0x12a9aa18) returned 1 [0200.999] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C4181E33-213A-4456-87BA-15FD83064187" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c4181e33-213a-4456-87ba-15fd83064187"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[3689025E85BC6C37]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[3689025e85bc6c37]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.000] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C9B26F48-B9B2-452D-9E4F-BD539A769B1B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c9b26f48-b9b2-452d-9e4f-bd539a769b1b"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e2fa78, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e2fa78, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e30e51, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5543)) returned 1 [0201.001] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CA094F8F-D41E-43AB-8A32-1A2F34851250" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ca094f8f-d41e-43ab-8a32-1a2f34851250"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabad3e63, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabad3e63, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabad3e63, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a54)) returned 1 [0201.001] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ccb1b3fc-5e0c-4241-abc1-ca67b6c56947"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8293e9d0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x8293e9d0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x8293ff31, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1e19)) returned 1 [0201.001] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CA094F8F-D41E-43AB-8A32-1A2F34851250" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ca094f8f-d41e-43ab-8a32-1a2f34851250"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0201.002] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0201.002] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CA094F8F-D41E-43AB-8A32-1A2F34851250" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ca094f8f-d41e-43ab-8a32-1a2f34851250"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabad3e63, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabad3e63, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabad3e63, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a54)) returned 1 [0201.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928500 | out: pbBuffer=0x12928500) returned 1 [0201.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b280 | out: pbBuffer=0x12a9b280) returned 1 [0201.002] ReadFile (in: hFile=0x15c, lpBuffer=0x12b74000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b74000*, lpNumberOfBytesRead=0x12a6fd1c*=0x1a54, lpOverlapped=0x0) returned 1 [0201.020] GetFileType (hFile=0x15c) returned 0x1 [0201.020] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.021] WriteFile (in: hFile=0x15c, lpBuffer=0x12a48000*, nNumberOfBytesToWrite=0x1a54, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12a48000*, lpNumberOfBytesWritten=0x12a6fd00*=0x1a54, lpOverlapped=0x12a6fd0c) returned 1 [0201.021] GetFileType (hFile=0x15c) returned 0x1 [0201.021] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x1a54, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.021] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0201.021] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0201.022] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835001 | out: pbBuffer=0x12835001) returned 1 [0201.022] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b338 | out: pbBuffer=0x12a9b338) returned 1 [0201.022] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CA094F8F-D41E-43AB-8A32-1A2F34851250" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ca094f8f-d41e-43ab-8a32-1a2f34851250"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.022] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0201.022] WriteFile (in: hFile=0x448, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.022] CloseHandle (hObject=0x448) returned 1 [0201.023] CloseHandle (hObject=0x15c) returned 1 [0201.023] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b350 | out: pbBuffer=0x12a9b350) returned 1 [0201.023] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CA094F8F-D41E-43AB-8A32-1A2F34851250" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ca094f8f-d41e-43ab-8a32-1a2f34851250"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[5505195987A87DCC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[5505195987a87dcc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CFC05EA4-9A97-47D5-9459-FB2F94EE79CC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\cfc05ea4-9a97-47d5-9459-fb2f94ee79cc"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d94a38, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d94a38, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d94a38, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x422e)) returned 1 [0201.025] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D03B54D7-2F02-4F26-B245-6759FD3E5356" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d03b54d7-2f02-4f26-b245-6759fd3e5356"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d89a80, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d89a80, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d8ae10, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x595d)) returned 1 [0201.025] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CFC05EA4-9A97-47D5-9459-FB2F94EE79CC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\cfc05ea4-9a97-47d5-9459-fb2f94ee79cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0201.026] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0201.026] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CFC05EA4-9A97-47D5-9459-FB2F94EE79CC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\cfc05ea4-9a97-47d5-9459-fb2f94ee79cc"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d94a38, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d94a38, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d94a38, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x422e)) returned 1 [0201.026] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928700 | out: pbBuffer=0x12928700) returned 1 [0201.027] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b8f0 | out: pbBuffer=0x12a9b8f0) returned 1 [0201.027] ReadFile (in: hFile=0x15c, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12a6fd1c*=0x422e, lpOverlapped=0x0) returned 1 [0201.049] GetFileType (hFile=0x15c) returned 0x1 [0201.049] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.049] WriteFile (in: hFile=0x15c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x422e, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12a6fd00*=0x422e, lpOverlapped=0x12a6fd0c) returned 1 [0201.049] GetFileType (hFile=0x15c) returned 0x1 [0201.049] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x422e, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835201 | out: pbBuffer=0x12835201) returned 1 [0201.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835301 | out: pbBuffer=0x12835301) returned 1 [0201.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835401 | out: pbBuffer=0x12835401) returned 1 [0201.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b9a8 | out: pbBuffer=0x12a9b9a8) returned 1 [0201.050] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CFC05EA4-9A97-47D5-9459-FB2F94EE79CC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\cfc05ea4-9a97-47d5-9459-fb2f94ee79cc"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.050] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0201.050] WriteFile (in: hFile=0x448, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.050] CloseHandle (hObject=0x448) returned 1 [0201.051] CloseHandle (hObject=0x15c) returned 1 [0201.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b9c0 | out: pbBuffer=0x12a9b9c0) returned 1 [0201.051] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CFC05EA4-9A97-47D5-9459-FB2F94EE79CC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\cfc05ea4-9a97-47d5-9459-fb2f94ee79cc"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[7F9CB921A95A2684]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[7f9cb921a95a2684]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.052] SetEvent (hEvent=0x3f4) returned 1 [0201.052] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0201.071] SetEvent (hEvent=0x3f4) returned 1 [0201.072] GetFileType (hFile=0x438) returned 0x1 [0201.072] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a89ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.072] WriteFile (in: hFile=0x438, lpBuffer=0x129ae000*, nNumberOfBytesToWrite=0x5543, lpNumberOfBytesWritten=0x12a89d00, lpOverlapped=0x12a89d0c | out: lpBuffer=0x129ae000*, lpNumberOfBytesWritten=0x12a89d00*=0x5543, lpOverlapped=0x12a89d0c) returned 1 [0201.072] GetFileType (hFile=0x438) returned 0x1 [0201.072] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x5543, lpNewFilePointer=0x0, dwMoveMethod=0x12a89ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.072] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0201.084] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0201.186] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0201.227] SetEvent (hEvent=0x3f4) returned 1 [0201.227] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\EA6554FC-7DB2-4685-948E-52402E811540" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ea6554fc-7db2-4685-948e-52402e811540"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb679a6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb679a6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb679a6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x292e)) returned 1 [0201.227] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0201.378] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0201.396] SetEvent (hEvent=0x3f4) returned 1 [0201.397] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x5d38e5d2, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d38e5d2, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0201.397] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0201.397] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\*", lpFindFileData=0x1282b7d8 | out: lpFindFileData=0x1282b7d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x5d374b6c, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d38e5d2, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0201.398] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x5d374b6c, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d38e5d2, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0201.398] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d374b6c, ftCreationTime.dwHighDateTime=0x1d7b058, ftLastAccessTime.dwLowDateTime=0x5d374b6c, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d37726a, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x21d15, dwReserved0=0x0, dwReserved1=0x0, cFileName="4958AB69-A28E-4C1F-916A-BDF19CB99CF0", cAlternateFileName="4958AB~1")) returned 1 [0201.398] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2071b, dwReserved0=0x0, dwReserved1=0x0, cFileName="85783D1F-A228-4706-A7FF-1C07A8CCD84F", cAlternateFileName="85783D~1")) returned 1 [0201.398] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0201.398] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0201.399] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b4a0 | out: lpFileInformation=0x1282b4a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0201.400] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0201.401] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.402] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b6b0 | out: lpMode=0x1282b6b0) returned 0 [0201.402] WriteFile (in: hFile=0x448, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b6b0, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b6b0*=0x118a, lpOverlapped=0x0) returned 1 [0201.403] CloseHandle (hObject=0x448) returned 1 [0201.403] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\4958AB69-A28E-4C1F-916A-BDF19CB99CF0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\4958ab69-a28e-4c1f-916a-bdf19cb99cf0"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d374b6c, ftCreationTime.dwHighDateTime=0x1d7b058, ftLastAccessTime.dwLowDateTime=0x5d374b6c, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d37726a, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x21d15)) returned 1 [0201.414] SetEvent (hEvent=0x420) returned 1 [0201.414] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\85783D1F-A228-4706-A7FF-1C07A8CCD84F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\85783d1f-a228-4706-a7ff-1c07a8ccd84f"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2071b)) returned 1 [0201.414] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\excel.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba9333c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba9333c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6b3f26a7, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x13bd9)) returned 1 [0201.415] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\85783D1F-A228-4706-A7FF-1C07A8CCD84F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\85783d1f-a228-4706-a7ff-1c07a8ccd84f"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0201.415] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.415] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\85783D1F-A228-4706-A7FF-1C07A8CCD84F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\85783d1f-a228-4706-a7ff-1c07a8ccd84f"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2071b)) returned 1 [0201.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286a0 | out: pbBuffer=0x129286a0) returned 1 [0201.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34870 | out: pbBuffer=0x12c34870) returned 1 [0201.415] ReadFile (in: hFile=0x3c4, lpBuffer=0x12986000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12986000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0201.577] GetFileType (hFile=0x3c4) returned 0x1 [0201.577] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.577] WriteFile (in: hFile=0x3c4, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0201.578] GetFileType (hFile=0x3c4) returned 0x1 [0201.578] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0201.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0201.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0201.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0201.578] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\85783D1F-A228-4706-A7FF-1C07A8CCD84F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\85783d1f-a228-4706-a7ff-1c07a8ccd84f"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0201.579] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.579] WriteFile (in: hFile=0x42c, lpBuffer=0x12c38000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.579] CloseHandle (hObject=0x42c) returned 1 [0201.579] CloseHandle (hObject=0x3c4) returned 1 [0201.579] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0201.579] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\85783D1F-A228-4706-A7FF-1C07A8CCD84F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\85783d1f-a228-4706-a7ff-1c07a8ccd84f"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\#_THIS_FILE_IS_ENCRYPTED_[62066DDC742606F8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\#_this_file_is_encrypted_[62066ddc742606f8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.620] SetEvent (hEvent=0x3f8) returned 1 [0201.620] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officec2rclient.exe_rules.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0201.620] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.620] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officec2rclient.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20bb7bfa, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x20bb7bfa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x20bb8ff9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050)) returned 1 [0201.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e740 | out: pbBuffer=0x1280e740) returned 1 [0201.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a268 | out: pbBuffer=0x12a9a268) returned 1 [0201.620] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x1282fd1c*=0x4050, lpOverlapped=0x0) returned 1 [0201.624] GetFileType (hFile=0x3c4) returned 0x1 [0201.624] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.624] WriteFile (in: hFile=0x3c4, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x1282fd00*=0x4050, lpOverlapped=0x1282fd0c) returned 1 [0201.624] GetFileType (hFile=0x3c4) returned 0x1 [0201.624] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x4050, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.624] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0201.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0201.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0201.625] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a320 | out: pbBuffer=0x12a9a320) returned 1 [0201.625] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officec2rclient.exe_rules.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.625] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.625] WriteFile (in: hFile=0x448, lpBuffer=0x12c38a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.625] CloseHandle (hObject=0x448) returned 1 [0201.629] CloseHandle (hObject=0x3c4) returned 1 [0201.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a338 | out: pbBuffer=0x12a9a338) returned 1 [0201.633] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officec2rclient.exe_rules.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\#_THIS_FILE_IS_ENCRYPTED_[8588633CCCCD3E63]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\#_this_file_is_encrypted_[8588633ccccd3e63]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0202.457] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0202.594] SwitchToThread () returned 1 [0202.770] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0203.075] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0203.100] SetEvent (hEvent=0x19c) returned 1 [0203.100] GetFileType (hFile=0x15c) returned 0x1 [0203.100] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0203.101] WriteFile (in: hFile=0x15c, lpBuffer=0x12cf2000*, nNumberOfBytesToWrite=0x12c3e, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12cf2000*, lpNumberOfBytesWritten=0x12a6dd00*=0x12c3e, lpOverlapped=0x12a6dd0c) returned 1 [0203.118] GetFileType (hFile=0x15c) returned 0x1 [0203.119] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x12c3e, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0203.184] SwitchToThread () returned 1 [0203.228] SetEvent (hEvent=0xfc) returned 1 [0203.228] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0203.330] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0203.330] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0203.443] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0203.443] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0203.469] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0203.469] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0203.469] SetEvent (hEvent=0x110) returned 1 [0203.479] SetEvent (hEvent=0x19c) returned 1 [0203.479] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0203.522] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0203.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0203.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0203.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0203.846] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848380 | out: pbBuffer=0x12848380) returned 1 [0203.847] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\outlook.exe_rules.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0203.847] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0203.847] WriteFile (in: hFile=0x15c, lpBuffer=0x12926000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12926000*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0203.848] CloseHandle (hObject=0x15c) returned 1 [0203.848] CloseHandle (hObject=0x438) returned 1 [0203.848] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848398 | out: pbBuffer=0x12848398) returned 1 [0203.870] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\outlook.exe_rules.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\#_THIS_FILE_IS_ENCRYPTED_[574B3A5AAEE87769]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\#_this_file_is_encrypted_[574b3a5aaee87769]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0203.872] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\winword.exe_rules.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0203.872] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0203.872] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\winword.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fa7c66, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82fa7c66, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82fa7c66, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x197d6)) returned 1 [0203.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12980200 | out: pbBuffer=0x12980200) returned 1 [0203.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483e0 | out: pbBuffer=0x128483e0) returned 1 [0203.873] ReadFile (in: hFile=0x438, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a71d1c*=0x197d6, lpOverlapped=0x0) returned 1 [0203.890] GetFileType (hFile=0x438) returned 0x1 [0203.891] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0203.891] WriteFile (in: hFile=0x438, lpBuffer=0x12d70000*, nNumberOfBytesToWrite=0x197d6, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12d70000*, lpNumberOfBytesWritten=0x12a71d00*=0x197d6, lpOverlapped=0x12a71d0c) returned 1 [0203.891] GetFileType (hFile=0x438) returned 0x1 [0203.891] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x197d6, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0203.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0203.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0203.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0203.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484b8 | out: pbBuffer=0x128484b8) returned 1 [0203.892] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\winword.exe_rules.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0203.892] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0203.893] WriteFile (in: hFile=0x3c4, lpBuffer=0x12926500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12926500*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0203.893] CloseHandle (hObject=0x3c4) returned 1 [0204.055] CloseHandle (hObject=0x438) returned 1 [0204.153] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484d0 | out: pbBuffer=0x128484d0) returned 1 [0204.153] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\winword.exe_rules.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\#_THIS_FILE_IS_ENCRYPTED_[7EC0B15341B87720]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\#_this_file_is_encrypted_[7ec0b15341b87720]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.333] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otele.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0204.334] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0204.334] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3048af2, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa3048af2, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3049e34, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x117)) returned 1 [0204.334] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928440 | out: pbBuffer=0x12928440) returned 1 [0204.334] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34d00 | out: pbBuffer=0x12c34d00) returned 1 [0204.335] ReadFile (in: hFile=0x1a0, lpBuffer=0x12986000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12986000*, lpNumberOfBytesRead=0x12a6fd1c*=0x117, lpOverlapped=0x0) returned 1 [0204.337] GetFileType (hFile=0x1a0) returned 0x1 [0204.337] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0204.337] WriteFile (in: hFile=0x1a0, lpBuffer=0x1297aa20*, nNumberOfBytesToWrite=0x117, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x1297aa20*, lpNumberOfBytesWritten=0x12a6fd00*=0x117, lpOverlapped=0x12a6fd0c) returned 1 [0204.337] GetFileType (hFile=0x1a0) returned 0x1 [0204.337] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x117, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0204.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0204.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab01 | out: pbBuffer=0x1286ab01) returned 1 [0204.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0204.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34ea8 | out: pbBuffer=0x12c34ea8) returned 1 [0204.339] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otele.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0204.339] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0204.339] WriteFile (in: hFile=0x448, lpBuffer=0x12b44a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0204.345] CloseHandle (hObject=0x448) returned 1 [0204.353] CloseHandle (hObject=0x1a0) returned 1 [0204.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ec0 | out: pbBuffer=0x12c34ec0) returned 1 [0204.357] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otele.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\#_THIS_FILE_IS_ENCRYPTED_[F59F7161014ED5FD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\#_this_file_is_encrypted_[f59f7161014ed5fd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.520] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0204.647] SetEvent (hEvent=0x3f8) returned 1 [0204.647] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{A031426B-8B99-4A54-857D-B4412BDF67CD} (0) - 3412 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{a031426b-8b99-4a54-857d-b4412bdf67cd} (0) - 3412 - excel.exe - otele.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0204.648] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0204.648] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{A031426B-8B99-4A54-857D-B4412BDF67CD} (0) - 3412 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{a031426b-8b99-4a54-857d-b4412bdf67cd} (0) - 3412 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x366f796f, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x366f796f, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x366f8d2c, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0xb8)) returned 1 [0204.648] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282a0 | out: pbBuffer=0x129282a0) returned 1 [0204.648] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848400 | out: pbBuffer=0x12848400) returned 1 [0204.649] ReadFile (in: hFile=0x448, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a6fd1c*=0xb8, lpOverlapped=0x0) returned 1 [0204.650] GetFileType (hFile=0x448) returned 0x1 [0204.650] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0204.650] WriteFile (in: hFile=0x448, lpBuffer=0x128f0300*, nNumberOfBytesToWrite=0xb8, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x128f0300*, lpNumberOfBytesWritten=0x12a6fd00*=0xb8, lpOverlapped=0x12a6fd0c) returned 1 [0204.651] GetFileType (hFile=0x448) returned 0x1 [0204.651] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xb8, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0204.651] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0204.651] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0204.652] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0204.652] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0204.652] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{A031426B-8B99-4A54-857D-B4412BDF67CD} (0) - 3412 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{a031426b-8b99-4a54-857d-b4412bdf67cd} (0) - 3412 - excel.exe - otele.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.652] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0204.652] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0204.665] CloseHandle (hObject=0x3c4) returned 1 [0204.688] CloseHandle (hObject=0x448) returned 1 [0204.709] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ff8 | out: pbBuffer=0x12c34ff8) returned 1 [0204.709] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{A031426B-8B99-4A54-857D-B4412BDF67CD} (0) - 3412 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{a031426b-8b99-4a54-857d-b4412bdf67cd} (0) - 3412 - excel.exe - otele.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\#_THIS_FILE_IS_ENCRYPTED_[6DD79A549F815273]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\#_this_file_is_encrypted_[6dd79a549f815273]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.792] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0204.819] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0204.819] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0204.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x959c295b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x959c295b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98355904, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf8000)) returned 1 [0204.820] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0204.820] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0204.820] ReadFile (in: hFile=0x448, lpBuffer=0x12d28000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d28000*, lpNumberOfBytesRead=0x12a6fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0204.835] GetFileType (hFile=0x448) returned 0x1 [0204.835] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0204.835] WriteFile (in: hFile=0x448, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12a6fd00*=0x20000, lpOverlapped=0x12a6fd0c) returned 1 [0204.836] GetFileType (hFile=0x448) returned 0x1 [0204.837] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0204.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0204.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0204.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0204.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0204.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.resources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0204.838] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0204.838] WriteFile (in: hFile=0x15c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0204.840] CloseHandle (hObject=0x15c) returned 1 [0204.871] CloseHandle (hObject=0x448) returned 1 [0204.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34118 | out: pbBuffer=0x12c34118) returned 1 [0204.993] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.resources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\#_THIS_FILE_IS_ENCRYPTED_[68DA370B93186232]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\#_this_file_is_encrypted_[68da370b93186232]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.427] SetEvent (hEvent=0x110) returned 1 [0205.427] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0205.459] SetEvent (hEvent=0x3f4) returned 1 [0205.459] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0205.459] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0205.459] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91510d84, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91510d84, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0205.460] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98200 | out: pbBuffer=0x12a98200) returned 1 [0205.460] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810410 | out: pbBuffer=0x12810410) returned 1 [0205.460] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x1282fd1c*=0xfcc0, lpOverlapped=0x0) returned 1 [0205.486] GetFileType (hFile=0x3c4) returned 0x1 [0205.486] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0205.486] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0xfcc0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x1282fd00*=0xfcc0, lpOverlapped=0x1282fd0c) returned 1 [0205.487] GetFileType (hFile=0x3c4) returned 0x1 [0205.487] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0xfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0205.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0205.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0205.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0205.488] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128104c8 | out: pbBuffer=0x128104c8) returned 1 [0205.488] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.488] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0205.488] WriteFile (in: hFile=0x15c, lpBuffer=0x12a90500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0205.488] CloseHandle (hObject=0x15c) returned 1 [0205.489] CloseHandle (hObject=0x3c4) returned 1 [0205.489] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104e0 | out: pbBuffer=0x128104e0) returned 1 [0205.489] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\#_THIS_FILE_IS_ENCRYPTED_[041D63B4A8CD55C4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\#_this_file_is_encrypted_[041d63b4a8cd55c4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.529] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0205.655] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0205.666] SetEvent (hEvent=0x19c) returned 1 [0205.666] SwitchToThread () returned 1 [0205.676] SetEvent (hEvent=0x3f4) returned 1 [0205.676] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.677] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0205.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3ea55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97a3ea55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97edd415, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0205.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0205.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0205.678] ReadFile (in: hFile=0x448, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x129abd1c*=0xf2c0, lpOverlapped=0x0) returned 1 [0205.692] GetFileType (hFile=0x448) returned 0x1 [0205.692] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0205.692] WriteFile (in: hFile=0x448, lpBuffer=0x12a42000*, nNumberOfBytesToWrite=0xf2c0, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12a42000*, lpNumberOfBytesWritten=0x129abd00*=0xf2c0, lpOverlapped=0x129abd0c) returned 1 [0205.693] GetFileType (hFile=0x448) returned 0x1 [0205.693] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xf2c0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0205.693] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0205.693] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0205.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0205.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0205.694] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.694] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0205.694] WriteFile (in: hFile=0x15c, lpBuffer=0x12980000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12980000*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0205.694] CloseHandle (hObject=0x15c) returned 1 [0205.694] CloseHandle (hObject=0x448) returned 1 [0205.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0205.694] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\#_THIS_FILE_IS_ENCRYPTED_[0BE68F10F25323B0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\#_this_file_is_encrypted_[0be68f10f25323b0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.695] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0205.731] SetEvent (hEvent=0x19c) returned 1 [0205.731] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplaylogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0205.732] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0205.732] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x13ec46bb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0205.732] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128446a0 | out: pbBuffer=0x128446a0) returned 1 [0205.732] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0205.732] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x129add1c*=0x123c, lpOverlapped=0x0) returned 1 [0205.738] GetFileType (hFile=0x3c4) returned 0x1 [0205.738] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0205.738] WriteFile (in: hFile=0x3c4, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x123c, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x129add00*=0x123c, lpOverlapped=0x129add0c) returned 1 [0205.739] GetFileType (hFile=0x3c4) returned 0x1 [0205.739] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x123c, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0205.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0205.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0205.740] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0205.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0205.741] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplaylogo.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.741] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0205.741] WriteFile (in: hFile=0x15c, lpBuffer=0x12980500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x12980500*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0205.742] CloseHandle (hObject=0x15c) returned 1 [0205.742] CloseHandle (hObject=0x3c4) returned 1 [0205.742] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0205.742] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplaylogo.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[517B882BE9523B25]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[517b882be9523b25]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.815] SetEvent (hEvent=0x110) returned 1 [0205.815] SetEvent (hEvent=0x3f8) returned 1 [0205.815] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\etwlog.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0205.816] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0205.816] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1583f985, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1583f985, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15a2f89d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0205.816] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98420 | out: pbBuffer=0x12a98420) returned 1 [0205.816] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810298 | out: pbBuffer=0x12810298) returned 1 [0205.816] ReadFile (in: hFile=0x3c4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x129add1c*=0x72c0, lpOverlapped=0x0) returned 1 [0205.827] GetFileType (hFile=0x3c4) returned 0x1 [0205.827] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0205.827] WriteFile (in: hFile=0x3c4, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x72c0, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x129add00*=0x72c0, lpOverlapped=0x129add0c) returned 1 [0205.828] GetFileType (hFile=0x3c4) returned 0x1 [0205.828] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x72c0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0205.828] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0205.828] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0205.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0205.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810350 | out: pbBuffer=0x12810350) returned 1 [0205.829] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\etwlog.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0205.829] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0205.829] WriteFile (in: hFile=0x438, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0205.830] CloseHandle (hObject=0x438) returned 1 [0205.834] CloseHandle (hObject=0x3c4) returned 1 [0205.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810368 | out: pbBuffer=0x12810368) returned 1 [0205.837] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\etwlog.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[3ABED31EE7F28839]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[3abed31ee7f28839]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.950] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0206.278] SetEvent (hEvent=0x420) returned 1 [0206.278] SetEvent (hEvent=0x3f4) returned 1 [0206.278] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x173aa99c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x17f23e2a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17f23e2a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.283] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0206.332] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.333] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x173aa99c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x173aa99c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17f23e2a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0206.333] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x173aa99c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x173aa99c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17f23e2a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.333] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17f23e2a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x17f23e2a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.333] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.333] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0206.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.334] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.334] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0206.363] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.363] WriteFile (in: hFile=0x448, lpBuffer=0x12bdd300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12bdd300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.365] CloseHandle (hObject=0x448) returned 1 [0206.365] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17f23e2a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x17f23e2a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0206.383] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0206.396] SetEvent (hEvent=0x40c) returned 1 [0206.397] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18b820b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1989ef6a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1989ef6a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.492] SetEvent (hEvent=0x110) returned 1 [0206.492] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.492] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18b820b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x18b820b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1989ef6a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0206.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18b820b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x18b820b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1989ef6a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1989ef6a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1989ef6a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a464b30, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.493] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0206.493] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.494] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0206.525] SetEvent (hEvent=0x110) returned 1 [0206.525] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.525] WriteFile (in: hFile=0x15c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.527] CloseHandle (hObject=0x15c) returned 1 [0206.528] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1989ef6a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1989ef6a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a464b30, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0206.535] SetEvent (hEvent=0x110) returned 1 [0206.535] SetEvent (hEvent=0x3f8) returned 1 [0206.535] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a48ae1d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a7abf56, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a7abf56, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.561] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.561] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a48ae1d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a48ae1d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a7abf56, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0206.561] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a48ae1d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a48ae1d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a7abf56, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.561] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a7abf56, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a7abf56, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a94f788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.561] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.561] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0206.562] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.562] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.562] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0206.566] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.566] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.567] CloseHandle (hObject=0x1a0) returned 1 [0206.568] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a7abf56, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a7abf56, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a94f788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0206.571] SetEvent (hEvent=0x3f8) returned 1 [0206.571] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a975942, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ac24464, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ac24464, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.571] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.571] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a975942, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a975942, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ac24464, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0206.572] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a975942, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a975942, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ac24464, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.572] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ac24464, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ac24464, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ad092fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.572] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.572] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0206.572] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.572] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.572] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0206.573] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.573] WriteFile (in: hFile=0x448, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.575] CloseHandle (hObject=0x448) returned 1 [0206.575] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ac24464, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ac24464, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ad092fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0206.575] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ae142b4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b1a7cae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b1a7cae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.587] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.588] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ae142b4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ae142b4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b1a7cae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0206.588] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ae142b4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ae142b4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b1a7cae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.588] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b1a7cae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b1a7cae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b2b2bd5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.588] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.588] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0206.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.588] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.588] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0206.589] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.589] WriteFile (in: hFile=0x1a0, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.591] CloseHandle (hObject=0x1a0) returned 1 [0206.591] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b1a7cae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b1a7cae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b2b2bd5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0206.592] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b37172b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b587918, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b587918, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.597] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0206.615] SetEvent (hEvent=0x10c) returned 1 [0206.615] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.615] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b37172b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b37172b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b587918, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0206.615] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b37172b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b37172b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b587918, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.615] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b587918, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b587918, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6464e2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.616] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.616] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0206.616] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.616] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.616] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.617] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.617] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c21300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c21300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.619] CloseHandle (hObject=0x3c4) returned 1 [0206.619] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b587918, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b587918, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6464e2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0206.620] SetEvent (hEvent=0x40c) returned 1 [0206.620] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6464e2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b91b09f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b91b09f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.621] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6464e2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6464e2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b91b09f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0206.622] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6464e2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6464e2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b91b09f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.622] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b91b09f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b91b09f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1bf10fb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.622] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.622] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0206.622] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.622] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.622] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.623] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.623] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c22600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c22600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.625] CloseHandle (hObject=0x3c4) returned 1 [0206.625] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b91b09f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b91b09f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1bf10fb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0206.626] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4ba8d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c5eb9fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c5eb9fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.626] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.626] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4ba8d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4ba8d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c5eb9fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0206.626] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4ba8d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4ba8d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c5eb9fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.627] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c5eb9fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c5eb9fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1df1a8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.627] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.627] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0206.627] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.628] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.628] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c23900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c23900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.639] CloseHandle (hObject=0x3c4) returned 1 [0206.639] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c5eb9fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c5eb9fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1df1a8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0206.639] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0207.057] SetEvent (hEvent=0x3f8) returned 1 [0207.057] SetEvent (hEvent=0xfc) returned 1 [0207.058] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0207.499] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0209.017] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0209.019] SetEvent (hEvent=0x3f8) returned 1 [0209.019] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0209.025] SetEvent (hEvent=0x3f8) returned 1 [0209.025] SetEvent (hEvent=0x1b8) returned 1 [0209.025] SwitchToThread () returned 1 [0209.075] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0209.813] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0209.961] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0210.013] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0210.219] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0210.249] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0210.288] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0210.324] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0210.435] SetEvent (hEvent=0x1b8) returned 1 [0210.435] SetEvent (hEvent=0x3f8) returned 1 [0210.435] SetEvent (hEvent=0x3f4) returned 1 [0210.435] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0210.442] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0210.478] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0210.489] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0210.489] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0210.489] SetEvent (hEvent=0x3f8) returned 1 [0210.489] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0210.505] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0214.883] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0215.558] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0219.038] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0219.116] SwitchToThread () returned 1 [0219.156] SetEvent (hEvent=0xf4) returned 1 [0219.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0219.156] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0219.156] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0219.156] WriteFile (in: hFile=0x1a0, lpBuffer=0x1285a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285a000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0219.157] CloseHandle (hObject=0x1a0) returned 1 [0219.157] CloseHandle (hObject=0x15c) returned 1 [0219.157] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a030 | out: pbBuffer=0x12a9a030) returned 1 [0219.158] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\#_THIS_FILE_IS_ENCRYPTED_[5C98CC2EA3C337C5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\#_this_file_is_encrypted_[5c98cc2ea3c337c5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0219.750] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0223.577] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffacc, ulCount=0x10, ulNumEntriesRemoved=0x334ffab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffacc, ulNumEntriesRemoved=0x334ffab0) returned 0 [0223.577] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffacc, ulCount=0x10, ulNumEntriesRemoved=0x334ffab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x334ffacc, ulNumEntriesRemoved=0x334ffab0) returned 1 [0229.355] WSAGetOverlappedResult (in: s=0x3e4, lpOverlapped=0x12b1c014, lpcbTransfer=0x334ffaac, fWait=0, lpdwFlags=0x334ffabc | out: lpcbTransfer=0x334ffaac, lpdwFlags=0x334ffabc) returned 0 [0229.355] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0229.433] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.434] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0229.434] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50e97fc4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50e97fc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50f3092d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0229.434] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844560 | out: pbBuffer=0x12844560) returned 1 [0229.435] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849050 | out: pbBuffer=0x12849050) returned 1 [0229.435] ReadFile (in: hFile=0x438, lpBuffer=0x1299a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x1299a000*, lpNumberOfBytesRead=0x12be5d1c*=0xf2c0, lpOverlapped=0x0) returned 1 [0229.578] GetFileType (hFile=0x438) returned 0x1 [0229.578] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.579] WriteFile (in: hFile=0x438, lpBuffer=0x12d7a000*, nNumberOfBytesToWrite=0xf2c0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12d7a000*, lpNumberOfBytesWritten=0x12be5d00*=0xf2c0, lpOverlapped=0x12be5d0c) returned 1 [0229.579] GetFileType (hFile=0x438) returned 0x1 [0229.579] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xf2c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0229.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0229.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0229.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ad90 | out: pbBuffer=0x12a9ad90) returned 1 [0229.582] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.582] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0229.582] WriteFile (in: hFile=0x458, lpBuffer=0x129fd400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fd400*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.582] CloseHandle (hObject=0x458) returned 1 [0229.583] CloseHandle (hObject=0x438) returned 1 [0229.583] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ada8 | out: pbBuffer=0x12a9ada8) returned 1 [0229.583] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\#_THIS_FILE_IS_ENCRYPTED_[075AE61EBCB7A11C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\#_this_file_is_encrypted_[075ae61ebcb7a11c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.586] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0229.655] SetEvent (hEvent=0x3cc) returned 1 [0229.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0229.656] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0229.656] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51631498, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51631498, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x516f0240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0229.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0229.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0229.656] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12be3d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0229.700] GetFileType (hFile=0x3e4) returned 0x1 [0229.700] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.700] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be3d00*=0x15ac0, lpOverlapped=0x12be3d0c) returned 1 [0229.701] GetFileType (hFile=0x3e4) returned 0x1 [0229.701] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0229.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0229.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0229.702] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0229.702] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0229.702] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0229.702] WriteFile (in: hFile=0x44c, lpBuffer=0x1294e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x1294e500*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.702] CloseHandle (hObject=0x44c) returned 1 [0229.702] CloseHandle (hObject=0x3e4) returned 1 [0229.702] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0229.703] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\#_THIS_FILE_IS_ENCRYPTED_[F8D3BFA53BFAA058]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\#_this_file_is_encrypted_[f8d3bfa53bfaa058]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.800] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0229.855] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0229.856] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0229.856] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x562eeec6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x562eeec6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5668283e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0229.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e760 | out: pbBuffer=0x1280e760) returned 1 [0229.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810290 | out: pbBuffer=0x12810290) returned 1 [0229.856] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0229.856] SetEvent (hEvent=0xfc) returned 1 [0229.856] ReadFile (in: hFile=0x3e4, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12be5d1c*=0x162c0, lpOverlapped=0x0) returned 1 [0229.908] GetFileType (hFile=0x3e4) returned 0x1 [0229.908] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.908] WriteFile (in: hFile=0x3e4, lpBuffer=0x12d12000*, nNumberOfBytesToWrite=0x162c0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12d12000*, lpNumberOfBytesWritten=0x12be5d00*=0x162c0, lpOverlapped=0x12be5d0c) returned 1 [0229.909] GetFileType (hFile=0x3e4) returned 0x1 [0229.909] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x162c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0229.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0229.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0229.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810348 | out: pbBuffer=0x12810348) returned 1 [0229.910] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0229.910] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0229.911] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.911] CloseHandle (hObject=0x44c) returned 1 [0229.911] CloseHandle (hObject=0x3e4) returned 1 [0229.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810360 | out: pbBuffer=0x12810360) returned 1 [0229.911] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\#_THIS_FILE_IS_ENCRYPTED_[1D72B1E2BD9BC7EF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\#_this_file_is_encrypted_[1d72b1e2bd9bc7ef]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.033] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0230.036] SetEvent (hEvent=0x40c) returned 1 [0230.036] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0230.036] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0230.036] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56b938ba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56f011c0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x186c0)) returned 1 [0230.036] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0230.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0230.037] ReadFile (in: hFile=0x3e4, lpBuffer=0x1295a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x1295a000*, lpNumberOfBytesRead=0x12829d1c*=0x186c0, lpOverlapped=0x0) returned 1 [0230.051] GetFileType (hFile=0x3e4) returned 0x1 [0230.052] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.052] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x186c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12829d00*=0x186c0, lpOverlapped=0x12829d0c) returned 1 [0230.053] GetFileType (hFile=0x3e4) returned 0x1 [0230.053] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x186c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0230.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0230.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0230.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0230.054] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.054] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0230.054] WriteFile (in: hFile=0x42c, lpBuffer=0x129fc000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fc000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.054] CloseHandle (hObject=0x42c) returned 1 [0230.054] CloseHandle (hObject=0x3e4) returned 1 [0230.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0230.055] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\#_THIS_FILE_IS_ENCRYPTED_[8D272654BF661D70]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\#_this_file_is_encrypted_[8d272654bf661d70]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.074] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0230.095] SetEvent (hEvent=0x3f4) returned 1 [0230.095] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0230.095] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0230.095] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bdd475a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5bdd475a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5cb63e92, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0230.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0230.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8bf0 | out: pbBuffer=0x128e8bf0) returned 1 [0230.096] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12be5d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0230.122] GetFileType (hFile=0x3e4) returned 0x1 [0230.122] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.122] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12be5d00*=0x15cc0, lpOverlapped=0x12be5d0c) returned 1 [0230.133] GetFileType (hFile=0x3e4) returned 0x1 [0230.133] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.134] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0230.134] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0230.134] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0230.134] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8ca8 | out: pbBuffer=0x128e8ca8) returned 1 [0230.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0230.135] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0230.135] WriteFile (in: hFile=0x458, lpBuffer=0x12c30000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c30000*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.135] CloseHandle (hObject=0x458) returned 1 [0230.135] CloseHandle (hObject=0x3e4) returned 1 [0230.135] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8cc0 | out: pbBuffer=0x128e8cc0) returned 1 [0230.135] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\#_THIS_FILE_IS_ENCRYPTED_[E8389613A462DB80]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\#_this_file_is_encrypted_[e8389613a462db80]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.136] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d5ac1b2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d80e6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d80e6a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.311] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.311] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d5ac1b2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d5ac1b2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d80e6a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0230.312] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d5ac1b2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d5ac1b2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d80e6a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.312] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d80e6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d80e6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.312] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.312] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0230.313] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.313] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.313] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.336] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.336] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.338] CloseHandle (hObject=0x42c) returned 1 [0230.338] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d80e6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d80e6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0230.343] SetEvent (hEvent=0x40c) returned 1 [0230.343] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd6ba86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dfa7ed7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dfa7ed7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.647] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.647] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd6ba86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd6ba86, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dfa7ed7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0230.647] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd6ba86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd6ba86, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dfa7ed7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.647] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dfa7ed7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dfa7ed7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e197eee, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.647] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.647] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0230.648] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0230.654] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.654] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.655] CloseHandle (hObject=0x3e4) returned 1 [0230.656] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dfa7ed7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dfa7ed7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e197eee, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0230.669] SetEvent (hEvent=0x110) returned 1 [0230.669] SetEvent (hEvent=0x40c) returned 1 [0230.669] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e23074d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e492cdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e492cdf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.747] SetEvent (hEvent=0x110) returned 1 [0230.747] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.747] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e23074d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e23074d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e492cdf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0230.748] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e23074d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e23074d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e492cdf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.748] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e492cdf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e492cdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e7da121, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.748] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.748] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0230.748] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.748] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.748] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.755] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.755] WriteFile (in: hFile=0x42c, lpBuffer=0x1294e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1294e000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.756] CloseHandle (hObject=0x42c) returned 1 [0230.756] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e492cdf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e492cdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e7da121, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0230.761] SetEvent (hEvent=0x40c) returned 1 [0230.761] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e80018f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ea3c6d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ea3c6d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.766] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e80018f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e80018f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ea3c6d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0230.766] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e80018f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e80018f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ea3c6d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.766] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ea3c6d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ea3c6d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ebe02eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.767] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.767] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0230.767] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.767] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.767] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.768] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.768] WriteFile (in: hFile=0x42c, lpBuffer=0x1294f300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1294f300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.770] CloseHandle (hObject=0x42c) returned 1 [0230.770] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ea3c6d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ea3c6d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ebe02eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0230.770] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ec78c0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5f222205, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5f222205, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.771] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.771] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ec78c0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ec78c0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5f222205, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0230.771] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ec78c0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ec78c0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5f222205, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.771] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f222205, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5f222205, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5fc90822, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.771] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.771] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0230.771] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.772] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.772] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.773] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.773] WriteFile (in: hFile=0x42c, lpBuffer=0x12950600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12950600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.774] CloseHandle (hObject=0x42c) returned 1 [0230.774] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f222205, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5f222205, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5fc90822, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0)) returned 1 [0230.787] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ff65328, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60e25c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60e25c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.864] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.864] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ff65328, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ff65328, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60e25c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0230.864] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ff65328, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ff65328, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60e25c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.864] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60e25c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60e25c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6129e362, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.864] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.864] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0230.865] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.865] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.865] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.892] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.893] WriteFile (in: hFile=0x42c, lpBuffer=0x12951900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12951900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.894] CloseHandle (hObject=0x42c) returned 1 [0230.894] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60e25c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60e25c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6129e362, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0230.902] SetEvent (hEvent=0x3cc) returned 1 [0230.902] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x620c61fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x620c61fa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.913] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.913] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x620c61fa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0230.913] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x620c61fa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.913] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x620c61fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x620c61fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6247ff69, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.913] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.913] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0230.914] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.914] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.914] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.915] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.915] WriteFile (in: hFile=0x42c, lpBuffer=0x12952c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12952c00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.917] CloseHandle (hObject=0x42c) returned 1 [0230.917] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x620c61fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x620c61fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6247ff69, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0230.928] SetEvent (hEvent=0x3f4) returned 1 [0230.928] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b701d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x637def0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x637def0d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.928] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.928] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b701d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x629b701d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x637def0d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0230.929] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b701d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x629b701d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x637def0d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.929] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637def0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x637def0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6435835e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.929] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.929] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0230.929] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.929] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.929] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.930] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.930] WriteFile (in: hFile=0x42c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.932] CloseHandle (hObject=0x42c) returned 1 [0230.932] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637def0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x637def0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6435835e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0230.933] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x643f0dfd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64653213, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64653213, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.933] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.933] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x643f0dfd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x643f0dfd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64653213, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0230.933] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x643f0dfd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x643f0dfd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64653213, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.933] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64653213, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64653213, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.934] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.934] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0230.934] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.934] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.934] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.961] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.961] WriteFile (in: hFile=0x42c, lpBuffer=0x12b11300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12b11300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.963] CloseHandle (hObject=0x42c) returned 1 [0230.963] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64653213, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64653213, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0230.969] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0230.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64decb7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6523efba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6523efba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.979] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.979] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64decb7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64decb7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6523efba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0230.979] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64decb7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64decb7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6523efba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.979] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6523efba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6523efba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.979] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.979] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0230.980] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0230.981] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.981] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.983] CloseHandle (hObject=0x3e4) returned 1 [0230.983] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6523efba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6523efba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0)) returned 1 [0230.988] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0230.989] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0230.989] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64653213, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64653213, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0230.989] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928900 | out: pbBuffer=0x12928900) returned 1 [0230.989] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b30 | out: pbBuffer=0x12810b30) returned 1 [0230.989] ReadFile (in: hFile=0x3e4, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x1282fd1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0231.040] GetFileType (hFile=0x3e4) returned 0x1 [0231.040] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.040] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x1282fd00*=0x15ec0, lpOverlapped=0x1282fd0c) returned 1 [0231.041] GetFileType (hFile=0x3e4) returned 0x1 [0231.041] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0231.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0231.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0231.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810218 | out: pbBuffer=0x12810218) returned 1 [0231.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.042] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.042] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0231.043] CloseHandle (hObject=0x42c) returned 1 [0231.043] CloseHandle (hObject=0x3e4) returned 1 [0231.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810230 | out: pbBuffer=0x12810230) returned 1 [0231.043] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\#_THIS_FILE_IS_ENCRYPTED_[572E01ACB1CA7D3E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\#_this_file_is_encrypted_[572e01acb1ca7d3e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.189] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6761ad3f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6787d40a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6787d40a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0231.221] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.221] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6761ad3f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6761ad3f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6787d40a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0231.221] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6761ad3f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6761ad3f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6787d40a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.221] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6787d40a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6787d40a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67b05aac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0231.221] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0231.222] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0231.222] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.226] SetEvent (hEvent=0x110) returned 1 [0231.226] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0231.226] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0231.227] CloseHandle (hObject=0x42c) returned 1 [0231.227] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6787d40a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6787d40a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67b05aac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0231.232] SetEvent (hEvent=0x1b8) returned 1 [0231.232] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67d68156, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6820824a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6820824a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0231.232] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.232] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67d68156, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67d68156, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6820824a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0231.233] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67d68156, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67d68156, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6820824a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.233] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6820824a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6820824a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x684b56cd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0231.233] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0231.233] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0231.233] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.233] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.233] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.234] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0231.234] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0231.235] CloseHandle (hObject=0x42c) returned 1 [0231.235] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6820824a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6820824a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x684b56cd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0)) returned 1 [0231.239] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68501b94, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68ad15e9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68ad15e9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0231.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.240] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68501b94, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68501b94, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68ad15e9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0231.240] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68501b94, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68501b94, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68ad15e9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.240] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ad15e9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68ad15e9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6902ec5e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0231.240] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0231.240] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0231.240] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0231.241] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0231.241] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0231.242] CloseHandle (hObject=0x3e4) returned 1 [0231.242] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ad15e9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68ad15e9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6902ec5e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0231.255] SetEvent (hEvent=0x454) returned 1 [0231.255] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6928c707, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x694c8d43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x694c8d43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0231.255] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.255] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6928c707, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6928c707, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x694c8d43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0231.256] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6928c707, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6928c707, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x694c8d43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.256] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x694c8d43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x694c8d43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x69b573d0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0231.256] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0231.256] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0231.256] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.257] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0231.257] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0231.257] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a48000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a48000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0231.259] CloseHandle (hObject=0x3e4) returned 1 [0231.259] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x694c8d43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x694c8d43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x69b573d0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0231.259] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0231.260] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.260] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ad15e9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68ad15e9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6902ec5e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0231.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844fc0 | out: pbBuffer=0x12844fc0) returned 1 [0231.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b200 | out: pbBuffer=0x12a9b200) returned 1 [0231.260] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0231.264] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0231.264] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0231.264] SetEvent (hEvent=0x110) returned 1 [0231.264] SetEvent (hEvent=0x454) returned 1 [0231.264] ReadFile (in: hFile=0x3e4, lpBuffer=0x12d64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d64000*, lpNumberOfBytesRead=0x12be5d1c*=0x168c0, lpOverlapped=0x0) returned 1 [0231.322] GetFileType (hFile=0x3e4) returned 0x1 [0231.322] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.322] WriteFile (in: hFile=0x3e4, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x168c0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x12be5d00*=0x168c0, lpOverlapped=0x12be5d0c) returned 1 [0231.324] GetFileType (hFile=0x3e4) returned 0x1 [0231.324] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x168c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.324] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0231.324] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0231.324] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0231.325] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0231.325] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.325] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.326] WriteFile (in: hFile=0x458, lpBuffer=0x12a4c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a4c000*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.326] CloseHandle (hObject=0x458) returned 1 [0231.326] CloseHandle (hObject=0x3e4) returned 1 [0231.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810118 | out: pbBuffer=0x12810118) returned 1 [0231.327] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\#_THIS_FILE_IS_ENCRYPTED_[98749A56AD7E5794]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\#_this_file_is_encrypted_[98749a56ad7e5794]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.330] SetEvent (hEvent=0xfc) returned 1 [0231.330] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0231.331] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.331] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a811240, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a811240, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6acfbf1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0231.331] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844500 | out: pbBuffer=0x12844500) returned 1 [0231.331] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0231.331] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12be5d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0231.369] GetFileType (hFile=0x3e4) returned 0x1 [0231.369] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.369] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12be5d00*=0x156c0, lpOverlapped=0x12be5d0c) returned 1 [0231.369] GetFileType (hFile=0x3e4) returned 0x1 [0231.370] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.370] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0231.370] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0231.370] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0231.370] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810b60 | out: pbBuffer=0x12810b60) returned 1 [0231.370] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.371] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.371] WriteFile (in: hFile=0x458, lpBuffer=0x12a4ca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a4ca00*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.371] CloseHandle (hObject=0x458) returned 1 [0231.371] CloseHandle (hObject=0x3e4) returned 1 [0231.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b78 | out: pbBuffer=0x12810b78) returned 1 [0231.371] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\#_THIS_FILE_IS_ENCRYPTED_[1A3A46E7A0A167A0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\#_this_file_is_encrypted_[1a3a46e7a0a167a0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.493] SetEvent (hEvent=0x110) returned 1 [0231.493] SetEvent (hEvent=0xfc) returned 1 [0231.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wlmfds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0231.494] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.503] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wlmfds.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6675a388, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6675a388, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x679d4966, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x684c0)) returned 1 [0231.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845340 | out: pbBuffer=0x12845340) returned 1 [0231.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810cc8 | out: pbBuffer=0x12810cc8) returned 1 [0231.504] ReadFile (in: hFile=0x3e4, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12be5d1c*=0x20000, lpOverlapped=0x0) returned 1 [0231.657] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0231.661] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0231.661] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0231.661] SetEvent (hEvent=0x110) returned 1 [0231.661] SetEvent (hEvent=0x3cc) returned 1 [0231.662] GetFileType (hFile=0x3e4) returned 0x1 [0231.663] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.663] WriteFile (in: hFile=0x3e4, lpBuffer=0x12cbc000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12cbc000*, lpNumberOfBytesWritten=0x12be5d00*=0x20000, lpOverlapped=0x12be5d0c) returned 1 [0231.664] GetFileType (hFile=0x3e4) returned 0x1 [0231.664] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0231.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0231.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0231.667] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a530 | out: pbBuffer=0x12a9a530) returned 1 [0231.667] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wlmfds.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.667] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.667] WriteFile (in: hFile=0x438, lpBuffer=0x129c4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x129c4000*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.688] CloseHandle (hObject=0x438) returned 1 [0231.688] CloseHandle (hObject=0x3e4) returned 1 [0231.688] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484d8 | out: pbBuffer=0x128484d8) returned 1 [0231.688] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wlmfds.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[57839217D5D51B9A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[57839217d5d51b9a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.690] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0231.736] SetEvent (hEvent=0x40c) returned 1 [0231.736] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0231.736] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.737] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd30f840f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd30f840f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3b4055a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0231.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0231.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0231.737] ReadFile (in: hFile=0x3e4, lpBuffer=0x12ba6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba6000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0231.754] GetFileType (hFile=0x3e4) returned 0x1 [0231.754] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.754] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0231.755] GetFileType (hFile=0x3e4) returned 0x1 [0231.755] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0231.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0231.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0231.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810d00 | out: pbBuffer=0x12810d00) returned 1 [0231.756] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.756] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.757] WriteFile (in: hFile=0x438, lpBuffer=0x129c4a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x129c4a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0231.766] CloseHandle (hObject=0x438) returned 1 [0231.772] CloseHandle (hObject=0x3e4) returned 1 [0231.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811278 | out: pbBuffer=0x12811278) returned 1 [0231.777] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[2C99FD37DBEBC2C7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[2c99fd37dbebc2c7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.971] SetEvent (hEvent=0x110) returned 1 [0231.971] SetEvent (hEvent=0xfc) returned 1 [0231.971] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\exclusionlist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0231.972] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.972] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd514dfac, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd514dfac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd80fd0fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0231.973] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286c0 | out: pbBuffer=0x129286c0) returned 1 [0231.973] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2a8 | out: pbBuffer=0x12a9a2a8) returned 1 [0231.973] ReadFile (in: hFile=0x44c, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x1282fd1c*=0x4e5f, lpOverlapped=0x0) returned 1 [0232.000] GetFileType (hFile=0x44c) returned 0x1 [0232.000] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0232.000] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x4e5f, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x1282fd00*=0x4e5f, lpOverlapped=0x1282fd0c) returned 1 [0232.000] GetFileType (hFile=0x44c) returned 0x1 [0232.001] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x4e5f, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0232.001] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0232.001] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0232.001] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0232.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a370 | out: pbBuffer=0x12a9a370) returned 1 [0232.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\exclusionlist.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0232.002] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0232.002] WriteFile (in: hFile=0x3e4, lpBuffer=0x12aeea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12aeea00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0232.002] CloseHandle (hObject=0x3e4) returned 1 [0232.069] CloseHandle (hObject=0x44c) returned 1 [0232.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a448 | out: pbBuffer=0x12a9a448) returned 1 [0232.078] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\exclusionlist.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[B5AF47315946FFC2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[b5af47315946ffc2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0233.533] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0233.878] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0234.036] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0234.107] SetEvent (hEvent=0x1b8) returned 1 [0234.108] SetEvent (hEvent=0xfc) returned 1 [0234.108] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0235.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\loggingplatform.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0235.212] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0235.212] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\loggingplatform.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a385d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1a385d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2245d34, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0)) returned 1 [0235.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129293e0 | out: pbBuffer=0x129293e0) returned 1 [0235.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a970 | out: pbBuffer=0x12a9a970) returned 1 [0235.213] ReadFile (in: hFile=0x458, lpBuffer=0x12a16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a16000*, lpNumberOfBytesRead=0x12a67d1c*=0x1a8c0, lpOverlapped=0x0) returned 1 [0235.507] GetFileType (hFile=0x458) returned 0x1 [0235.507] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0235.508] WriteFile (in: hFile=0x458, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x1a8c0, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12a67d00*=0x1a8c0, lpOverlapped=0x12a67d0c) returned 1 [0235.509] GetFileType (hFile=0x458) returned 0x1 [0235.509] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x1a8c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0235.509] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0235.509] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0235.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0235.576] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b080 | out: pbBuffer=0x12a9b080) returned 1 [0235.577] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\loggingplatform.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0235.577] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0235.577] WriteFile (in: hFile=0x450, lpBuffer=0x12b02a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02a00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0235.578] CloseHandle (hObject=0x450) returned 1 [0235.578] CloseHandle (hObject=0x458) returned 1 [0235.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b098 | out: pbBuffer=0x12a9b098) returned 1 [0235.578] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\loggingplatform.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[BBFACF22D7102411]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[bbfacf22d7102411]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.058] SetEvent (hEvent=0x110) returned 1 [0236.059] SetEvent (hEvent=0x19c) returned 1 [0236.059] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\remoteaccess.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0236.060] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0236.060] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\remoteaccess.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14d0a816, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x14d0a816, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x16afe0f6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0)) returned 1 [0236.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a6a680 | out: pbBuffer=0x12a6a680) returned 1 [0236.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8600 | out: pbBuffer=0x128e8600) returned 1 [0236.061] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0236.069] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0236.069] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0236.069] SetEvent (hEvent=0x19c) returned 1 [0236.069] ReadFile (in: hFile=0x458, lpBuffer=0x12cc0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc0000*, lpNumberOfBytesRead=0x12a67d1c*=0x20000, lpOverlapped=0x0) returned 1 [0236.085] GetFileType (hFile=0x458) returned 0x1 [0236.085] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.085] WriteFile (in: hFile=0x458, lpBuffer=0x12d08000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12d08000*, lpNumberOfBytesWritten=0x12a67d00*=0x20000, lpOverlapped=0x12a67d0c) returned 1 [0236.087] GetFileType (hFile=0x458) returned 0x1 [0236.087] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.087] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0236.087] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0236.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0236.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e86b8 | out: pbBuffer=0x128e86b8) returned 1 [0236.089] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\remoteaccess.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0236.090] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0236.090] WriteFile (in: hFile=0x45c, lpBuffer=0x128ad400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ad400*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0236.098] CloseHandle (hObject=0x45c) returned 1 [0236.103] CloseHandle (hObject=0x458) returned 1 [0236.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810030 | out: pbBuffer=0x12810030) returned 1 [0236.106] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\remoteaccess.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[3801AF8FEE840B35]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[3801af8fee840b35]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.434] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0236.466] SetEvent (hEvent=0x40c) returned 1 [0236.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\syncengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0236.467] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0236.468] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\syncengine.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25924c48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25924c48, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c240c38, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3018c0)) returned 1 [0236.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0236.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a028 | out: pbBuffer=0x12a9a028) returned 1 [0236.468] ReadFile (in: hFile=0x458, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12a67d1c*=0x20000, lpOverlapped=0x0) returned 1 [0236.511] GetFileType (hFile=0x458) returned 0x1 [0236.511] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.511] WriteFile (in: hFile=0x458, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12a67d00*=0x20000, lpOverlapped=0x12a67d0c) returned 1 [0236.523] GetFileType (hFile=0x458) returned 0x1 [0236.524] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0236.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0236.534] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0236.535] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1e0 | out: pbBuffer=0x12a9a1e0) returned 1 [0236.535] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\syncengine.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0236.535] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0236.536] WriteFile (in: hFile=0x44c, lpBuffer=0x1285e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285e500*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0236.668] SetEvent (hEvent=0x110) returned 1 [0236.668] CloseHandle (hObject=0x44c) returned 1 [0236.673] CloseHandle (hObject=0x458) returned 1 [0236.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34cb8 | out: pbBuffer=0x12c34cb8) returned 1 [0236.676] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\syncengine.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[E1CAA9FA38C2ABA4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[e1caa9fa38c2aba4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.714] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ab7dde1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b11c874, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b11c874, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0236.718] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0236.718] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ab7dde1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ab7dde1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b11c874, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0236.741] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ab7dde1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ab7dde1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b11c874, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0236.741] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b11c874, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b11c874, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b3f84d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0236.741] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0236.741] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0236.768] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.768] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.768] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0236.770] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0236.770] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0236.771] CloseHandle (hObject=0x42c) returned 1 [0236.771] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b11c874, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b11c874, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b3f84d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0236.775] SetEvent (hEvent=0x19c) returned 1 [0236.775] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b53a13b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3beb3411, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3beb3411, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0236.781] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0236.781] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b53a13b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b53a13b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3beb3411, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0236.781] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b53a13b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b53a13b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3beb3411, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0236.781] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3beb3411, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3beb3411, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c1fa809, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0236.781] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0236.781] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0236.781] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.781] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.782] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0236.782] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0236.783] WriteFile (in: hFile=0x460, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0236.785] CloseHandle (hObject=0x460) returned 1 [0236.785] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3beb3411, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3beb3411, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c1fa809, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x114c0)) returned 1 [0236.788] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0236.926] SetEvent (hEvent=0x1b8) returned 1 [0236.926] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0236.955] SetEvent (hEvent=0x1b8) returned 1 [0236.956] SetEvent (hEvent=0x40c) returned 1 [0236.956] SetEvent (hEvent=0x420) returned 1 [0236.956] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0236.966] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0236.971] SetEvent (hEvent=0x1b8) returned 1 [0236.971] SetEvent (hEvent=0x40c) returned 1 [0236.971] SetEvent (hEvent=0x19c) returned 1 [0236.971] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0237.006] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0237.079] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0237.080] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.080] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c3eb6a8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c3eb6a8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0)) returned 1 [0237.080] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0237.080] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0237.080] ReadFile (in: hFile=0x42c, lpBuffer=0x12bac000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bac000*, lpNumberOfBytesRead=0x12a65d1c*=0x138c0, lpOverlapped=0x0) returned 1 [0237.092] GetFileType (hFile=0x42c) returned 0x1 [0237.092] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.093] WriteFile (in: hFile=0x42c, lpBuffer=0x129a0000*, nNumberOfBytesToWrite=0x138c0, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x129a0000*, lpNumberOfBytesWritten=0x12a65d00*=0x138c0, lpOverlapped=0x12a65d0c) returned 1 [0237.093] GetFileType (hFile=0x42c) returned 0x1 [0237.093] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x138c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0237.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0237.094] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0237.094] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810450 | out: pbBuffer=0x12810450) returned 1 [0237.094] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.094] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.094] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.094] CloseHandle (hObject=0x450) returned 1 [0237.094] CloseHandle (hObject=0x42c) returned 1 [0237.094] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810468 | out: pbBuffer=0x12810468) returned 1 [0237.095] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\#_THIS_FILE_IS_ENCRYPTED_[FC62B8FDE5EC4E43]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\#_this_file_is_encrypted_[fc62b8fde5ec4e43]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.124] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0237.133] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0237.326] SetEvent (hEvent=0xfc) returned 1 [0237.339] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0237.562] SetEvent (hEvent=0xfc) returned 1 [0237.562] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0237.568] SetEvent (hEvent=0xfc) returned 1 [0237.568] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0237.578] SetEvent (hEvent=0x19c) returned 1 [0237.580] SetEvent (hEvent=0x3f8) returned 1 [0237.580] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0237.589] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0237.589] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0237.597] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0237.597] SetEvent (hEvent=0x420) returned 1 [0237.597] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0237.629] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0237.629] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0238.421] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0238.790] SetEvent (hEvent=0x420) returned 1 [0238.790] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0238.962] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0238.992] SetEvent (hEvent=0x420) returned 1 [0238.992] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.993] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0238.993] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe22f5ba3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe22f5ba3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe25584f2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0238.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0238.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0238.994] ReadFile (in: hFile=0x3e4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12855d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0239.009] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0239.084] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0239.098] SetEvent (hEvent=0xfc) returned 1 [0239.098] SetEvent (hEvent=0x420) returned 1 [0239.098] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0239.099] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0239.099] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe597b70f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe597b70f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe663028c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0239.099] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0239.100] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0239.100] ReadFile (in: hFile=0x42c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12b05d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0239.137] GetFileType (hFile=0x42c) returned 0x1 [0239.138] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.138] WriteFile (in: hFile=0x42c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12b05d00, lpOverlapped=0x12b05d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12b05d00*=0x160c0, lpOverlapped=0x12b05d0c) returned 1 [0239.138] GetFileType (hFile=0x42c) returned 0x1 [0239.138] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0239.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0239.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0239.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0239.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0239.139] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0239.139] WriteFile (in: hFile=0x3e4, lpBuffer=0x12926000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b05d0c, lpOverlapped=0x0 | out: lpBuffer=0x12926000*, lpNumberOfBytesWritten=0x12b05d0c*=0x276, lpOverlapped=0x0) returned 1 [0239.141] CloseHandle (hObject=0x3e4) returned 1 [0239.141] CloseHandle (hObject=0x42c) returned 1 [0239.141] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0239.141] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\#_THIS_FILE_IS_ENCRYPTED_[DB9E82E5EC25C3FA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\#_this_file_is_encrypted_[db9e82e5ec25c3fa]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0239.205] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0239.579] SetEvent (hEvent=0xfc) returned 1 [0239.579] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0239.863] SetEvent (hEvent=0x19c) returned 1 [0239.863] SetEvent (hEvent=0x1b8) returned 1 [0239.863] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0240.298] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12829d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0240.725] SetEvent (hEvent=0x420) returned 1 [0240.725] GetFileType (hFile=0x44c) returned 0x1 [0240.725] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0240.726] WriteFile (in: hFile=0x44c, lpBuffer=0x12caa000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12caa000*, lpNumberOfBytesWritten=0x12829d00*=0x15cc0, lpOverlapped=0x12829d0c) returned 1 [0240.727] GetFileType (hFile=0x44c) returned 0x1 [0240.727] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0241.037] SetEvent (hEvent=0x420) returned 1 [0241.113] SetEvent (hEvent=0x420) returned 1 [0241.113] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0241.215] SetEvent (hEvent=0x420) returned 1 [0241.216] SetEvent (hEvent=0x1b8) returned 1 [0242.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0242.546] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0242.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0242.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340a0 | out: pbBuffer=0x12c340a0) returned 1 [0242.707] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0242.707] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12993d0c | out: lpMode=0x12993d0c) returned 0 [0242.708] WriteFile (in: hFile=0x45c, lpBuffer=0x12be4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12993d0c, lpOverlapped=0x0 | out: lpBuffer=0x12be4000*, lpNumberOfBytesWritten=0x12993d0c*=0x276, lpOverlapped=0x0) returned 1 [0242.708] CloseHandle (hObject=0x45c) returned 1 [0242.708] CloseHandle (hObject=0x450) returned 1 [0242.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340b8 | out: pbBuffer=0x12c340b8) returned 1 [0242.829] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\#_THIS_FILE_IS_ENCRYPTED_[28A564A0E2FF1960]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\#_this_file_is_encrypted_[28a564a0e2ff1960]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0242.832] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0823ae2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0aabfbc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0aabfbc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0242.832] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0242.832] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0823ae2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0823ae2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0aabfbc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0242.851] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0823ae2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0823ae2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0aabfbc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0242.852] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0aabfbc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0aabfbc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0e3f813, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0242.852] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0242.852] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0242.884] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0242.885] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0242.885] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0242.886] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0242.886] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0242.887] CloseHandle (hObject=0x458) returned 1 [0242.888] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0aabfbc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0aabfbc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0e3f813, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0242.896] SetEvent (hEvent=0xfc) returned 1 [0242.896] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f70aa2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf137687f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf137687f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0242.916] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0242.916] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f70aa2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0f70aa2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf137687f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0242.916] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f70aa2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0f70aa2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf137687f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0242.917] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf137687f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf137687f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf16257fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0242.917] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0242.917] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0242.917] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0242.917] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0242.917] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.005] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.005] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.006] CloseHandle (hObject=0x42c) returned 1 [0243.007] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf137687f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf137687f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf16257fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0243.013] SetEvent (hEvent=0x1b8) returned 1 [0243.013] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17c8cd3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf1b36552, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf1b36552, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.014] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17c8cd3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf17c8cd3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf1b36552, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.014] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17c8cd3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf17c8cd3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf1b36552, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.014] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b36552, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf1b36552, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf34924de, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.014] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.014] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.014] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.015] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.015] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.016] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.017] CloseHandle (hObject=0x42c) returned 1 [0243.018] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b36552, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf1b36552, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf34924de, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0243.018] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf429021d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf56df403, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf56df403, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.018] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.018] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf429021d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf429021d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf56df403, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0243.019] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf429021d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf429021d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf56df403, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.019] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf56df403, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf56df403, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf5b318da, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.019] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.019] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0243.019] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.019] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.019] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.020] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.020] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.022] CloseHandle (hObject=0x42c) returned 1 [0243.022] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf56df403, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf56df403, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf5b318da, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0243.023] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5c88bd2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf646e6b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf646e6b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.023] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.024] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5c88bd2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5c88bd2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf646e6b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0243.024] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5c88bd2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5c88bd2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf646e6b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.024] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf646e6b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf646e6b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf98bc1f8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.024] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.024] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0243.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.024] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.024] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.025] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.025] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.027] CloseHandle (hObject=0x42c) returned 1 [0243.027] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf646e6b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf646e6b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf98bc1f8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0243.027] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa32a6a5, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x103e07d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x103e07d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.027] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.028] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa32a6a5, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfa32a6a5, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x103e07d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0243.028] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa32a6a5, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfa32a6a5, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x103e07d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.028] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103e07d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x103e07d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cda3a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.028] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.028] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0243.028] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.028] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.028] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.029] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.029] WriteFile (in: hFile=0x42c, lpBuffer=0x12c86000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c86000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.031] CloseHandle (hObject=0x42c) returned 1 [0243.031] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103e07d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x103e07d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cda3a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0)) returned 1 [0243.032] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.033] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0243.033] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a97ad0 | out: lpFileInformation=0x12a97ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf646e6b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf646e6b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf98bc1f8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0243.033] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98440 | out: pbBuffer=0x12a98440) returned 1 [0243.033] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ce0 | out: pbBuffer=0x12849ce0) returned 1 [0243.034] ReadFile (in: hFile=0x42c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a97d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12a97d1c*=0x14cc0, lpOverlapped=0x0) returned 1 [0243.048] GetFileType (hFile=0x42c) returned 0x1 [0243.048] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.049] WriteFile (in: hFile=0x42c, lpBuffer=0x12a20000*, nNumberOfBytesToWrite=0x14cc0, lpNumberOfBytesWritten=0x12a97d00, lpOverlapped=0x12a97d0c | out: lpBuffer=0x12a20000*, lpNumberOfBytesWritten=0x12a97d00*=0x14cc0, lpOverlapped=0x12a97d0c) returned 1 [0243.053] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.101] GetFileType (hFile=0x42c) returned 0x1 [0243.101] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x14cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.101] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.126] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.227] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.295] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.335] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.375] SetEvent (hEvent=0x19c) returned 1 [0243.375] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.431] SetEvent (hEvent=0x420) returned 1 [0243.431] SetEvent (hEvent=0xfc) returned 1 [0243.431] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.452] SetEvent (hEvent=0x19c) returned 1 [0243.453] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.455] SetEvent (hEvent=0x19c) returned 1 [0243.456] SetEvent (hEvent=0x1b8) returned 1 [0243.456] WriteFile (in: hFile=0x458, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.457] CloseHandle (hObject=0x458) returned 1 [0243.458] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18e9b2c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x18e9b2c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c03a060, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0243.458] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cc25c4f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1f710191, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1f710191, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.459] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.459] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cc25c4f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1cc25c4f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1f710191, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.459] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cc25c4f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1cc25c4f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1f710191, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.460] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f710191, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1f710191, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1fe3748c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.460] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.460] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.460] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.460] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.460] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.461] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.461] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.462] CloseHandle (hObject=0x458) returned 1 [0243.463] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f710191, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1f710191, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1fe3748c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0243.463] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x215c2871, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x22862cea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x22862cea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.476] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.476] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x215c2871, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x215c2871, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x22862cea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.476] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x215c2871, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x215c2871, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x22862cea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.476] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22862cea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x22862cea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2312d9e6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.476] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.476] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.476] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.477] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.477] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.478] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.478] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.479] CloseHandle (hObject=0x3e4) returned 1 [0243.482] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22862cea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x22862cea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2312d9e6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0243.483] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2390227e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x251fc483, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x251fc483, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.483] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.483] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2390227e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2390227e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x251fc483, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.483] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2390227e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2390227e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x251fc483, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.483] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fc483, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x251fc483, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x259bd4f8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.483] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.483] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.483] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.484] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.484] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.485] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.485] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.486] CloseHandle (hObject=0x3e4) returned 1 [0243.487] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fc483, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x251fc483, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x259bd4f8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0)) returned 1 [0243.507] SetEvent (hEvent=0x1b8) returned 1 [0243.507] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25ad31dc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25f77c72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x25f77c72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.507] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.507] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25ad31dc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25ad31dc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x25f77c72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.507] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25ad31dc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25ad31dc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x25f77c72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.507] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25f77c72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25f77c72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262e4835, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.507] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.508] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.508] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.508] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.508] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.509] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.509] WriteFile (in: hFile=0x44c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.510] CloseHandle (hObject=0x44c) returned 1 [0243.510] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25f77c72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25f77c72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262e4835, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0243.526] SetEvent (hEvent=0x1b8) returned 1 [0243.526] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2637d1c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.526] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2637d1c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2637d1c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2637d1c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2637d1c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f2857f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.527] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.527] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.528] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.528] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.529] CloseHandle (hObject=0x3e4) returned 1 [0243.530] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f2857f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0243.542] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x275b3298, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x275b3298, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.577] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.577] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x275b3298, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.577] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x275b3298, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.577] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x275b3298, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x275b3298, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27d029e2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.577] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.577] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.577] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.578] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.578] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.655] SetEvent (hEvent=0x110) returned 1 [0243.655] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.655] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b14000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12b14000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.669] CloseHandle (hObject=0x3e4) returned 1 [0243.669] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x275b3298, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x275b3298, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27d029e2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0243.677] SetEvent (hEvent=0xfc) returned 1 [0243.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x281e3bed, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x281e3bed, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.677] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.677] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x281e3bed, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0243.678] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x281e3bed, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.678] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x281e3bed, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x281e3bed, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28445fae, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.678] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.678] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0243.678] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.678] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.678] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.680] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.680] WriteFile (in: hFile=0x44c, lpBuffer=0x12b15300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12b15300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.681] CloseHandle (hObject=0x44c) returned 1 [0243.682] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x281e3bed, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x281e3bed, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28445fae, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0243.806] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x287b3807, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28cc4a7f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28cc4a7f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.814] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.850] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0243.853] SetEvent (hEvent=0x1b8) returned 1 [0243.853] SetEvent (hEvent=0x19c) returned 1 [0243.853] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x287b3807, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x287b3807, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28cc4a7f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0243.853] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x287b3807, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x287b3807, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28cc4a7f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.854] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28cc4a7f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28cc4a7f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x293271fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.854] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.854] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0243.854] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.854] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.854] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.856] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.856] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.858] CloseHandle (hObject=0x44c) returned 1 [0243.858] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28cc4a7f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28cc4a7f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x293271fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0243.859] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2953d378, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x297795d1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x297795d1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.876] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2953d378, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2953d378, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x297795d1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0243.877] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2953d378, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2953d378, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x297795d1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.877] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x297795d1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x297795d1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29ac0a15, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.877] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.877] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0243.877] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.877] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.878] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.879] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.879] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.883] CloseHandle (hObject=0x3e4) returned 1 [0243.883] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x297795d1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x297795d1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29ac0a15, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0243.903] SetEvent (hEvent=0x1b8) returned 1 [0243.904] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29b59691, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.916] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.917] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29b59691, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29b59691, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0243.918] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29b59691, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29b59691, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.918] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a6602d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.918] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.918] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0243.918] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.918] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.918] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.919] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.919] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.921] CloseHandle (hObject=0x3e4) returned 1 [0243.922] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a6602d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0243.933] SetEvent (hEvent=0x19c) returned 1 [0243.933] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6f8a85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a9cd754, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a9cd754, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0243.940] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0243.940] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6f8a85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a6f8a85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a9cd754, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0243.941] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6f8a85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a6f8a85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a9cd754, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0243.941] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9cd754, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a9cd754, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2adf0c02, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0243.941] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0243.941] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0243.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0243.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0243.942] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.948] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0243.949] WriteFile (in: hFile=0x458, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0243.950] CloseHandle (hObject=0x458) returned 1 [0243.951] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9cd754, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a9cd754, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2adf0c02, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0243.951] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2af21d74, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b458fec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b458fec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.003] SetEvent (hEvent=0x110) returned 1 [0244.003] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.003] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2af21d74, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2af21d74, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b458fec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0244.003] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2af21d74, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2af21d74, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b458fec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.004] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b458fec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b458fec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b8d1654, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.004] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.004] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0244.004] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.004] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.004] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.059] SetEvent (hEvent=0x110) returned 1 [0244.059] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.059] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.061] CloseHandle (hObject=0x3e4) returned 1 [0244.061] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b458fec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b458fec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b8d1654, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0244.072] SetEvent (hEvent=0xfc) returned 1 [0244.072] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b969f9e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2bc64f47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.073] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.073] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b969f9e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b969f9e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2bc64f47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0244.074] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b969f9e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b969f9e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2bc64f47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.074] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bc64f47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c043349, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.074] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.074] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0244.074] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.074] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.074] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.075] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.075] WriteFile (in: hFile=0x458, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.078] CloseHandle (hObject=0x458) returned 1 [0244.078] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bc64f47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c043349, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0244.080] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x214b780e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x214b780e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x22a78c0e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40)) returned 1 [0244.081] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c0c3433, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c561bfa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c561bfa, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.081] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.081] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c0c3433, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c0c3433, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c561bfa, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0244.082] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c0c3433, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c0c3433, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c561bfa, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.082] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c561bfa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c561bfa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cbca209, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.082] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.082] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0244.082] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.082] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.083] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.083] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.083] WriteFile (in: hFile=0x458, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.087] CloseHandle (hObject=0x458) returned 1 [0244.088] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c561bfa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c561bfa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cbca209, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0244.097] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cd6da83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e00e27b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e00e27b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0244.100] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0244.100] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cd6da83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2cd6da83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e00e27b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0244.100] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cd6da83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2cd6da83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e00e27b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0244.100] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e00e27b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e00e27b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ed5138d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0244.100] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0244.100] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0244.101] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0244.101] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0244.101] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.103] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0244.103] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0244.106] CloseHandle (hObject=0x3e4) returned 1 [0244.106] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e00e27b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e00e27b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ed5138d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0244.106] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0244.107] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1285bd0c | out: lpMode=0x1285bd0c) returned 0 [0244.107] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1285bad0 | out: lpFileInformation=0x1285bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c561bfa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c561bfa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cbca209, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0244.107] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e560 | out: pbBuffer=0x1280e560) returned 1 [0244.107] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811320 | out: pbBuffer=0x12811320) returned 1 [0244.107] ReadFile (in: hFile=0x3e4, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1285bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x1285bd1c*=0x164c0, lpOverlapped=0x0) returned 1 [0244.120] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0244.159] SetEvent (hEvent=0x19c) returned 1 [0244.159] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0245.808] SetEvent (hEvent=0xfc) returned 1 [0245.808] SetEvent (hEvent=0x40c) returned 1 [0245.808] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0245.830] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0246.103] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0246.197] SetEvent (hEvent=0x3f8) returned 1 [0246.197] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_131858_ed0-ed4.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0246.198] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12db5d0c | out: lpMode=0x12db5d0c) returned 0 [0246.198] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_131858_ed0-ed4.log"), fInfoLevelId=0x0, lpFileInformation=0x12db5ad0 | out: lpFileInformation=0x12db5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13219ec0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13219ec0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ae607dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0246.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0246.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848900 | out: pbBuffer=0x12848900) returned 1 [0246.198] ReadFile (in: hFile=0x3e4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12db5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12db5d1c*=0xf5f6, lpOverlapped=0x0) returned 1 [0246.271] GetFileType (hFile=0x3e4) returned 0x1 [0246.271] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0246.272] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0xf5f6, lpNumberOfBytesWritten=0x12db5d00, lpOverlapped=0x12db5d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12db5d00*=0xf5f6, lpOverlapped=0x12db5d0c) returned 1 [0246.272] GetFileType (hFile=0x3e4) returned 0x1 [0246.272] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0xf5f6, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0246.273] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0246.273] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0246.273] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0246.273] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848a18 | out: pbBuffer=0x12848a18) returned 1 [0246.273] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_131858_ed0-ed4.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0246.274] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12db5d0c | out: lpMode=0x12db5d0c) returned 0 [0246.274] WriteFile (in: hFile=0x458, lpBuffer=0x12a48500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12db5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a48500*, lpNumberOfBytesWritten=0x12db5d0c*=0x276, lpOverlapped=0x0) returned 1 [0246.274] CloseHandle (hObject=0x458) returned 1 [0246.357] CloseHandle (hObject=0x3e4) returned 1 [0246.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a30 | out: pbBuffer=0x12848a30) returned 1 [0246.445] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_131858_ed0-ed4.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[27ED40D629E850D7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[27ed40d629e850d7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0249.034] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0249.661] SetEvent (hEvent=0x3f4) returned 1 [0251.500] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a101 | out: pbBuffer=0x1286a101) returned 1 [0251.500] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a281 | out: pbBuffer=0x1286a281) returned 1 [0251.613] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0251.667] SetEvent (hEvent=0x3f8) returned 1 [0251.669] SwitchToThread () returned 1 [0251.769] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0251.935] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0251.935] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0252.027] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0252.027] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0252.032] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0252.032] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0252.032] SetEvent (hEvent=0x110) returned 1 [0252.044] SetEvent (hEvent=0x19c) returned 1 [0252.045] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0252.052] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0252.067] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x435d739, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.068] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.068] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x435d739, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0252.068] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x435d739, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.069] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43f61d3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0252.069] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.069] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0252.069] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.070] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.070] WriteFile (in: hFile=0x42c, lpBuffer=0x1295f300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1295f300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.091] CloseHandle (hObject=0x42c) returned 1 [0252.091] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43f61d3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.092] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0252.092] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.092] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0252.093] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.3DBuilder_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.3DB")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", cAlternateFileName="MICROS~1.BRO")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AccountsControl_cw5n1h2txyewy", cAlternateFileName="MICROS~1.ACC")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Appconnector_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.APP")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BingFinance_8wekyb3d8bbwe", cAlternateFileName="MICROS~4.BIN")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BingNews_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.BIN")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BingSports_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.BIN")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BingWeather_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.BIN")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BioEnrollment_cw5n1h2txyewy", cAlternateFileName="MICROS~1.BIO")) returned 1 [0252.094] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1355923f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.CommsPhone_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.COM")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.ConnectivityStore_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.CON")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Getstarted_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.GET")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.LockApp_cw5n1h2txyewy", cAlternateFileName="MICROS~1.LOC")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41ae4c9, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4ed334a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Messaging_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.MES")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.MIC")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.MIC")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.0_8")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.1_8")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_8")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.1_8")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.OneNote_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.ONE")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Sway_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.SWA")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dcf9475, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.People_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.PEO")) returned 1 [0252.095] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8793e8f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.SkypeApp_kzf8qxf38zg5c", cAlternateFileName="MICROS~1.SKY")) returned 1 [0252.096] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.00_")) returned 1 [0252.096] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", cAlternateFileName="MICROS~1.ASS")) returned 1 [0252.096] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", cAlternateFileName="MICROS~1.CLO")) returned 1 [0252.096] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7f62ab, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", cAlternateFileName="MICROS~1.CON")) returned 1 [0252.096] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x60629330, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x60629330, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.Cortana_cw5n1h2txyewy", cAlternateFileName="MICROS~1.COR")) returned 1 [0252.096] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", cAlternateFileName="MICROS~1.PAR")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.Photos_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.PHO")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97d7ec6c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", cAlternateFileName="MICROS~1.SEC")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", cAlternateFileName="MICROS~1.SHE")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsAlarms_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.WIN")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563adc86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsCalculator_8wekyb3d8bbwe", cAlternateFileName="MIB609~1.WIN")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsCamera_8wekyb3d8bbwe", cAlternateFileName="MI97A6~1.WIN")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.WIN")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9993618c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsFeedback_cw5n1h2txyewy", cAlternateFileName="MICROS~1.WIN")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsMaps_8wekyb3d8bbwe", cAlternateFileName="MID92F~1.WIN")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsPhone_8wekyb3d8bbwe", cAlternateFileName="MI7D5A~1.WIN")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", cAlternateFileName="MIA6CE~1.WIN")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsStore_8wekyb3d8bbwe", cAlternateFileName="MICROS~4.WIN")) returned 1 [0252.097] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.XboxApp_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.XBO")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", cAlternateFileName="MICROS~1.XBO")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.XboxIdentityProvider_cw5n1h2txyewy", cAlternateFileName="MICROS~2.XBO")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.ZuneMusic_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.ZUN")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.ZuneVideo_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.ZUN")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.ContactSupport_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.CON")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="windows.devicesflow_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.DEV")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="windows.immersivecontrolpanel_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.IMM")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.MiracastView_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.MIR")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.PrintDialog_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.PRI")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab58681a, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.PurchaseDialog_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.PUR")) returned 1 [0252.098] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="windows_ie_ac_001", cAlternateFileName="WINDOW~1")) returned 1 [0252.099] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.099] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0252.099] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.100] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.100] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.102] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0252.102] WriteFile (in: hFile=0x42c, lpBuffer=0x12960600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12960600*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0252.105] CloseHandle (hObject=0x42c) returned 1 [0252.105] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.106] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.106] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0252.126] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x40803b20, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40a8c136, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40a8c136, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40791465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40791465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40791465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0252.127] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.127] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0252.129] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.130] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.130] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.132] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0252.132] WriteFile (in: hFile=0x42c, lpBuffer=0x12961900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12961900*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0252.133] CloseHandle (hObject=0x42c) returned 1 [0252.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x40803b20, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40a8c136, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40a8c136, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.144] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.144] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x40803b20, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40a8c136, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40a8c136, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0252.147] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x40803b20, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40a8c136, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40a8c136, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.148] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0252.148] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0252.148] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0252.148] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0252.148] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.148] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0252.149] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.150] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.150] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.152] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.152] WriteFile (in: hFile=0x42c, lpBuffer=0x12962c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12962c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.153] CloseHandle (hObject=0x42c) returned 1 [0252.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.160] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.160] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0252.160] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.160] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.160] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0252.161] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.161] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.161] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.245] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.245] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.250] CloseHandle (hObject=0x42c) returned 1 [0252.251] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.256] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.257] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.257] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.257] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.257] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.257] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.258] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.260] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.260] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.262] CloseHandle (hObject=0x42c) returned 1 [0252.262] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.263] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0252.263] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.263] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.263] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0252.264] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.264] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.264] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.265] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.265] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.266] CloseHandle (hObject=0x42c) returned 1 [0252.267] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.285] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.285] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.285] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.285] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.285] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.286] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.286] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.289] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.289] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.291] CloseHandle (hObject=0x42c) returned 1 [0252.291] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40791465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40791465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40791465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.292] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40791465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40791465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40791465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.292] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40791465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40791465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40791465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.292] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.292] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.292] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.293] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.293] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.294] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.294] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.295] CloseHandle (hObject=0x42c) returned 1 [0252.295] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.305] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.305] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0252.305] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.305] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.305] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0252.305] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.306] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.306] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.307] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.307] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.308] CloseHandle (hObject=0x42c) returned 1 [0252.309] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.309] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.309] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.309] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.309] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.310] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.310] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.310] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.310] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.311] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.311] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.313] CloseHandle (hObject=0x42c) returned 1 [0252.313] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.382] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.383] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.383] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.383] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x457bc474, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x457bc474, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0252.383] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.383] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.383] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.384] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.384] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.385] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.385] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.386] CloseHandle (hObject=0x42c) returned 1 [0252.386] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x457bc474, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x457bc474, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.387] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.387] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x457bc474, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x457bc474, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0252.392] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x457bc474, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x457bc474, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.392] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45e24a35, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45e24a35, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0252.392] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x45238f5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45238f5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45238f5f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0252.392] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x45238f5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45238f5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45238f5f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0252.392] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.393] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0252.394] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.395] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.395] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.396] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.396] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2d300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c2d300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.397] CloseHandle (hObject=0x42c) returned 1 [0252.398] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45e24a35, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45e24a35, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0252.398] SetEvent (hEvent=0x19c) returned 1 [0252.398] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x45238f5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45238f5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45238f5f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0252.422] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x45238f5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45238f5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45238f5f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.423] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.423] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.423] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0252.423] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.423] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.423] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0252.424] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.424] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.424] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.429] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.429] WriteFile (in: hFile=0x458, lpBuffer=0x12c2e600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c2e600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.430] CloseHandle (hObject=0x458) returned 1 [0252.430] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x407b74db, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.430] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.431] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.431] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.431] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x407b74db, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x407b74db, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0252.431] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0252.431] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.431] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.431] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.431] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.431] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.433] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.433] WriteFile (in: hFile=0x458, lpBuffer=0x12c2f900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c2f900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.434] CloseHandle (hObject=0x458) returned 1 [0252.434] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x407b74db, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x407b74db, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.434] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0252.434] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.435] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0252.435] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x407b74db, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x407b74db, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.435] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f5c0 | out: pbBuffer=0x1280f5c0) returned 1 [0252.435] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ec0 | out: pbBuffer=0x12849ec0) returned 1 [0252.454] ReadFile (in: hFile=0x458, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0252.454] CloseHandle (hObject=0x458) returned 1 [0252.454] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.454] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0252.454] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x45238f5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45238f5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45238f5f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f5e0 | out: pbBuffer=0x1280f5e0) returned 1 [0252.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ed0 | out: pbBuffer=0x12849ed0) returned 1 [0252.456] ReadFile (in: hFile=0x458, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0252.456] CloseHandle (hObject=0x458) returned 1 [0252.456] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.456] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.457] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0252.457] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.457] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.457] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0252.457] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.457] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.457] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.458] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.458] WriteFile (in: hFile=0x458, lpBuffer=0x12c30c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c30c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.462] CloseHandle (hObject=0x458) returned 1 [0252.462] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.462] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.462] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0252.462] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.462] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.463] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0252.463] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.463] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.463] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.464] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.464] WriteFile (in: hFile=0x458, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.465] CloseHandle (hObject=0x458) returned 1 [0252.465] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0252.465] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.465] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0252.466] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.466] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0252.466] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.467] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0252.467] WriteFile (in: hFile=0x458, lpBuffer=0x12b13300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12b13300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0252.469] CloseHandle (hObject=0x458) returned 1 [0252.469] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0252.469] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.469] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0252.470] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.470] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0252.470] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0252.470] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0252.470] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0252.470] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.471] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0252.472] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.473] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.473] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.476] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.476] WriteFile (in: hFile=0x458, lpBuffer=0x12b14600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b14600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.477] CloseHandle (hObject=0x458) returned 1 [0252.477] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.489] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.489] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0252.490] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.490] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.490] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0252.490] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.490] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.490] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.491] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.491] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b15900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12b15900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.492] CloseHandle (hObject=0x3e4) returned 1 [0252.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.496] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.496] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.496] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.496] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.496] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.496] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.496] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.496] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.497] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.497] WriteFile (in: hFile=0x42c, lpBuffer=0x12b16c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12b16c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.499] CloseHandle (hObject=0x42c) returned 1 [0252.500] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.500] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.500] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.500] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.500] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.500] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.500] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.501] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.501] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.502] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.502] WriteFile (in: hFile=0x42c, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.503] CloseHandle (hObject=0x42c) returned 1 [0252.503] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.504] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.504] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.504] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.504] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.504] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.505] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.505] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.505] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.506] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.506] WriteFile (in: hFile=0x42c, lpBuffer=0x12a91300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a91300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.508] CloseHandle (hObject=0x42c) returned 1 [0252.508] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.508] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.509] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0252.509] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.509] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.509] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0252.509] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.509] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.509] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.510] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.510] WriteFile (in: hFile=0x42c, lpBuffer=0x12a92600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a92600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.511] CloseHandle (hObject=0x42c) returned 1 [0252.511] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.513] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.513] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.514] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.514] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.514] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.514] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.514] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.514] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.515] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.515] WriteFile (in: hFile=0x42c, lpBuffer=0x12a93900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a93900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.516] CloseHandle (hObject=0x42c) returned 1 [0252.516] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.516] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.516] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0252.516] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.517] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.517] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0252.517] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.517] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.517] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.517] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.517] WriteFile (in: hFile=0x42c, lpBuffer=0x12a94c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a94c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.519] CloseHandle (hObject=0x42c) returned 1 [0252.519] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.519] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.519] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0252.519] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.519] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0252.520] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.520] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0252.520] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.525] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.525] WriteFile (in: hFile=0x42c, lpBuffer=0x12a5e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a5e000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.526] CloseHandle (hObject=0x42c) returned 1 [0252.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.527] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.534] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.534] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54936dab, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54936dab, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0252.534] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0252.534] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0252.534] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.534] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.535] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.536] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.537] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.538] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.538] WriteFile (in: hFile=0x42c, lpBuffer=0x12a5f300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a5f300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.539] CloseHandle (hObject=0x42c) returned 1 [0252.539] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54936dab, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54936dab, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0252.539] SetEvent (hEvent=0x19c) returned 1 [0252.539] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0252.545] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.545] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.545] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.545] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.546] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.546] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.546] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.546] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.546] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.546] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.547] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.547] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a60600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a60600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.548] CloseHandle (hObject=0x3e4) returned 1 [0252.548] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x903edf7e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x903edf7e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.548] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.549] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x903edf7e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0252.553] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0252.578] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0252.610] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0252.671] SetEvent (hEvent=0x19c) returned 1 [0252.671] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.672] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0252.672] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9035563d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9035563d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9035563d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0252.672] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0252.672] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a028 | out: pbBuffer=0x12a9a028) returned 1 [0252.673] ReadFile (in: hFile=0x3e4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0252.681] GetFileType (hFile=0x3e4) returned 0x1 [0252.681] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.681] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b0a000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b0a000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0252.681] GetFileType (hFile=0x3e4) returned 0x1 [0252.681] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0252.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0252.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0252.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a110 | out: pbBuffer=0x12a9a110) returned 1 [0252.682] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.682] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0252.682] WriteFile (in: hFile=0x42c, lpBuffer=0x12d8e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d8e500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0252.683] CloseHandle (hObject=0x42c) returned 1 [0252.683] CloseHandle (hObject=0x3e4) returned 1 [0252.683] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a128 | out: pbBuffer=0x12a9a128) returned 1 [0252.691] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[A1424A5592C507D9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[a1424a5592c507d9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.754] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0252.888] SetEvent (hEvent=0x420) returned 1 [0252.888] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.894] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0252.894] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd000)) returned 1 [0252.895] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88e00 | out: pbBuffer=0x12b88e00) returned 1 [0252.895] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ce8 | out: pbBuffer=0x12c34ce8) returned 1 [0252.895] ReadFile (in: hFile=0x42c, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12851d1c*=0xd000, lpOverlapped=0x0) returned 1 [0252.911] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0252.992] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.045] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.163] SetEvent (hEvent=0x3f4) returned 1 [0253.164] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.165] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0253.165] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.165] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844c60 | out: pbBuffer=0x12844c60) returned 1 [0253.165] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0253.165] ReadFile (in: hFile=0x3e4, lpBuffer=0x12958000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12958000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0253.165] CloseHandle (hObject=0x3e4) returned 1 [0253.165] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.166] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0253.166] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37a393d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x37a393d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0253.166] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844c80 | out: pbBuffer=0x12844c80) returned 1 [0253.166] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8018 | out: pbBuffer=0x128e8018) returned 1 [0253.167] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12853d1c*=0x4000, lpOverlapped=0x0) returned 1 [0253.189] GetFileType (hFile=0x3e4) returned 0x1 [0253.189] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.189] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12853d00*=0x4000, lpOverlapped=0x12853d0c) returned 1 [0253.190] GetFileType (hFile=0x3e4) returned 0x1 [0253.190] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0253.191] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0253.191] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0253.191] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8750 | out: pbBuffer=0x128e8750) returned 1 [0253.191] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.191] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0253.192] WriteFile (in: hFile=0x458, lpBuffer=0x12ad8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ad8000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.192] CloseHandle (hObject=0x458) returned 1 [0253.192] CloseHandle (hObject=0x3e4) returned 1 [0253.192] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8768 | out: pbBuffer=0x128e8768) returned 1 [0253.193] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[1B8D467EBE2140E8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[1b8d467ebe2140e8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.228] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.307] SetEvent (hEvent=0x420) returned 1 [0253.307] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.312] SetEvent (hEvent=0x3f4) returned 1 [0253.312] SetEvent (hEvent=0xf4) returned 1 [0253.312] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.363] SetEvent (hEvent=0x420) returned 1 [0253.363] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.368] SetEvent (hEvent=0x420) returned 1 [0253.368] SetEvent (hEvent=0x3f8) returned 1 [0253.368] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.370] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0253.370] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x30e65d2d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.370] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0253.370] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0253.371] ReadFile (in: hFile=0x458, lpBuffer=0x12aa6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa6000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0253.371] CloseHandle (hObject=0x458) returned 1 [0253.371] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.372] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0253.372] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x30e65d2d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0253.372] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88020 | out: pbBuffer=0x12b88020) returned 1 [0253.372] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0253.372] ReadFile (in: hFile=0x458, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12829d1c*=0x6000, lpOverlapped=0x0) returned 1 [0253.379] GetFileType (hFile=0x458) returned 0x1 [0253.379] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.379] WriteFile (in: hFile=0x458, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x12829d00*=0x6000, lpOverlapped=0x12829d0c) returned 1 [0253.380] GetFileType (hFile=0x458) returned 0x1 [0253.380] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x6000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.380] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0253.380] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0253.381] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0253.381] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340d0 | out: pbBuffer=0x12c340d0) returned 1 [0253.381] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.381] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0253.381] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.381] CloseHandle (hObject=0x3e4) returned 1 [0253.382] CloseHandle (hObject=0x458) returned 1 [0253.382] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340e8 | out: pbBuffer=0x12c340e8) returned 1 [0253.382] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[BC45CDEA57388846]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[bc45cdea57388846]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.407] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.578] SetEvent (hEvent=0x3f4) returned 1 [0253.578] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.579] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0253.580] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2eef4cf1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2eef4cf1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0253.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0253.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34130 | out: pbBuffer=0x12c34130) returned 1 [0253.580] ReadFile (in: hFile=0x458, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x8000, lpOverlapped=0x0) returned 1 [0253.598] GetFileType (hFile=0x458) returned 0x1 [0253.598] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0253.598] WriteFile (in: hFile=0x458, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x1282fd00*=0x8000, lpOverlapped=0x1282fd0c) returned 1 [0253.599] GetFileType (hFile=0x458) returned 0x1 [0253.599] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x8000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0253.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0253.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0253.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0253.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341e8 | out: pbBuffer=0x12c341e8) returned 1 [0253.600] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.601] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0253.601] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0253.601] CloseHandle (hObject=0x42c) returned 1 [0253.601] CloseHandle (hObject=0x458) returned 1 [0253.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34200 | out: pbBuffer=0x12c34200) returned 1 [0253.602] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[3035302BE1BC1833]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[3035302be1bc1833]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.604] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12d63d0c | out: lpMode=0x12d63d0c) returned 0 [0253.604] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12d63ad0 | out: lpFileInformation=0x12d63ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2ecb8a69, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88420 | out: pbBuffer=0x12b88420) returned 1 [0253.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34248 | out: pbBuffer=0x12c34248) returned 1 [0253.605] ReadFile (in: hFile=0x458, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12d63d1c*=0x0, lpOverlapped=0x0) returned 1 [0253.605] CloseHandle (hObject=0x458) returned 1 [0253.605] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.654] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.802] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.815] SetEvent (hEvent=0x3f8) returned 1 [0253.815] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0253.843] SetEvent (hEvent=0x3f8) returned 1 [0253.843] SetEvent (hEvent=0x3f4) returned 1 [0253.843] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.844] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0253.844] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2a1752a1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a1752a1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a1752a1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0253.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0253.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0253.844] ReadFile (in: hFile=0x42c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12851d1c*=0x6000, lpOverlapped=0x0) returned 1 [0253.869] GetFileType (hFile=0x42c) returned 0x1 [0253.869] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.869] WriteFile (in: hFile=0x42c, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x12851d00*=0x6000, lpOverlapped=0x12851d0c) returned 1 [0253.869] GetFileType (hFile=0x42c) returned 0x1 [0253.869] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x6000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0253.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0253.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0253.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0253.870] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.870] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0253.870] WriteFile (in: hFile=0x44c, lpBuffer=0x12af2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af2000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.871] CloseHandle (hObject=0x44c) returned 1 [0253.871] CloseHandle (hObject=0x42c) returned 1 [0253.871] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0253.872] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[57CDE01CEC66182D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[57cde01cec66182d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.083] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.084] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0254.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1ec55a68, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929440 | out: pbBuffer=0x12929440) returned 1 [0254.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ad68 | out: pbBuffer=0x12a9ad68) returned 1 [0254.085] ReadFile (in: hFile=0x3e4, lpBuffer=0x12998000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12998000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0254.085] CloseHandle (hObject=0x3e4) returned 1 [0254.085] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.085] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128b1d0c | out: lpMode=0x128b1d0c) returned 0 [0254.086] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x128b1ad0 | out: lpFileInformation=0x128b1ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1edad144, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1edad144, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0254.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929460 | out: pbBuffer=0x12929460) returned 1 [0254.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ad78 | out: pbBuffer=0x12a9ad78) returned 1 [0254.113] ReadFile (in: hFile=0x3e4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128b1d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x128b1d1c*=0x8000, lpOverlapped=0x0) returned 1 [0254.150] GetFileType (hFile=0x3e4) returned 0x1 [0254.150] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x128b1ce4 | out: lpNewFilePointer=0x0) returned 1 [0254.150] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c1a000*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x128b1d00, lpOverlapped=0x128b1d0c | out: lpBuffer=0x12c1a000*, lpNumberOfBytesWritten=0x128b1d00*=0x8000, lpOverlapped=0x128b1d0c) returned 1 [0254.151] GetFileType (hFile=0x3e4) returned 0x1 [0254.151] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x8000, lpNewFilePointer=0x0, dwMoveMethod=0x128b1ce4 | out: lpNewFilePointer=0x0) returned 1 [0254.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b081 | out: pbBuffer=0x1286b081) returned 1 [0254.157] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0254.255] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0254.275] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0254.493] SetEvent (hEvent=0x3f4) returned 1 [0254.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.495] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0254.495] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4f0ffcee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.495] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0254.495] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0254.495] ReadFile (in: hFile=0x44c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x1282fd1c*=0x2000, lpOverlapped=0x0) returned 1 [0254.542] GetFileType (hFile=0x44c) returned 0x1 [0254.542] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0254.542] WriteFile (in: hFile=0x44c, lpBuffer=0x12a72000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12a72000*, lpNumberOfBytesWritten=0x1282fd00*=0x2000, lpOverlapped=0x1282fd0c) returned 1 [0254.543] GetFileType (hFile=0x44c) returned 0x1 [0254.543] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0254.543] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0254.543] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0254.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0254.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0254.544] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.544] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0254.544] WriteFile (in: hFile=0x458, lpBuffer=0x12b18500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b18500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0254.546] CloseHandle (hObject=0x458) returned 1 [0254.548] CloseHandle (hObject=0x44c) returned 1 [0254.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0254.548] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[F014E26B2D644243]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[f014e26b2d644243]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.550] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.550] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0254.550] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x916b486a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x916b486a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0254.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0254.551] ReadFile (in: hFile=0x44c, lpBuffer=0x12c9a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c9a000*, lpNumberOfBytesRead=0x1282bd1c*=0x2000, lpOverlapped=0x0) returned 1 [0254.570] GetFileType (hFile=0x44c) returned 0x1 [0254.570] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0254.570] WriteFile (in: hFile=0x44c, lpBuffer=0x12c70000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12c70000*, lpNumberOfBytesWritten=0x1282bd00*=0x2000, lpOverlapped=0x1282bd0c) returned 1 [0254.570] GetFileType (hFile=0x44c) returned 0x1 [0254.570] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0254.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0254.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0254.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0254.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8428 | out: pbBuffer=0x128e8428) returned 1 [0254.571] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.571] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0254.571] WriteFile (in: hFile=0x42c, lpBuffer=0x12b18a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b18a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0254.572] CloseHandle (hObject=0x42c) returned 1 [0254.572] CloseHandle (hObject=0x44c) returned 1 [0254.572] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8440 | out: pbBuffer=0x128e8440) returned 1 [0254.572] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[65E85E221E3E780C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[65e85e221e3e780c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.578] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0254.639] SetEvent (hEvent=0x19c) returned 1 [0254.639] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.last.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\callsbackgroundtasklog.last.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.640] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0254.641] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.last.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\callsbackgroundtasklog.last.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b3c066a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xa3a667a9, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0254.641] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844900 | out: pbBuffer=0x12844900) returned 1 [0254.641] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8488 | out: pbBuffer=0x128e8488) returned 1 [0254.641] ReadFile (in: hFile=0x42c, lpBuffer=0x12d14000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d14000*, lpNumberOfBytesRead=0x1282fd1c*=0x1000, lpOverlapped=0x0) returned 1 [0254.643] GetFileType (hFile=0x42c) returned 0x1 [0254.643] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0254.643] WriteFile (in: hFile=0x42c, lpBuffer=0x12dba000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12dba000*, lpNumberOfBytesWritten=0x1282fd00*=0x1000, lpOverlapped=0x1282fd0c) returned 1 [0254.643] GetFileType (hFile=0x42c) returned 0x1 [0254.643] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0254.643] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0254.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0254.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0254.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8540 | out: pbBuffer=0x128e8540) returned 1 [0254.644] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.last.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\callsbackgroundtasklog.last.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.645] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0254.645] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b18f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b18f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0254.645] CloseHandle (hObject=0x3e4) returned 1 [0254.647] CloseHandle (hObject=0x42c) returned 1 [0254.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8558 | out: pbBuffer=0x128e8558) returned 1 [0254.647] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.last.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\callsbackgroundtasklog.last.etl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\#_THIS_FILE_IS_ENCRYPTED_[3005E8B2F13A0ADF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\#_this_file_is_encrypted_[3005e8b2f13a0adf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.649] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.650] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0254.650] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.650] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844d60 | out: pbBuffer=0x12844d60) returned 1 [0254.650] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e85a0 | out: pbBuffer=0x128e85a0) returned 1 [0254.650] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0254.658] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0254.659] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0254.659] SetEvent (hEvent=0x110) returned 1 [0254.659] SetEvent (hEvent=0x19c) returned 1 [0254.659] SetEvent (hEvent=0xf4) returned 1 [0254.659] ReadFile (in: hFile=0x42c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0254.659] CloseHandle (hObject=0x42c) returned 1 [0254.660] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0254.670] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0254.670] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0254.723] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0254.728] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0254.728] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0254.728] SetEvent (hEvent=0xf4) returned 1 [0254.728] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0254.736] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0254.737] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.737] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.737] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0254.738] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.738] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.738] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0254.738] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.738] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.739] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.740] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.740] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.742] CloseHandle (hObject=0x42c) returned 1 [0254.742] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0254.742] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.742] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1331ced9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0254.743] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1331ced9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.743] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0254.743] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1331ced9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa3bc7451, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xa3bc7451, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0254.743] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1d30080b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0254.743] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1d30080b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0254.743] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.743] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0254.743] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.744] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.744] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.745] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.745] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.748] CloseHandle (hObject=0x42c) returned 1 [0254.748] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.749] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1331ced9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa3bc7451, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xa3bc7451, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.749] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1d30080b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0254.749] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1d30080b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.749] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.750] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0254.750] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128afad0 | out: lpFileInformation=0x128afad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1d30080b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0254.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ef60 | out: pbBuffer=0x1280ef60) returned 1 [0254.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849220 | out: pbBuffer=0x12849220) returned 1 [0254.751] ReadFile (in: hFile=0x42c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128afd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x128afd1c*=0x8000, lpOverlapped=0x0) returned 1 [0254.779] GetFileType (hFile=0x42c) returned 0x1 [0254.779] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x128afce4 | out: lpNewFilePointer=0x0) returned 1 [0254.780] WriteFile (in: hFile=0x42c, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x128afd00, lpOverlapped=0x128afd0c | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x128afd00*=0x8000, lpOverlapped=0x128afd0c) returned 1 [0254.780] GetFileType (hFile=0x42c) returned 0x1 [0254.780] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x8000, lpNewFilePointer=0x0, dwMoveMethod=0x128afce4 | out: lpNewFilePointer=0x0) returned 1 [0254.780] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0254.780] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0254.780] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0254.780] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849318 | out: pbBuffer=0x12849318) returned 1 [0254.781] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.781] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0254.781] WriteFile (in: hFile=0x44c, lpBuffer=0x12b00000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x128afd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b00000*, lpNumberOfBytesWritten=0x128afd0c*=0x276, lpOverlapped=0x0) returned 1 [0254.781] CloseHandle (hObject=0x44c) returned 1 [0254.781] CloseHandle (hObject=0x42c) returned 1 [0254.781] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849340 | out: pbBuffer=0x12849340) returned 1 [0254.781] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[A1E771A4C0526BDC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[a1e771a4c0526bdc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.782] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0255.009] SetEvent (hEvent=0xf4) returned 1 [0255.009] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0255.010] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0255.011] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d0eebc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0255.011] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f160 | out: pbBuffer=0x1280f160) returned 1 [0255.011] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849398 | out: pbBuffer=0x12849398) returned 1 [0255.011] ReadFile (in: hFile=0x458, lpBuffer=0x129f6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x129f6000*, lpNumberOfBytesRead=0x1282bd1c*=0x3000, lpOverlapped=0x0) returned 1 [0255.059] GetFileType (hFile=0x458) returned 0x1 [0255.059] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0255.059] WriteFile (in: hFile=0x458, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x1282bd00*=0x3000, lpOverlapped=0x1282bd0c) returned 1 [0255.060] GetFileType (hFile=0x458) returned 0x1 [0255.060] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0255.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0255.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0255.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0255.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0255.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0255.061] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0255.061] WriteFile (in: hFile=0x44c, lpBuffer=0x12cf2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12cf2000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0255.061] CloseHandle (hObject=0x44c) returned 1 [0255.061] CloseHandle (hObject=0x458) returned 1 [0255.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0255.061] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[B4B6736152D155F6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[b4b6736152d155f6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0255.617] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0256.518] SetEvent (hEvent=0xf4) returned 1 [0256.518] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0259.411] SetEvent (hEvent=0x19c) returned 1 [0259.411] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0259.565] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0259.669] SetEvent (hEvent=0x3f8) returned 1 [0259.669] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0260.973] SetEvent (hEvent=0x3f8) returned 1 [0260.973] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0262.060] SetEvent (hEvent=0x19c) returned 1 [0262.060] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.867] SetEvent (hEvent=0x1b8) returned 1 [0270.867] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.882] SetEvent (hEvent=0x1b8) returned 1 [0270.882] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0270.884] SetEvent (hEvent=0x1b8) returned 1 [0270.884] SetEvent (hEvent=0x104) returned 1 [0270.885] ReadFile (in: hFile=0x460, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12851d1c*=0x10be, lpOverlapped=0x0) returned 1 [0270.886] GetFileType (hFile=0x460) returned 0x1 [0270.886] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.886] WriteFile (in: hFile=0x460, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x10be, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12851d00*=0x10be, lpOverlapped=0x12851d0c) returned 1 [0270.887] GetFileType (hFile=0x460) returned 0x1 [0270.887] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x10be, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0270.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0270.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0270.888] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80b0 | out: pbBuffer=0x128e80b0) returned 1 [0270.888] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\search_{0633ee93-d776-472f-a0ff-e1416b8b2e3a}.ico"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.888] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.888] WriteFile (in: hFile=0x45c, lpBuffer=0x12c16500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c16500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.888] CloseHandle (hObject=0x45c) returned 1 [0270.889] CloseHandle (hObject=0x460) returned 1 [0270.889] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80c8 | out: pbBuffer=0x128e80c8) returned 1 [0270.889] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\search_{0633ee93-d776-472f-a0ff-e1416b8b2e3a}.ico"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\#_THIS_FILE_IS_ENCRYPTED_[3255F423788D522B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\#_this_file_is_encrypted_[3255f423788d522b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.905] SetEvent (hEvent=0x104) returned 1 [0270.905] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\21IYDnRMwIe_qVIs.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\21iydnrmwie_qvis.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.906] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.906] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\21IYDnRMwIe_qVIs.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\21iydnrmwie_qvis.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c2ae40, ftCreationTime.dwHighDateTime=0x1d81f9d, ftLastAccessTime.dwLowDateTime=0x5d8e0480, ftLastAccessTime.dwHighDateTime=0x1d82851, ftLastWriteTime.dwLowDateTime=0x5d8e0480, ftLastWriteTime.dwHighDateTime=0x1d82851, nFileSizeHigh=0x0, nFileSizeLow=0x14945)) returned 1 [0270.906] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0270.906] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8110 | out: pbBuffer=0x128e8110) returned 1 [0270.906] ReadFile (in: hFile=0x460, lpBuffer=0x12cb0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cb0000*, lpNumberOfBytesRead=0x12851d1c*=0x14945, lpOverlapped=0x0) returned 1 [0270.909] GetFileType (hFile=0x460) returned 0x1 [0270.909] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.909] WriteFile (in: hFile=0x460, lpBuffer=0x12a5e000*, nNumberOfBytesToWrite=0x14945, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a5e000*, lpNumberOfBytesWritten=0x12851d00*=0x14945, lpOverlapped=0x12851d0c) returned 1 [0270.910] GetFileType (hFile=0x460) returned 0x1 [0270.910] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x14945, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0270.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0270.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0270.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8358 | out: pbBuffer=0x128e8358) returned 1 [0270.911] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\21IYDnRMwIe_qVIs.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\21iydnrmwie_qvis.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.911] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.911] WriteFile (in: hFile=0x45c, lpBuffer=0x12c16a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c16a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.912] CloseHandle (hObject=0x45c) returned 1 [0270.912] CloseHandle (hObject=0x460) returned 1 [0270.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8370 | out: pbBuffer=0x128e8370) returned 1 [0270.912] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\21IYDnRMwIe_qVIs.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\21iydnrmwie_qvis.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[06E41EF41E0DF914]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[06e41ef41e0df914]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.918] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\3pvh7FV9PjIhmA0Ig.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\3pvh7fv9pjihma0ig.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.918] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.919] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\3pvh7FV9PjIhmA0Ig.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\3pvh7fv9pjihma0ig.png"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5f49a30, ftCreationTime.dwHighDateTime=0x1d81cc0, ftLastAccessTime.dwLowDateTime=0x5de5b5e0, ftLastAccessTime.dwHighDateTime=0x1d82108, ftLastWriteTime.dwLowDateTime=0x5de5b5e0, ftLastWriteTime.dwHighDateTime=0x1d82108, nFileSizeHigh=0x0, nFileSizeLow=0x837b)) returned 1 [0270.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98420 | out: pbBuffer=0x12a98420) returned 1 [0270.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e83b8 | out: pbBuffer=0x128e83b8) returned 1 [0270.919] ReadFile (in: hFile=0x460, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12851d1c*=0x837b, lpOverlapped=0x0) returned 1 [0270.921] GetFileType (hFile=0x460) returned 0x1 [0270.921] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.921] WriteFile (in: hFile=0x460, lpBuffer=0x12ac4000*, nNumberOfBytesToWrite=0x837b, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12ac4000*, lpNumberOfBytesWritten=0x12851d00*=0x837b, lpOverlapped=0x12851d0c) returned 1 [0270.921] GetFileType (hFile=0x460) returned 0x1 [0270.921] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x837b, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835081 | out: pbBuffer=0x12835081) returned 1 [0270.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835181 | out: pbBuffer=0x12835181) returned 1 [0270.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835281 | out: pbBuffer=0x12835281) returned 1 [0270.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8470 | out: pbBuffer=0x128e8470) returned 1 [0270.922] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\3pvh7FV9PjIhmA0Ig.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\3pvh7fv9pjihma0ig.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0270.922] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.923] WriteFile (in: hFile=0x458, lpBuffer=0x12c16f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c16f00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.923] CloseHandle (hObject=0x458) returned 1 [0270.923] CloseHandle (hObject=0x460) returned 1 [0270.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8488 | out: pbBuffer=0x128e8488) returned 1 [0270.924] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\3pvh7FV9PjIhmA0Ig.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\3pvh7fv9pjihma0ig.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[C89DBC9105E95C1A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[c89dbc9105e95c1a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5BAeAyZU.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\5baeayzu.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c72cb20, ftCreationTime.dwHighDateTime=0x1d82187, ftLastAccessTime.dwLowDateTime=0x829a7690, ftLastAccessTime.dwHighDateTime=0x1d824d3, ftLastWriteTime.dwLowDateTime=0x829a7690, ftLastWriteTime.dwHighDateTime=0x1d824d3, nFileSizeHigh=0x0, nFileSizeLow=0xe1ea)) returned 1 [0270.926] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\7J2VhS-EpUeH.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\7j2vhs-epueh.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46df5060, ftCreationTime.dwHighDateTime=0x1d826a1, ftLastAccessTime.dwLowDateTime=0x489af640, ftLastAccessTime.dwHighDateTime=0x1d82866, ftLastWriteTime.dwLowDateTime=0x489af640, ftLastWriteTime.dwHighDateTime=0x1d82866, nFileSizeHigh=0x0, nFileSizeLow=0x34aa)) returned 1 [0270.926] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5BAeAyZU.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\5baeayzu.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.926] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.927] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5BAeAyZU.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\5baeayzu.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c72cb20, ftCreationTime.dwHighDateTime=0x1d82187, ftLastAccessTime.dwLowDateTime=0x829a7690, ftLastAccessTime.dwHighDateTime=0x1d824d3, ftLastWriteTime.dwLowDateTime=0x829a7690, ftLastWriteTime.dwHighDateTime=0x1d824d3, nFileSizeHigh=0x0, nFileSizeLow=0xe1ea)) returned 1 [0270.927] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98620 | out: pbBuffer=0x12a98620) returned 1 [0270.927] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9320 | out: pbBuffer=0x128e9320) returned 1 [0270.927] ReadFile (in: hFile=0x460, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12851d1c*=0xe1ea, lpOverlapped=0x0) returned 1 [0270.930] GetFileType (hFile=0x460) returned 0x1 [0270.930] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.930] WriteFile (in: hFile=0x460, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0xe1ea, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12851d00*=0xe1ea, lpOverlapped=0x12851d0c) returned 1 [0270.930] GetFileType (hFile=0x460) returned 0x1 [0270.930] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xe1ea, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.930] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835501 | out: pbBuffer=0x12835501) returned 1 [0270.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835601 | out: pbBuffer=0x12835601) returned 1 [0270.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835701 | out: pbBuffer=0x12835701) returned 1 [0270.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e93d8 | out: pbBuffer=0x128e93d8) returned 1 [0270.931] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5BAeAyZU.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\5baeayzu.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0270.931] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.931] WriteFile (in: hFile=0x458, lpBuffer=0x12c17400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c17400*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.932] CloseHandle (hObject=0x458) returned 1 [0270.932] CloseHandle (hObject=0x460) returned 1 [0270.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e93f0 | out: pbBuffer=0x128e93f0) returned 1 [0270.932] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5BAeAyZU.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\5baeayzu.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[D68B87315B7B9F39]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[d68b87315b7b9f39]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.933] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\7J2VhS-EpUeH.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\7j2vhs-epueh.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.934] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.934] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\7J2VhS-EpUeH.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\7j2vhs-epueh.avi"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46df5060, ftCreationTime.dwHighDateTime=0x1d826a1, ftLastAccessTime.dwLowDateTime=0x489af640, ftLastAccessTime.dwHighDateTime=0x1d82866, ftLastWriteTime.dwLowDateTime=0x489af640, ftLastWriteTime.dwHighDateTime=0x1d82866, nFileSizeHigh=0x0, nFileSizeLow=0x34aa)) returned 1 [0270.934] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98820 | out: pbBuffer=0x12a98820) returned 1 [0270.934] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9438 | out: pbBuffer=0x128e9438) returned 1 [0270.934] ReadFile (in: hFile=0x460, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12851d1c*=0x34aa, lpOverlapped=0x0) returned 1 [0270.953] GetFileType (hFile=0x460) returned 0x1 [0270.953] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.953] WriteFile (in: hFile=0x460, lpBuffer=0x12b78000*, nNumberOfBytesToWrite=0x34aa, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12b78000*, lpNumberOfBytesWritten=0x12851d00*=0x34aa, lpOverlapped=0x12851d0c) returned 1 [0270.953] GetFileType (hFile=0x460) returned 0x1 [0270.953] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x34aa, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835881 | out: pbBuffer=0x12835881) returned 1 [0270.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835981 | out: pbBuffer=0x12835981) returned 1 [0270.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835a81 | out: pbBuffer=0x12835a81) returned 1 [0270.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e94f0 | out: pbBuffer=0x128e94f0) returned 1 [0270.954] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\7J2VhS-EpUeH.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\7j2vhs-epueh.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.955] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.955] WriteFile (in: hFile=0x450, lpBuffer=0x12c17900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c17900*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.955] CloseHandle (hObject=0x450) returned 1 [0270.955] CloseHandle (hObject=0x460) returned 1 [0270.955] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9508 | out: pbBuffer=0x128e9508) returned 1 [0270.955] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\7J2VhS-EpUeH.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\7j2vhs-epueh.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[72993AD0FB6CF2D4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[72993ad0fb6cf2d4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.957] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FLIUZbRcCx2rfhc.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fliuzbrccx2rfhc.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.958] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.958] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FLIUZbRcCx2rfhc.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fliuzbrccx2rfhc.gif"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66681ef0, ftCreationTime.dwHighDateTime=0x1d8250a, ftLastAccessTime.dwLowDateTime=0xda111580, ftLastAccessTime.dwHighDateTime=0x1d82796, ftLastWriteTime.dwLowDateTime=0xda111580, ftLastWriteTime.dwHighDateTime=0x1d82796, nFileSizeHigh=0x0, nFileSizeLow=0x919c)) returned 1 [0270.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98a20 | out: pbBuffer=0x12a98a20) returned 1 [0270.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9550 | out: pbBuffer=0x128e9550) returned 1 [0270.959] ReadFile (in: hFile=0x460, lpBuffer=0x129f6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f6000*, lpNumberOfBytesRead=0x12851d1c*=0x919c, lpOverlapped=0x0) returned 1 [0270.962] GetFileType (hFile=0x460) returned 0x1 [0270.962] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.962] WriteFile (in: hFile=0x460, lpBuffer=0x12a36000*, nNumberOfBytesToWrite=0x919c, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a36000*, lpNumberOfBytesWritten=0x12851d00*=0x919c, lpOverlapped=0x12851d0c) returned 1 [0270.962] GetFileType (hFile=0x460) returned 0x1 [0270.962] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x919c, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.963] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835d01 | out: pbBuffer=0x12835d01) returned 1 [0270.963] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835e01 | out: pbBuffer=0x12835e01) returned 1 [0270.963] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835f01 | out: pbBuffer=0x12835f01) returned 1 [0270.963] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9608 | out: pbBuffer=0x128e9608) returned 1 [0270.963] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FLIUZbRcCx2rfhc.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fliuzbrccx2rfhc.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.963] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.964] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.964] CloseHandle (hObject=0x450) returned 1 [0270.964] CloseHandle (hObject=0x460) returned 1 [0270.964] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9620 | out: pbBuffer=0x128e9620) returned 1 [0270.965] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FLIUZbRcCx2rfhc.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fliuzbrccx2rfhc.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[D2C9BAFB49F1B458]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[d2c9bafb49f1b458]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.966] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FXCEn83AIhwhF.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fxcen83aihwhf.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e9ea420, ftCreationTime.dwHighDateTime=0x1d82007, ftLastAccessTime.dwLowDateTime=0xdab95c40, ftLastAccessTime.dwHighDateTime=0x1d827be, ftLastWriteTime.dwLowDateTime=0xdab95c40, ftLastWriteTime.dwHighDateTime=0x1d827be, nFileSizeHigh=0x0, nFileSizeLow=0x5acc)) returned 1 [0270.967] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IgjPP1x0rd-DVHI.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\igjpp1x0rd-dvhi.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4add5d20, ftCreationTime.dwHighDateTime=0x1d829cf, ftLastAccessTime.dwLowDateTime=0x307850, ftLastAccessTime.dwHighDateTime=0x1d82a26, ftLastWriteTime.dwLowDateTime=0x307850, ftLastWriteTime.dwHighDateTime=0x1d82a26, nFileSizeHigh=0x0, nFileSizeLow=0x9947)) returned 1 [0270.967] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FXCEn83AIhwhF.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fxcen83aihwhf.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.967] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.967] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FXCEn83AIhwhF.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fxcen83aihwhf.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e9ea420, ftCreationTime.dwHighDateTime=0x1d82007, ftLastAccessTime.dwLowDateTime=0xdab95c40, ftLastAccessTime.dwHighDateTime=0x1d827be, ftLastWriteTime.dwLowDateTime=0xdab95c40, ftLastWriteTime.dwHighDateTime=0x1d827be, nFileSizeHigh=0x0, nFileSizeLow=0x5acc)) returned 1 [0270.968] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99f80 | out: pbBuffer=0x12a99f80) returned 1 [0270.968] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9f90 | out: pbBuffer=0x128e9f90) returned 1 [0270.968] ReadFile (in: hFile=0x460, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12851d1c*=0x5acc, lpOverlapped=0x0) returned 1 [0270.969] GetFileType (hFile=0x460) returned 0x1 [0270.969] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.970] WriteFile (in: hFile=0x460, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x5acc, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x12851d00*=0x5acc, lpOverlapped=0x12851d0c) returned 1 [0270.970] GetFileType (hFile=0x460) returned 0x1 [0270.970] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x5acc, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.970] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0270.970] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0270.971] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0270.971] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34058 | out: pbBuffer=0x12c34058) returned 1 [0270.971] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FXCEn83AIhwhF.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fxcen83aihwhf.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.971] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.971] WriteFile (in: hFile=0x450, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.971] CloseHandle (hObject=0x450) returned 1 [0270.972] CloseHandle (hObject=0x460) returned 1 [0270.972] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34090 | out: pbBuffer=0x12c34090) returned 1 [0270.972] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\FXCEn83AIhwhF.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\fxcen83aihwhf.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[1B9E67D167D7D7D9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[1b9e67d167d7d7d9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.973] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IgjPP1x0rd-DVHI.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\igjpp1x0rd-dvhi.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0270.974] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.974] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IgjPP1x0rd-DVHI.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\igjpp1x0rd-dvhi.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4add5d20, ftCreationTime.dwHighDateTime=0x1d829cf, ftLastAccessTime.dwLowDateTime=0x307850, ftLastAccessTime.dwHighDateTime=0x1d82a26, ftLastWriteTime.dwLowDateTime=0x307850, ftLastWriteTime.dwHighDateTime=0x1d82a26, nFileSizeHigh=0x0, nFileSizeLow=0x9947)) returned 1 [0270.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128443a0 | out: pbBuffer=0x128443a0) returned 1 [0270.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0270.975] ReadFile (in: hFile=0x460, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12851d1c*=0x9947, lpOverlapped=0x0) returned 1 [0270.977] GetFileType (hFile=0x460) returned 0x1 [0270.977] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.977] WriteFile (in: hFile=0x460, lpBuffer=0x12cf0000*, nNumberOfBytesToWrite=0x9947, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12cf0000*, lpNumberOfBytesWritten=0x12851d00*=0x9947, lpOverlapped=0x12851d0c) returned 1 [0270.978] GetFileType (hFile=0x460) returned 0x1 [0270.978] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x9947, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0270.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0270.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0270.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34190 | out: pbBuffer=0x12c34190) returned 1 [0270.979] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IgjPP1x0rd-DVHI.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\igjpp1x0rd-dvhi.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.979] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0270.979] WriteFile (in: hFile=0x450, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.979] CloseHandle (hObject=0x450) returned 1 [0270.979] CloseHandle (hObject=0x460) returned 1 [0270.979] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341a8 | out: pbBuffer=0x12c341a8) returned 1 [0270.979] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IgjPP1x0rd-DVHI.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\igjpp1x0rd-dvhi.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[B2EAFEC9396CDE71]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[b2eafec9396cde71]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0271.624] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0271.810] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.211] SetEvent (hEvent=0x1b8) returned 1 [0272.211] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb804f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb804f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a7ecfbc, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x45882)) returned 1 [0272.229] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.233] SetEvent (hEvent=0x1b8) returned 1 [0272.233] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ebb9a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ebb9a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d)) returned 1 [0272.234] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.315] SetEvent (hEvent=0x40c) returned 1 [0272.315] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec07b6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec07b6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x42132)) returned 1 [0272.316] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec4265, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec4265, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x351ea)) returned 1 [0272.316] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ecb8b4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ecb8b4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3)) returned 1 [0272.462] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.536] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.594] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.611] SetEvent (hEvent=0x19c) returned 1 [0272.611] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.622] SetEvent (hEvent=0x1b8) returned 1 [0272.622] SetEvent (hEvent=0x104) returned 1 [0272.622] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0272.664] SetEvent (hEvent=0x19c) returned 1 [0272.664] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0273.535] SetEvent (hEvent=0x40c) returned 1 [0273.535] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0273.540] SetEvent (hEvent=0x40c) returned 1 [0273.540] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0273.542] SetEvent (hEvent=0x40c) returned 1 [0273.542] SetEvent (hEvent=0xfc) returned 1 [0273.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a010 | out: pbBuffer=0x12a9a010) returned 1 [0273.542] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[0BD8842BB7370D86]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[0bd8842bb7370d86]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.544] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0273.545] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.545] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9841a2b8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9841a2b8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf2786e00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x7fb28)) returned 1 [0273.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88020 | out: pbBuffer=0x12b88020) returned 1 [0273.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a058 | out: pbBuffer=0x12a9a058) returned 1 [0273.545] ReadFile (in: hFile=0x45c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0273.565] GetFileType (hFile=0x45c) returned 0x1 [0273.565] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.565] WriteFile (in: hFile=0x45c, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0273.566] GetFileType (hFile=0x45c) returned 0x1 [0273.566] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0273.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0273.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0273.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a140 | out: pbBuffer=0x12a9a140) returned 1 [0273.567] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.568] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.568] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.588] CloseHandle (hObject=0x44c) returned 1 [0273.588] CloseHandle (hObject=0x45c) returned 1 [0273.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a158 | out: pbBuffer=0x12a9a158) returned 1 [0273.589] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[D1D01A66919443DD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[d1d01a66919443dd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.686] SetEvent (hEvent=0x110) returned 1 [0273.686] SetEvent (hEvent=0x104) returned 1 [0273.686] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0273.687] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.687] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9818a945, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9818a945, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xba712b00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0xec122)) returned 1 [0273.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88420 | out: pbBuffer=0x12b88420) returned 1 [0273.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a3a8 | out: pbBuffer=0x12a9a3a8) returned 1 [0273.688] ReadFile (in: hFile=0x45c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0273.696] GetFileType (hFile=0x45c) returned 0x1 [0273.696] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.697] WriteFile (in: hFile=0x45c, lpBuffer=0x12ca4000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12ca4000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0273.698] GetFileType (hFile=0x45c) returned 0x1 [0273.698] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0273.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0273.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0273.699] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a460 | out: pbBuffer=0x12a9a460) returned 1 [0273.699] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0273.699] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.699] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.050] CloseHandle (hObject=0x42c) returned 1 [0274.091] CloseHandle (hObject=0x45c) returned 1 [0274.103] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a478 | out: pbBuffer=0x12a9a478) returned 1 [0274.103] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[802618B11F5F9B37]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[802618b11f5f9b37]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.278] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.285] SetEvent (hEvent=0x1b8) returned 1 [0274.285] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0274.286] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0274.286] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978145cc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978145cc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc65ced00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0xee481)) returned 1 [0274.286] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844400 | out: pbBuffer=0x12844400) returned 1 [0274.287] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34108 | out: pbBuffer=0x12c34108) returned 1 [0274.287] ReadFile (in: hFile=0x450, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.300] GetFileType (hFile=0x450) returned 0x1 [0274.300] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0274.300] WriteFile (in: hFile=0x450, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0274.301] GetFileType (hFile=0x450) returned 0x1 [0274.301] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0274.301] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0274.302] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0274.302] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0274.302] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341c0 | out: pbBuffer=0x12c341c0) returned 1 [0274.302] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0274.303] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0274.303] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0274.307] CloseHandle (hObject=0x44c) returned 1 [0274.308] CloseHandle (hObject=0x450) returned 1 [0274.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341d8 | out: pbBuffer=0x12c341d8) returned 1 [0274.317] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[A5978C4BA829C00F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[a5978c4ba829c00f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.479] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.544] SetEvent (hEvent=0x19c) returned 1 [0274.544] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0274.545] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0274.545] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x981588c3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x981588c3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x2358a300, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x2c9ecd)) returned 1 [0274.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98820 | out: pbBuffer=0x12a98820) returned 1 [0274.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8560 | out: pbBuffer=0x128e8560) returned 1 [0274.545] ReadFile (in: hFile=0x458, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.558] GetFileType (hFile=0x458) returned 0x1 [0274.558] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0274.558] WriteFile (in: hFile=0x458, lpBuffer=0x129d6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x129d6000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0274.559] GetFileType (hFile=0x458) returned 0x1 [0274.559] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0274.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0274.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0274.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0274.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8618 | out: pbBuffer=0x128e8618) returned 1 [0274.561] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0274.561] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0274.561] WriteFile (in: hFile=0x450, lpBuffer=0x128ae500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0274.565] CloseHandle (hObject=0x450) returned 1 [0274.573] CloseHandle (hObject=0x458) returned 1 [0274.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8630 | out: pbBuffer=0x128e8630) returned 1 [0274.581] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[DD3ADA00EA956DB4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[dd3ada00ea956db4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.692] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0274.722] SetEvent (hEvent=0x3f8) returned 1 [0274.722] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.723] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0274.723] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9860260f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9860260f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x235700, ftLastWriteTime.dwHighDateTime=0x1d4196e, nFileSizeHigh=0x0, nFileSizeLow=0x9477a)) returned 1 [0274.723] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b885c0 | out: pbBuffer=0x12b885c0) returned 1 [0274.723] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8440 | out: pbBuffer=0x128e8440) returned 1 [0274.723] ReadFile (in: hFile=0x45c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.737] GetFileType (hFile=0x45c) returned 0x1 [0274.737] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0274.737] WriteFile (in: hFile=0x45c, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0274.738] GetFileType (hFile=0x45c) returned 0x1 [0274.738] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0274.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0274.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0274.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0274.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e84f8 | out: pbBuffer=0x128e84f8) returned 1 [0274.739] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0274.739] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0274.739] WriteFile (in: hFile=0x460, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0274.744] CloseHandle (hObject=0x460) returned 1 [0274.770] CloseHandle (hObject=0x45c) returned 1 [0274.793] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342d8 | out: pbBuffer=0x12c342d8) returned 1 [0274.793] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[78D361C7191AA4DA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[78d361c7191aa4da]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.912] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.309] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.312] SetEvent (hEvent=0x19c) returned 1 [0275.312] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.314] SetEvent (hEvent=0x19c) returned 1 [0275.314] SetEvent (hEvent=0x40c) returned 1 [0275.314] SwitchToThread () returned 1 [0275.316] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.335] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.357] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.380] SetEvent (hEvent=0x40c) returned 1 [0275.380] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851218[[fn=gb]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851218[[fn=gb]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97625f0b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97625f0b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9762869a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4181d)) returned 1 [0275.381] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.413] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.431] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.476] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.497] SetEvent (hEvent=0x3f8) returned 1 [0275.497] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.500] SetEvent (hEvent=0x40c) returned 1 [0275.501] SetEvent (hEvent=0x19c) returned 1 [0275.501] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0275.508] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0275.510] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0275.510] SetEvent (hEvent=0x40c) returned 1 [0275.511] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0275.517] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.518] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.540] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0275.546] SetEvent (hEvent=0x19c) returned 1 [0275.547] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851225[[fn=mlaseventheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851225[[fn=mlaseventheditionofficeonline]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.547] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0275.547] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851225[[fn=mlaseventheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851225[[fn=mlaseventheditionofficeonline]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9786c3ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9786c3ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9786d825, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3e39b)) returned 1 [0275.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928040 | out: pbBuffer=0x12928040) returned 1 [0275.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34058 | out: pbBuffer=0x12c34058) returned 1 [0275.548] ReadFile (in: hFile=0x44c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.552] GetFileType (hFile=0x44c) returned 0x1 [0275.552] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0275.552] WriteFile (in: hFile=0x44c, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0275.553] GetFileType (hFile=0x44c) returned 0x1 [0275.553] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0275.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0275.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0275.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0275.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34130 | out: pbBuffer=0x12c34130) returned 1 [0275.554] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851225[[fn=mlaseventheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851225[[fn=mlaseventheditionofficeonline]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.554] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0275.554] WriteFile (in: hFile=0x45c, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0275.554] CloseHandle (hObject=0x45c) returned 1 [0275.558] CloseHandle (hObject=0x44c) returned 1 [0275.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34148 | out: pbBuffer=0x12c34148) returned 1 [0275.558] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851225[[fn=mlaseventheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851225[[fn=mlaseventheditionofficeonline]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[EA35C38F18C917D9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[ea35c38f18c917d9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0276.060] SetEvent (hEvent=0x1b8) returned 1 [0276.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998158[[fn=element]].dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0276.061] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0276.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998158[[fn=element]].dotx"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98167377, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98167377, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98167377, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x866f)) returned 1 [0276.062] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928be0 | out: pbBuffer=0x12928be0) returned 1 [0276.062] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c344c0 | out: pbBuffer=0x12c344c0) returned 1 [0276.062] ReadFile (in: hFile=0x45c, lpBuffer=0x12cf8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf8000*, lpNumberOfBytesRead=0x12a5fd1c*=0x866f, lpOverlapped=0x0) returned 1 [0276.107] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0276.161] GetFileType (hFile=0x45c) returned 0x1 [0276.161] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0276.161] WriteFile (in: hFile=0x45c, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x866f, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12a5fd00*=0x866f, lpOverlapped=0x12a5fd0c) returned 1 [0276.162] GetFileType (hFile=0x45c) returned 0x1 [0276.162] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x866f, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0276.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0276.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a281 | out: pbBuffer=0x1286a281) returned 1 [0276.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a381 | out: pbBuffer=0x1286a381) returned 1 [0276.163] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34380 | out: pbBuffer=0x12c34380) returned 1 [0276.163] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998158[[fn=element]].dotx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0276.163] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0276.163] WriteFile (in: hFile=0x460, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0276.163] CloseHandle (hObject=0x460) returned 1 [0276.164] CloseHandle (hObject=0x45c) returned 1 [0276.164] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34398 | out: pbBuffer=0x12c34398) returned 1 [0276.164] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998158[[fn=element]].dotx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\#_THIS_FILE_IS_ENCRYPTED_[FA071822DAB9B33B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\#_this_file_is_encrypted_[fa071822dab9b33b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0276.166] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998159[[fn=insight]].dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0276.168] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0276.168] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998159[[fn=insight]].dotx"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9846e6c1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9846e6c1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f3b86, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x34df74)) returned 1 [0276.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928b80 | out: pbBuffer=0x12928b80) returned 1 [0276.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34410 | out: pbBuffer=0x12c34410) returned 1 [0276.168] ReadFile (in: hFile=0x45c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0276.230] GetFileType (hFile=0x45c) returned 0x1 [0276.230] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0276.231] WriteFile (in: hFile=0x45c, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0276.231] GetFileType (hFile=0x45c) returned 0x1 [0276.231] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0276.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0276.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0276.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0276.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c344e8 | out: pbBuffer=0x12c344e8) returned 1 [0276.232] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998159[[fn=insight]].dotx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0276.232] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0276.232] WriteFile (in: hFile=0x460, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0276.356] CloseHandle (hObject=0x460) returned 1 [0276.356] CloseHandle (hObject=0x45c) returned 1 [0276.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34500 | out: pbBuffer=0x12c34500) returned 1 [0276.357] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998159[[fn=insight]].dotx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\#_THIS_FILE_IS_ENCRYPTED_[3925A31D4C4F4526]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\#_this_file_is_encrypted_[3925a31d4c4f4526]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0276.359] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0276.816] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\P30eaW83bz2S.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\p30eaw83bz2s.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0276.817] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0276.817] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\P30eaW83bz2S.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\p30eaw83bz2s.avi"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefbb2e20, ftCreationTime.dwHighDateTime=0x1d819e0, ftLastAccessTime.dwLowDateTime=0x1602f390, ftLastAccessTime.dwHighDateTime=0x1d8211d, ftLastWriteTime.dwLowDateTime=0x1602f390, ftLastWriteTime.dwHighDateTime=0x1d8211d, nFileSizeHigh=0x0, nFileSizeLow=0xf3c8)) returned 1 [0276.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b880c0 | out: pbBuffer=0x12b880c0) returned 1 [0276.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80e8 | out: pbBuffer=0x128e80e8) returned 1 [0276.818] ReadFile (in: hFile=0x45c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a5fd1c*=0xf3c8, lpOverlapped=0x0) returned 1 [0276.820] GetFileType (hFile=0x45c) returned 0x1 [0276.820] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0276.820] WriteFile (in: hFile=0x45c, lpBuffer=0x12ca4000*, nNumberOfBytesToWrite=0xf3c8, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12ca4000*, lpNumberOfBytesWritten=0x12a5fd00*=0xf3c8, lpOverlapped=0x12a5fd0c) returned 1 [0276.821] GetFileType (hFile=0x45c) returned 0x1 [0276.821] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xf3c8, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0276.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0276.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0276.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0276.822] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8340 | out: pbBuffer=0x128e8340) returned 1 [0276.822] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\P30eaW83bz2S.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\p30eaw83bz2s.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0276.822] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0276.822] WriteFile (in: hFile=0x460, lpBuffer=0x12922000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12922000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0276.822] CloseHandle (hObject=0x460) returned 1 [0276.987] CloseHandle (hObject=0x45c) returned 1 [0277.228] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0277.427] SetEvent (hEvent=0x104) returned 1 [0277.427] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0277.626] SetEvent (hEvent=0x104) returned 1 [0277.626] SetEvent (hEvent=0x420) returned 1 [0277.626] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0277.862] SetEvent (hEvent=0x1b8) returned 1 [0277.862] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0277.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\qKzW8J3AvmRUdsVCGgRU.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\qkzw8j3avmrudsvcggru.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0277.877] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.877] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\qKzW8J3AvmRUdsVCGgRU.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\qkzw8j3avmrudsvcggru.flv"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa17c6f0, ftCreationTime.dwHighDateTime=0x1d8270d, ftLastAccessTime.dwLowDateTime=0x8d18b340, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0x8d18b340, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x2ac1)) returned 1 [0277.877] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a992c0 | out: pbBuffer=0x12a992c0) returned 1 [0277.877] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128489e8 | out: pbBuffer=0x128489e8) returned 1 [0277.877] ReadFile (in: hFile=0x1a4, lpBuffer=0x129ac000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129ac000*, lpNumberOfBytesRead=0x1282fd1c*=0x2ac1, lpOverlapped=0x0) returned 1 [0277.879] GetFileType (hFile=0x1a4) returned 0x1 [0277.879] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.879] WriteFile (in: hFile=0x1a4, lpBuffer=0x129ec000*, nNumberOfBytesToWrite=0x2ac1, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x129ec000*, lpNumberOfBytesWritten=0x1282fd00*=0x2ac1, lpOverlapped=0x1282fd0c) returned 1 [0277.879] GetFileType (hFile=0x1a4) returned 0x1 [0277.879] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x2ac1, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0277.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801f81 | out: pbBuffer=0x12801f81) returned 1 [0277.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834181 | out: pbBuffer=0x12834181) returned 1 [0277.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0277.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848ac0 | out: pbBuffer=0x12848ac0) returned 1 [0277.880] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\qKzW8J3AvmRUdsVCGgRU.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\qkzw8j3avmrudsvcggru.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.880] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0277.880] WriteFile (in: hFile=0x42c, lpBuffer=0x12dc6500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.881] CloseHandle (hObject=0x42c) returned 1 [0277.881] CloseHandle (hObject=0x1a4) returned 1 [0277.881] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ad8 | out: pbBuffer=0x12848ad8) returned 1 [0277.881] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\qKzW8J3AvmRUdsVCGgRU.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\qkzw8j3avmrudsvcggru.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[CABF18E17B0B4373]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[cabf18e17b0b4373]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.883] SetEvent (hEvent=0x3f4) returned 1 [0277.883] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0277.962] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0277.983] SetEvent (hEvent=0x1b8) returned 1 [0277.983] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\-LoqqXzbvdQz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\-loqqxzbvdqz.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.984] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0277.984] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\-LoqqXzbvdQz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\-loqqxzbvdqz.png"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4e2f240, ftCreationTime.dwHighDateTime=0x1d8289d, ftLastAccessTime.dwLowDateTime=0xb0eca460, ftLastAccessTime.dwHighDateTime=0x1d8290a, ftLastWriteTime.dwLowDateTime=0xb0eca460, ftLastWriteTime.dwHighDateTime=0x1d8290a, nFileSizeHigh=0x0, nFileSizeLow=0xba59)) returned 1 [0277.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0277.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0277.984] ReadFile (in: hFile=0x44c, lpBuffer=0x12bbe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bbe000*, lpNumberOfBytesRead=0x12855d1c*=0xba59, lpOverlapped=0x0) returned 1 [0277.986] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0277.990] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0277.990] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0277.990] SetEvent (hEvent=0x110) returned 1 [0277.990] SetEvent (hEvent=0x1b8) returned 1 [0277.990] SetEvent (hEvent=0x3f8) returned 1 [0277.990] GetFileType (hFile=0x44c) returned 0x1 [0277.990] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.990] WriteFile (in: hFile=0x44c, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0xba59, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12855d00*=0xba59, lpOverlapped=0x12855d0c) returned 1 [0277.991] GetFileType (hFile=0x44c) returned 0x1 [0277.991] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xba59, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0277.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0277.992] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0277.992] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34260 | out: pbBuffer=0x12c34260) returned 1 [0277.992] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\-LoqqXzbvdQz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\-loqqxzbvdqz.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0277.992] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0277.992] WriteFile (in: hFile=0x460, lpBuffer=0x12bde000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12bde000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0277.992] CloseHandle (hObject=0x460) returned 1 [0278.000] CloseHandle (hObject=0x44c) returned 1 [0278.005] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0278.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849bc0 | out: pbBuffer=0x12849bc0) returned 1 [0278.007] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\-LoqqXzbvdQz.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\-loqqxzbvdqz.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[6C9195CA9835B957]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[6c9195ca9835b957]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.032] SetEvent (hEvent=0x110) returned 1 [0278.032] SetEvent (hEvent=0xf4) returned 1 [0278.033] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\EEvtC_8FCgIX-TWo8I.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eevtc_8fcgix-two8i.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0278.033] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.033] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\EEvtC_8FCgIX-TWo8I.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eevtc_8fcgix-two8i.wav"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3000250, ftCreationTime.dwHighDateTime=0x1d82204, ftLastAccessTime.dwLowDateTime=0x980eff80, ftLastAccessTime.dwHighDateTime=0x1d8252f, ftLastWriteTime.dwLowDateTime=0x980eff80, ftLastWriteTime.dwHighDateTime=0x1d8252f, nFileSizeHigh=0x0, nFileSizeLow=0xf305)) returned 1 [0278.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e220 | out: pbBuffer=0x1280e220) returned 1 [0278.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810078 | out: pbBuffer=0x12810078) returned 1 [0278.034] ReadFile (in: hFile=0x45c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12855d1c*=0xf305, lpOverlapped=0x0) returned 1 [0278.036] GetFileType (hFile=0x45c) returned 0x1 [0278.036] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.036] WriteFile (in: hFile=0x45c, lpBuffer=0x12e20000*, nNumberOfBytesToWrite=0xf305, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12e20000*, lpNumberOfBytesWritten=0x12855d00*=0xf305, lpOverlapped=0x12855d0c) returned 1 [0278.037] GetFileType (hFile=0x45c) returned 0x1 [0278.037] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xf305, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0278.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0278.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0278.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810140 | out: pbBuffer=0x12810140) returned 1 [0278.037] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\EEvtC_8FCgIX-TWo8I.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eevtc_8fcgix-two8i.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0278.037] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.037] WriteFile (in: hFile=0x458, lpBuffer=0x12dc6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.038] CloseHandle (hObject=0x458) returned 1 [0278.041] CloseHandle (hObject=0x45c) returned 1 [0278.048] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810158 | out: pbBuffer=0x12810158) returned 1 [0278.048] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\EEvtC_8FCgIX-TWo8I.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eevtc_8fcgix-two8i.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[85A1B06D5B814F14]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[85a1b06d5b814f14]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.236] SetEvent (hEvent=0xf4) returned 1 [0278.236] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\ggbWGBU.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\ggbwgbu.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0278.237] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.237] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\ggbWGBU.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\ggbwgbu.ppt"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62eebdf0, ftCreationTime.dwHighDateTime=0x1d8209c, ftLastAccessTime.dwLowDateTime=0xbe8588c0, ftLastAccessTime.dwHighDateTime=0x1d820c8, ftLastWriteTime.dwLowDateTime=0xbe8588c0, ftLastWriteTime.dwHighDateTime=0x1d820c8, nFileSizeHigh=0x0, nFileSizeLow=0x1749b)) returned 1 [0278.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e8e0 | out: pbBuffer=0x1280e8e0) returned 1 [0278.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810420 | out: pbBuffer=0x12810420) returned 1 [0278.238] ReadFile (in: hFile=0x460, lpBuffer=0x12de8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12de8000*, lpNumberOfBytesRead=0x12855d1c*=0x1749b, lpOverlapped=0x0) returned 1 [0278.240] GetFileType (hFile=0x460) returned 0x1 [0278.240] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.240] WriteFile (in: hFile=0x460, lpBuffer=0x12c0a000*, nNumberOfBytesToWrite=0x1749b, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12c0a000*, lpNumberOfBytesWritten=0x12855d00*=0x1749b, lpOverlapped=0x12855d0c) returned 1 [0278.241] GetFileType (hFile=0x460) returned 0x1 [0278.241] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x1749b, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835281 | out: pbBuffer=0x12835281) returned 1 [0278.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835381 | out: pbBuffer=0x12835381) returned 1 [0278.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835481 | out: pbBuffer=0x12835481) returned 1 [0278.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128104d8 | out: pbBuffer=0x128104d8) returned 1 [0278.241] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\ggbWGBU.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\ggbwgbu.ppt"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.242] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.242] WriteFile (in: hFile=0x42c, lpBuffer=0x12dc7400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc7400*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.242] CloseHandle (hObject=0x42c) returned 1 [0278.276] SetEvent (hEvent=0x110) returned 1 [0278.276] CloseHandle (hObject=0x460) returned 1 [0278.280] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a10 | out: pbBuffer=0x12848a10) returned 1 [0278.311] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\ggbWGBU.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\ggbwgbu.ppt"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[211C1E758D537A2B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[211c1e758d537a2b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.570] SetEvent (hEvent=0xf4) returned 1 [0278.570] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4oMFooZPReWD1.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4omfoozprewd1.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0278.572] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.572] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4oMFooZPReWD1.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4omfoozprewd1.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca45fda0, ftCreationTime.dwHighDateTime=0x1d824fd, ftLastAccessTime.dwLowDateTime=0x390e3380, ftLastAccessTime.dwHighDateTime=0x1d82989, ftLastWriteTime.dwLowDateTime=0x390e3380, ftLastWriteTime.dwHighDateTime=0x1d82989, nFileSizeHigh=0x0, nFileSizeLow=0x13a77)) returned 1 [0278.572] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928a60 | out: pbBuffer=0x12928a60) returned 1 [0278.572] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848da0 | out: pbBuffer=0x12848da0) returned 1 [0278.581] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0278.584] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0278.584] SetEvent (hEvent=0x110) returned 1 [0278.584] SetEvent (hEvent=0xf4) returned 1 [0278.585] ReadFile (in: hFile=0x460, lpBuffer=0x12cd0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cd0000*, lpNumberOfBytesRead=0x12855d1c*=0x13a77, lpOverlapped=0x0) returned 1 [0278.587] GetFileType (hFile=0x460) returned 0x1 [0278.587] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.587] WriteFile (in: hFile=0x460, lpBuffer=0x12a2c000*, nNumberOfBytesToWrite=0x13a77, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a2c000*, lpNumberOfBytesWritten=0x12855d00*=0x13a77, lpOverlapped=0x12855d0c) returned 1 [0278.588] GetFileType (hFile=0x460) returned 0x1 [0278.588] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x13a77, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bc01 | out: pbBuffer=0x1286bc01) returned 1 [0278.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bd01 | out: pbBuffer=0x1286bd01) returned 1 [0278.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286be01 | out: pbBuffer=0x1286be01) returned 1 [0278.589] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848e58 | out: pbBuffer=0x12848e58) returned 1 [0278.589] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4oMFooZPReWD1.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4omfoozprewd1.bmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.589] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.589] WriteFile (in: hFile=0x42c, lpBuffer=0x12bdf900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12bdf900*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.589] CloseHandle (hObject=0x42c) returned 1 [0278.596] CloseHandle (hObject=0x460) returned 1 [0278.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0278.598] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4oMFooZPReWD1.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4omfoozprewd1.bmp"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[19FBC23A2F0D4C73]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[19fbc23a2f0d4c73]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\6etfHXV 5PagM21.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\6etfhxv 5pagm21.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0278.604] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.604] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\6etfHXV 5PagM21.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\6etfhxv 5pagm21.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8501f0, ftCreationTime.dwHighDateTime=0x1d8226d, ftLastAccessTime.dwLowDateTime=0xd2e053a0, ftLastAccessTime.dwHighDateTime=0x1d822ed, ftLastWriteTime.dwLowDateTime=0xd2e053a0, ftLastWriteTime.dwHighDateTime=0x1d822ed, nFileSizeHigh=0x0, nFileSizeLow=0x7e62)) returned 1 [0278.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0278.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0278.604] ReadFile (in: hFile=0x460, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12855d1c*=0x7e62, lpOverlapped=0x0) returned 1 [0278.606] GetFileType (hFile=0x460) returned 0x1 [0278.606] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.606] WriteFile (in: hFile=0x460, lpBuffer=0x12b9e000*, nNumberOfBytesToWrite=0x7e62, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12b9e000*, lpNumberOfBytesWritten=0x12855d00*=0x7e62, lpOverlapped=0x12855d0c) returned 1 [0278.606] GetFileType (hFile=0x460) returned 0x1 [0278.606] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x7e62, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0278.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0278.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0278.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0278.607] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\6etfHXV 5PagM21.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\6etfhxv 5pagm21.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0278.607] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.607] WriteFile (in: hFile=0x44c, lpBuffer=0x12bde000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12bde000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.607] CloseHandle (hObject=0x44c) returned 1 [0278.616] CloseHandle (hObject=0x460) returned 1 [0278.619] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0278.620] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\6etfHXV 5PagM21.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\6etfhxv 5pagm21.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[5FE9C49EDDC66B4B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[5fe9c49eddc66b4b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.676] SetEvent (hEvent=0x110) returned 1 [0278.676] SetEvent (hEvent=0x3f8) returned 1 [0278.676] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\FObnuAwtmJC9McsJ_-Z.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\fobnuawtmjc9mcsj_-z.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0278.677] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\FObnuAwtmJC9McsJ_-Z.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\fobnuawtmjc9mcsj_-z.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8dca7a20, ftCreationTime.dwHighDateTime=0x1d82027, ftLastAccessTime.dwLowDateTime=0xb179bfb0, ftLastAccessTime.dwHighDateTime=0x1d825c9, ftLastWriteTime.dwLowDateTime=0xb179bfb0, ftLastWriteTime.dwHighDateTime=0x1d825c9, nFileSizeHigh=0x0, nFileSizeLow=0x18cbc)) returned 1 [0278.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2a0 | out: pbBuffer=0x1280e2a0) returned 1 [0278.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae68 | out: pbBuffer=0x12a9ae68) returned 1 [0278.679] ReadFile (in: hFile=0x44c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12855d1c*=0x18cbc, lpOverlapped=0x0) returned 1 [0278.681] GetFileType (hFile=0x44c) returned 0x1 [0278.681] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.681] WriteFile (in: hFile=0x44c, lpBuffer=0x12c08000*, nNumberOfBytesToWrite=0x18cbc, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12c08000*, lpNumberOfBytesWritten=0x12855d00*=0x18cbc, lpOverlapped=0x12855d0c) returned 1 [0278.682] GetFileType (hFile=0x44c) returned 0x1 [0278.682] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x18cbc, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0278.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0278.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0278.683] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9af20 | out: pbBuffer=0x12a9af20) returned 1 [0278.683] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\FObnuAwtmJC9McsJ_-Z.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\fobnuawtmjc9mcsj_-z.rtf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.683] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.683] WriteFile (in: hFile=0x42c, lpBuffer=0x12e72f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12e72f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.683] CloseHandle (hObject=0x42c) returned 1 [0278.688] CloseHandle (hObject=0x44c) returned 1 [0278.710] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b008 | out: pbBuffer=0x12a9b008) returned 1 [0278.710] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\FObnuAwtmJC9McsJ_-Z.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\fobnuawtmjc9mcsj_-z.rtf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[BF31F9F4AE43819F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[bf31f9f4ae43819f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.809] SetEvent (hEvent=0x3f8) returned 1 [0278.809] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TBp4.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tbp4.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0278.810] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.810] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TBp4.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tbp4.gif"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cd910c0, ftCreationTime.dwHighDateTime=0x1d81bc5, ftLastAccessTime.dwLowDateTime=0x1f631800, ftLastAccessTime.dwHighDateTime=0x1d822e6, ftLastWriteTime.dwLowDateTime=0x1f631800, ftLastWriteTime.dwHighDateTime=0x1d822e6, nFileSizeHigh=0x0, nFileSizeLow=0x94ac)) returned 1 [0278.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ebc0 | out: pbBuffer=0x1280ebc0) returned 1 [0278.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b2c0 | out: pbBuffer=0x12a9b2c0) returned 1 [0278.810] ReadFile (in: hFile=0x460, lpBuffer=0x12d30000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d30000*, lpNumberOfBytesRead=0x12855d1c*=0x94ac, lpOverlapped=0x0) returned 1 [0278.812] GetFileType (hFile=0x460) returned 0x1 [0278.812] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.812] WriteFile (in: hFile=0x460, lpBuffer=0x12e0e000*, nNumberOfBytesToWrite=0x94ac, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12e0e000*, lpNumberOfBytesWritten=0x12855d00*=0x94ac, lpOverlapped=0x12855d0c) returned 1 [0278.812] GetFileType (hFile=0x460) returned 0x1 [0278.812] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x94ac, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801e81 | out: pbBuffer=0x12801e81) returned 1 [0278.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801f81 | out: pbBuffer=0x12801f81) returned 1 [0278.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc081 | out: pbBuffer=0x12afc081) returned 1 [0278.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b378 | out: pbBuffer=0x12a9b378) returned 1 [0278.813] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TBp4.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tbp4.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.814] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.814] WriteFile (in: hFile=0x42c, lpBuffer=0x128e4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x128e4500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.814] CloseHandle (hObject=0x42c) returned 1 [0278.819] CloseHandle (hObject=0x460) returned 1 [0278.824] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b390 | out: pbBuffer=0x12a9b390) returned 1 [0278.824] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TBp4.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tbp4.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[18BC625C212C21BF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[18bc625c212c21bf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.931] SetEvent (hEvent=0x110) returned 1 [0278.931] SetEvent (hEvent=0x3f8) returned 1 [0278.931] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\YJa5crqa6E.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yja5crqa6e.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0278.933] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.933] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\YJa5crqa6E.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yja5crqa6e.wav"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e12f570, ftCreationTime.dwHighDateTime=0x1d81f84, ftLastAccessTime.dwLowDateTime=0xbb26ae80, ftLastAccessTime.dwHighDateTime=0x1d827e8, ftLastWriteTime.dwLowDateTime=0xbb26ae80, ftLastWriteTime.dwHighDateTime=0x1d827e8, nFileSizeHigh=0x0, nFileSizeLow=0x15308)) returned 1 [0278.933] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e720 | out: pbBuffer=0x1280e720) returned 1 [0278.933] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34278 | out: pbBuffer=0x12c34278) returned 1 [0278.933] ReadFile (in: hFile=0x44c, lpBuffer=0x12aba000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aba000*, lpNumberOfBytesRead=0x12855d1c*=0x15308, lpOverlapped=0x0) returned 1 [0278.935] GetFileType (hFile=0x44c) returned 0x1 [0278.935] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.935] WriteFile (in: hFile=0x44c, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x15308, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x12855d00*=0x15308, lpOverlapped=0x12855d0c) returned 1 [0278.936] GetFileType (hFile=0x44c) returned 0x1 [0278.936] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15308, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc01 | out: pbBuffer=0x12afcc01) returned 1 [0278.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd01 | out: pbBuffer=0x12afcd01) returned 1 [0278.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0278.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34330 | out: pbBuffer=0x12c34330) returned 1 [0278.937] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\YJa5crqa6E.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yja5crqa6e.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.937] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0278.937] WriteFile (in: hFile=0x42c, lpBuffer=0x128e4f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x128e4f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.937] CloseHandle (hObject=0x42c) returned 1 [0278.944] CloseHandle (hObject=0x44c) returned 1 [0279.040] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34348 | out: pbBuffer=0x12c34348) returned 1 [0279.040] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\YJa5crqa6E.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yja5crqa6e.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[105AC2406D93B775]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[105ac2406d93b775]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0279.208] SetEvent (hEvent=0x3f8) returned 1 [0279.208] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0279.208] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe\\*", lpFindFileData=0x12855a44 | out: lpFindFileData=0x12855a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0279.209] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a)) returned 1 [0279.209] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\e30J.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e30j.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2bc5b20, ftCreationTime.dwHighDateTime=0x1d821b9, ftLastAccessTime.dwLowDateTime=0xfa0b5f80, ftLastAccessTime.dwHighDateTime=0x1d8273c, ftLastWriteTime.dwLowDateTime=0xfa0b5f80, ftLastWriteTime.dwHighDateTime=0x1d8273c, nFileSizeHigh=0x0, nFileSizeLow=0x5a97)) returned 1 [0279.209] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0279.210] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0279.211] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a)) returned 1 [0279.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f180 | out: pbBuffer=0x1280f180) returned 1 [0279.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34df0 | out: pbBuffer=0x12c34df0) returned 1 [0279.211] ReadFile (in: hFile=0x44c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12855d1c*=0x11a, lpOverlapped=0x0) returned 1 [0279.212] GetFileType (hFile=0x44c) returned 0x1 [0279.212] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0279.213] WriteFile (in: hFile=0x44c, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12855d00*=0x11a, lpOverlapped=0x12855d0c) returned 1 [0279.213] GetFileType (hFile=0x44c) returned 0x1 [0279.213] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x11a, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0279.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afda01 | out: pbBuffer=0x12afda01) returned 1 [0279.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afdb01 | out: pbBuffer=0x12afdb01) returned 1 [0279.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afdc01 | out: pbBuffer=0x12afdc01) returned 1 [0279.214] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34ea8 | out: pbBuffer=0x12c34ea8) returned 1 [0279.214] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0279.214] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0279.214] WriteFile (in: hFile=0x42c, lpBuffer=0x12b0c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b0c500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0279.222] CloseHandle (hObject=0x42c) returned 1 [0279.226] CloseHandle (hObject=0x44c) returned 1 [0279.373] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ec0 | out: pbBuffer=0x12c34ec0) returned 1 [0279.374] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[3739F3C584CB7018]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[3739f3c584cb7018]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0280.314] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\k M94JU5AVmadGtlfkKp.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\k m94ju5avmadgtlfkkp.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0280.321] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0280.321] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\k M94JU5AVmadGtlfkKp.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\k m94ju5avmadgtlfkkp.csv"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed78bd00, ftCreationTime.dwHighDateTime=0x1d82348, ftLastAccessTime.dwLowDateTime=0xf4b4b9c0, ftLastAccessTime.dwHighDateTime=0x1d82802, ftLastWriteTime.dwLowDateTime=0xf4b4b9c0, ftLastWriteTime.dwHighDateTime=0x1d82802, nFileSizeHigh=0x0, nFileSizeLow=0x1211d)) returned 1 [0280.321] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f580 | out: pbBuffer=0x1280f580) returned 1 [0280.321] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34fb8 | out: pbBuffer=0x12c34fb8) returned 1 [0280.322] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12855d1c*=0x1211d, lpOverlapped=0x0) returned 1 [0280.324] GetFileType (hFile=0x44c) returned 0x1 [0280.324] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.324] WriteFile (in: hFile=0x44c, lpBuffer=0x12a24000*, nNumberOfBytesToWrite=0x1211d, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a24000*, lpNumberOfBytesWritten=0x12855d00*=0x1211d, lpOverlapped=0x12855d0c) returned 1 [0280.325] GetFileType (hFile=0x44c) returned 0x1 [0280.325] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1211d, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.325] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800501 | out: pbBuffer=0x12800501) returned 1 [0280.326] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0280.326] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0280.326] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c35070 | out: pbBuffer=0x12c35070) returned 1 [0280.326] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\k M94JU5AVmadGtlfkKp.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\k m94ju5avmadgtlfkkp.csv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0280.326] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0280.326] WriteFile (in: hFile=0x1a4, lpBuffer=0x12b0ca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b0ca00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0280.327] CloseHandle (hObject=0x1a4) returned 1 [0280.327] CloseHandle (hObject=0x44c) returned 1 [0280.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35088 | out: pbBuffer=0x12c35088) returned 1 [0280.327] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\k M94JU5AVmadGtlfkKp.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\k m94ju5avmadgtlfkkp.csv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[C0E3AD138F146320]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[c0e3ad138f146320]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0280.334] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\lhTqiGWmPjxkjNAmr.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\lhtqigwmpjxkjnamr.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91e9a410, ftCreationTime.dwHighDateTime=0x1d82300, ftLastAccessTime.dwLowDateTime=0xc9ef44a0, ftLastAccessTime.dwHighDateTime=0x1d8293b, ftLastWriteTime.dwLowDateTime=0xc9ef44a0, ftLastWriteTime.dwHighDateTime=0x1d8293b, nFileSizeHigh=0x0, nFileSizeLow=0xeab2)) returned 1 [0280.334] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\n1ENg_qPm.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\n1eng_qpm.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799a7730, ftCreationTime.dwHighDateTime=0x1d81f5f, ftLastAccessTime.dwLowDateTime=0xe0c6bcb0, ftLastAccessTime.dwHighDateTime=0x1d82528, ftLastWriteTime.dwLowDateTime=0xe0c6bcb0, ftLastWriteTime.dwHighDateTime=0x1d82528, nFileSizeHigh=0x0, nFileSizeLow=0x7b8b)) returned 1 [0280.334] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\lhTqiGWmPjxkjNAmr.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\lhtqigwmpjxkjnamr.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0280.335] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0280.335] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\lhTqiGWmPjxkjNAmr.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\lhtqigwmpjxkjnamr.docx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91e9a410, ftCreationTime.dwHighDateTime=0x1d82300, ftLastAccessTime.dwLowDateTime=0xc9ef44a0, ftLastAccessTime.dwHighDateTime=0x1d8293b, ftLastWriteTime.dwLowDateTime=0xc9ef44a0, ftLastWriteTime.dwHighDateTime=0x1d8293b, nFileSizeHigh=0x0, nFileSizeLow=0xeab2)) returned 1 [0280.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280fd80 | out: pbBuffer=0x1280fd80) returned 1 [0280.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35900 | out: pbBuffer=0x12c35900) returned 1 [0280.336] ReadFile (in: hFile=0x44c, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12855d1c*=0xeab2, lpOverlapped=0x0) returned 1 [0280.338] GetFileType (hFile=0x44c) returned 0x1 [0280.338] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.338] WriteFile (in: hFile=0x44c, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0xeab2, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x12855d00*=0xeab2, lpOverlapped=0x12855d0c) returned 1 [0280.338] GetFileType (hFile=0x44c) returned 0x1 [0280.339] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xeab2, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0280.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0280.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0280.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c359b8 | out: pbBuffer=0x12c359b8) returned 1 [0280.339] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\lhTqiGWmPjxkjNAmr.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\lhtqigwmpjxkjnamr.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0280.340] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0280.340] WriteFile (in: hFile=0x1a4, lpBuffer=0x12b0cf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b0cf00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0280.340] CloseHandle (hObject=0x1a4) returned 1 [0280.340] CloseHandle (hObject=0x44c) returned 1 [0280.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c359d0 | out: pbBuffer=0x12c359d0) returned 1 [0280.340] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\lhTqiGWmPjxkjNAmr.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\lhtqigwmpjxkjnamr.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[621381154BDAB692]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[621381154bdab692]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0280.343] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\n1ENg_qPm.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\n1eng_qpm.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0280.344] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0280.344] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\n1ENg_qPm.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\n1eng_qpm.swf"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799a7730, ftCreationTime.dwHighDateTime=0x1d81f5f, ftLastAccessTime.dwLowDateTime=0xe0c6bcb0, ftLastAccessTime.dwHighDateTime=0x1d82528, ftLastWriteTime.dwLowDateTime=0xe0c6bcb0, ftLastWriteTime.dwHighDateTime=0x1d82528, nFileSizeHigh=0x0, nFileSizeLow=0x7b8b)) returned 1 [0280.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ffa0 | out: pbBuffer=0x1280ffa0) returned 1 [0280.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35a18 | out: pbBuffer=0x12c35a18) returned 1 [0280.345] ReadFile (in: hFile=0x44c, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12855d1c*=0x7b8b, lpOverlapped=0x0) returned 1 [0280.347] GetFileType (hFile=0x44c) returned 0x1 [0280.347] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.347] WriteFile (in: hFile=0x44c, lpBuffer=0x12adc000*, nNumberOfBytesToWrite=0x7b8b, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12adc000*, lpNumberOfBytesWritten=0x12855d00*=0x7b8b, lpOverlapped=0x12855d0c) returned 1 [0280.347] GetFileType (hFile=0x44c) returned 0x1 [0280.347] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x7b8b, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0280.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0280.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0280.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c35ad0 | out: pbBuffer=0x12c35ad0) returned 1 [0280.348] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\n1ENg_qPm.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\n1eng_qpm.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0280.349] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0280.349] WriteFile (in: hFile=0x1a4, lpBuffer=0x12b0d400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b0d400*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0280.349] CloseHandle (hObject=0x1a4) returned 1 [0280.349] CloseHandle (hObject=0x44c) returned 1 [0280.349] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35ae8 | out: pbBuffer=0x12c35ae8) returned 1 [0280.349] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\n1ENg_qPm.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\n1eng_qpm.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[CAC292EE31FBDAA2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[cac292ee31fbdaa2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0280.351] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ra GcpUdr.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ra gcpudr.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaa45410, ftCreationTime.dwHighDateTime=0x1d8294c, ftLastAccessTime.dwLowDateTime=0x152edf00, ftLastAccessTime.dwHighDateTime=0x1d82952, ftLastWriteTime.dwLowDateTime=0x152edf00, ftLastWriteTime.dwHighDateTime=0x1d82952, nFileSizeHigh=0x0, nFileSizeLow=0xabec)) returned 1 [0280.351] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sLFOy4ycVM9cI.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\slfoy4ycvm9ci.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9fc2f40, ftCreationTime.dwHighDateTime=0x1d8284b, ftLastAccessTime.dwLowDateTime=0xab90c70, ftLastAccessTime.dwHighDateTime=0x1d82958, ftLastWriteTime.dwLowDateTime=0xab90c70, ftLastWriteTime.dwHighDateTime=0x1d82958, nFileSizeHigh=0x0, nFileSizeLow=0x15499)) returned 1 [0280.351] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ra GcpUdr.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ra gcpudr.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0280.352] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0280.352] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ra GcpUdr.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ra gcpudr.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaa45410, ftCreationTime.dwHighDateTime=0x1d8294c, ftLastAccessTime.dwLowDateTime=0x152edf00, ftLastAccessTime.dwHighDateTime=0x1d82952, ftLastWriteTime.dwLowDateTime=0x152edf00, ftLastWriteTime.dwHighDateTime=0x1d82952, nFileSizeHigh=0x0, nFileSizeLow=0xabec)) returned 1 [0280.394] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0280.449] SetEvent (hEvent=0x104) returned 1 [0280.449] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844f40 | out: pbBuffer=0x12844f40) returned 1 [0280.449] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0280.722] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914650 | out: pbBuffer=0x12914650) returned 1 [0280.722] ReadFile (in: hFile=0x44c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12855d1c*=0xabec, lpOverlapped=0x0) returned 1 [0280.724] GetFileType (hFile=0x44c) returned 0x1 [0280.724] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.724] WriteFile (in: hFile=0x44c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0xabec, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12855d00*=0xabec, lpOverlapped=0x12855d0c) returned 1 [0280.724] GetFileType (hFile=0x44c) returned 0x1 [0280.724] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xabec, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0280.725] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0280.725] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0280.725] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914708 | out: pbBuffer=0x12914708) returned 1 [0280.725] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ra GcpUdr.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ra gcpudr.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0280.725] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0280.725] WriteFile (in: hFile=0x1a4, lpBuffer=0x128e4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x128e4000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0280.725] CloseHandle (hObject=0x1a4) returned 1 [0282.037] CloseHandle (hObject=0x44c) returned 1 [0282.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914720 | out: pbBuffer=0x12914720) returned 1 [0282.666] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ra GcpUdr.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ra gcpudr.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[D631886F0A78E5BA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[d631886f0a78e5ba]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0283.665] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0283.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\-iNHujDwVSFtWaHT.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-inhujdwvsftwaht.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0283.753] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0283.753] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\-iNHujDwVSFtWaHT.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-inhujdwvsftwaht.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d8a5680, ftCreationTime.dwHighDateTime=0x1d7dc37, ftLastAccessTime.dwLowDateTime=0x4bf540, ftLastAccessTime.dwHighDateTime=0x1d801c6, ftLastWriteTime.dwLowDateTime=0x4bf540, ftLastWriteTime.dwHighDateTime=0x1d801c6, nFileSizeHigh=0x0, nFileSizeLow=0xa472)) returned 1 [0283.753] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929340 | out: pbBuffer=0x12929340) returned 1 [0283.753] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848c00 | out: pbBuffer=0x12848c00) returned 1 [0283.766] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0283.767] SetEvent (hEvent=0x1b8) returned 1 [0283.781] ReadFile (in: hFile=0x45c, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12855d1c*=0xa472, lpOverlapped=0x0) returned 1 [0283.783] GetFileType (hFile=0x45c) returned 0x1 [0283.783] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0283.784] WriteFile (in: hFile=0x45c, lpBuffer=0x129d6000*, nNumberOfBytesToWrite=0xa472, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x129d6000*, lpNumberOfBytesWritten=0x12855d00*=0xa472, lpOverlapped=0x12855d0c) returned 1 [0283.784] GetFileType (hFile=0x45c) returned 0x1 [0283.784] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xa472, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0283.784] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0283.784] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0283.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0283.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848cb8 | out: pbBuffer=0x12848cb8) returned 1 [0283.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\-iNHujDwVSFtWaHT.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-inhujdwvsftwaht.pptx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0283.797] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0283.797] WriteFile (in: hFile=0x460, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0283.797] CloseHandle (hObject=0x460) returned 1 [0283.797] CloseHandle (hObject=0x45c) returned 1 [0283.797] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848cd0 | out: pbBuffer=0x12848cd0) returned 1 [0283.797] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\-iNHujDwVSFtWaHT.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-inhujdwvsftwaht.pptx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[8E3631035FC6BC5C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[8e3631035fc6bc5c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0283.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1m3AdHRfakiQWrz520K.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1m3adhrfakiqwrz520k.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e0facc0, ftCreationTime.dwHighDateTime=0x1d82769, ftLastAccessTime.dwLowDateTime=0x9e1e2af0, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0x9e1e2af0, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0xb1b5)) returned 1 [0283.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\3KlVispw4PwdDalH1e5.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3klvispw4pwddalh1e5.ots"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e11e8e0, ftCreationTime.dwHighDateTime=0x1d81b30, ftLastAccessTime.dwLowDateTime=0xd6132b90, ftLastAccessTime.dwHighDateTime=0x1d827a4, ftLastWriteTime.dwLowDateTime=0xd6132b90, ftLastWriteTime.dwHighDateTime=0x1d827a4, nFileSizeHigh=0x0, nFileSizeLow=0x16318)) returned 1 [0283.801] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1m3AdHRfakiQWrz520K.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1m3adhrfakiqwrz520k.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0283.802] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0283.802] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1m3AdHRfakiQWrz520K.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1m3adhrfakiqwrz520k.docx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e0facc0, ftCreationTime.dwHighDateTime=0x1d82769, ftLastAccessTime.dwLowDateTime=0x9e1e2af0, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0x9e1e2af0, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0xb1b5)) returned 1 [0283.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6100 | out: pbBuffer=0x12ac6100) returned 1 [0283.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849280 | out: pbBuffer=0x12849280) returned 1 [0283.803] ReadFile (in: hFile=0x45c, lpBuffer=0x129e2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x129e2000*, lpNumberOfBytesRead=0x12855d1c*=0xb1b5, lpOverlapped=0x0) returned 1 [0283.804] GetFileType (hFile=0x45c) returned 0x1 [0283.804] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0283.805] WriteFile (in: hFile=0x45c, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0xb1b5, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12855d00*=0xb1b5, lpOverlapped=0x12855d0c) returned 1 [0283.805] GetFileType (hFile=0x45c) returned 0x1 [0283.805] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xb1b5, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0283.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0283.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0283.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0283.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849338 | out: pbBuffer=0x12849338) returned 1 [0283.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1m3AdHRfakiQWrz520K.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1m3adhrfakiqwrz520k.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0283.806] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0283.806] WriteFile (in: hFile=0x460, lpBuffer=0x12c2e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0283.807] CloseHandle (hObject=0x460) returned 1 [0283.807] CloseHandle (hObject=0x45c) returned 1 [0283.807] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849350 | out: pbBuffer=0x12849350) returned 1 [0283.807] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1m3AdHRfakiQWrz520K.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1m3adhrfakiqwrz520k.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[3EE4C9F114AB7188]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[3ee4c9f114ab7188]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0283.809] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\3KlVispw4PwdDalH1e5.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3klvispw4pwddalh1e5.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0283.810] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0283.810] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\3KlVispw4PwdDalH1e5.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3klvispw4pwddalh1e5.ots"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e11e8e0, ftCreationTime.dwHighDateTime=0x1d81b30, ftLastAccessTime.dwLowDateTime=0xd6132b90, ftLastAccessTime.dwHighDateTime=0x1d827a4, ftLastWriteTime.dwLowDateTime=0xd6132b90, ftLastWriteTime.dwHighDateTime=0x1d827a4, nFileSizeHigh=0x0, nFileSizeLow=0x16318)) returned 1 [0283.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6320 | out: pbBuffer=0x12ac6320) returned 1 [0283.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849398 | out: pbBuffer=0x12849398) returned 1 [0283.810] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\7b-tUwDy4MhvYA.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\7b-tuwdy4mhvya.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40ec680, ftCreationTime.dwHighDateTime=0x1d8119f, ftLastAccessTime.dwLowDateTime=0x478a4e70, ftLastAccessTime.dwHighDateTime=0x1d81ff3, ftLastWriteTime.dwLowDateTime=0x478a4e70, ftLastWriteTime.dwHighDateTime=0x1d81ff3, nFileSizeHigh=0x0, nFileSizeLow=0x17c82)) returned 1 [0283.811] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0283.960] SwitchToThread () returned 1 [0283.988] SetEvent (hEvent=0x1b8) returned 1 [0283.988] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0284.049] SetEvent (hEvent=0x1b8) returned 1 [0284.049] SetEvent (hEvent=0x104) returned 1 [0284.049] GetFileType (hFile=0x460) returned 0x1 [0284.049] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0284.049] WriteFile (in: hFile=0x460, lpBuffer=0x12da4000*, nNumberOfBytesToWrite=0x17c82, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12da4000*, lpNumberOfBytesWritten=0x12851d00*=0x17c82, lpOverlapped=0x12851d0c) returned 1 [0284.050] GetFileType (hFile=0x460) returned 0x1 [0284.050] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x17c82, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0284.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0284.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0284.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0284.054] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129141f0 | out: pbBuffer=0x129141f0) returned 1 [0284.054] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\7b-tUwDy4MhvYA.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\7b-tuwdy4mhvya.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0284.054] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0284.054] WriteFile (in: hFile=0x1a4, lpBuffer=0x12c2ea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2ea00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0284.054] CloseHandle (hObject=0x1a4) returned 1 [0284.055] CloseHandle (hObject=0x460) returned 1 [0284.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914228 | out: pbBuffer=0x12914228) returned 1 [0284.055] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\7b-tUwDy4MhvYA.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\7b-tuwdy4mhvya.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[56ECB4F35431041E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[56ecb4f35431041e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0284.057] SetEvent (hEvent=0x19c) returned 1 [0284.057] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0284.396] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0284.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0284.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0284.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0284.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a090 | out: pbBuffer=0x12a9a090) returned 1 [0284.623] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\3KlVispw4PwdDalH1e5.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3klvispw4pwddalh1e5.ots"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0284.623] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0284.623] WriteFile (in: hFile=0x42c, lpBuffer=0x12926000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12926000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0284.624] CloseHandle (hObject=0x42c) returned 1 [0284.624] CloseHandle (hObject=0x45c) returned 1 [0284.624] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0a8 | out: pbBuffer=0x12a9a0a8) returned 1 [0284.624] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\3KlVispw4PwdDalH1e5.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3klvispw4pwddalh1e5.ots"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[D3B4A4427ACD119D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[d3b4a4427acd119d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0284.626] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0289.325] SetEvent (hEvent=0x104) returned 1 [0289.325] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0289.730] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0289.779] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0290.036] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffacc, ulCount=0x10, ulNumEntriesRemoved=0x334ffab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffacc, ulNumEntriesRemoved=0x334ffab0) returned 0 [0290.036] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffacc, ulCount=0x10, ulNumEntriesRemoved=0x334ffab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x334ffacc, ulNumEntriesRemoved=0x334ffab0) returned 1 [0290.402] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x12c2e014, lpcbTransfer=0x334ffaac, fWait=0, lpdwFlags=0x334ffabc | out: lpcbTransfer=0x334ffaac, lpdwFlags=0x334ffabc) returned 1 [0290.569] WSARecv (in: s=0x1a4, lpBuffers=0x12c2e040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x12c2e034, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014, lpCompletionRoutine=0x0 | out: lpBuffers=0x12c2e040*=((len=0x1709, buf=0x12afe19a*)), lpNumberOfBytesRecvd=0x12c2e034*=0x13d3, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014) returned 0 [0290.938] CertCreateCertificateContext (dwCertEncodingType=0x10001, pbCertEncoded=0x1292350a, cbCertEncoded=0x6c2) returned 0xbc6898 [0290.939] CertOpenStore (lpszStoreProvider=0x2, dwEncodingType=0x0, hCryptProv=0x0, dwFlags=0x4, pvPara=0x0) returned 0x3366ec08 [0290.939] CertAddCertificateContextToStore (in: hCertStore=0x3366ec08, pCertContext=0xbc6898, dwAddDisposition=0x4, ppStoreContext=0x12b71a08 | out: ppStoreContext=0x12b71a08) returned 1 [0290.939] CertCreateCertificateContext (dwCertEncodingType=0x10001, pbCertEncoded=0x12923bcf, cbCertEncoded=0x4d4) returned 0xbc6b18 [0290.939] CertAddCertificateContextToStore (in: hCertStore=0x3366ec08, pCertContext=0xbc6b18, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0290.939] CertFreeCertificateContext (pCertContext=0xbc6b18) returned 1 [0290.940] CertCreateCertificateContext (dwCertEncodingType=0x10001, pbCertEncoded=0x129240a6, cbCertEncoded=0x481) returned 0xbc6b18 [0290.940] CertAddCertificateContextToStore (in: hCertStore=0x3366ec08, pCertContext=0xbc6b18, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0290.940] CertFreeCertificateContext (pCertContext=0xbc6b18) returned 1 [0290.940] CertCreateCertificateContext (dwCertEncodingType=0x10001, pbCertEncoded=0x1292452a, cbCertEncoded=0x404) returned 0xbc6e88 [0290.940] CertAddCertificateContextToStore (in: hCertStore=0x3366ec08, pCertContext=0xbc6e88, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0290.940] CertFreeCertificateContext (pCertContext=0xbc6e88) returned 1 [0290.940] CertCloseStore (hCertStore=0x3366ec08, dwFlags=0x0) returned 1 [0290.940] CertFreeCertificateContext (pCertContext=0xbc6898) returned 1 [0290.959] CertGetCertificateChain (in: hChainEngine=0x0, pCertContext=0xbc6ac8, pTime=0x12b71a54, hAdditionalStore=0x3366ec08, pChainPara=0x12b71ab4, dwFlags=0x0, pvReserved=0x0, ppChainContext=0x12b71a60 | out: ppChainContext=0x12b71a60) returned 1 [0291.239] CertVerifyCertificateChainPolicy (in: pszPolicyOID=0x4, pChainContext=0xbe6d30, pPolicyPara=0x12b719c0, pPolicyStatus=0x12b71a08 | out: pPolicyStatus=0x12b71a08) returned 1 [0291.240] CertFreeCertificateChain (pChainContext=0xbe6d30) [0291.240] CertFreeCertificateContext (pCertContext=0xbc6ac8) returned 1 [0291.295] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a40240 | out: pbBuffer=0x12a40240) returned 1 [0291.527] SetEvent (hEvent=0x3f8) returned 1 [0291.527] SetEvent (hEvent=0xfc) returned 1 [0291.527] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0291.580] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0291.580] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0291.623] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0291.623] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0291.673] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0291.673] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0291.739] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0291.739] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0291.740] SetEvent (hEvent=0x110) returned 1 [0291.740] SetEvent (hEvent=0x1b8) returned 1 [0291.740] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0291.818] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0291.818] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\RnsshiYYS.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\rnsshiyys.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0291.819] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0291.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\RnsshiYYS.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\rnsshiyys.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c138e40, ftCreationTime.dwHighDateTime=0x1d82439, ftLastAccessTime.dwLowDateTime=0x9c949710, ftLastAccessTime.dwHighDateTime=0x1d828f2, ftLastWriteTime.dwLowDateTime=0x9c949710, ftLastWriteTime.dwHighDateTime=0x1d828f2, nFileSizeHigh=0x0, nFileSizeLow=0x17013)) returned 1 [0291.819] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0291.819] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0291.819] ReadFile (in: hFile=0x45c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12855d1c*=0x17013, lpOverlapped=0x0) returned 1 [0291.822] GetFileType (hFile=0x45c) returned 0x1 [0291.822] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0291.822] WriteFile (in: hFile=0x45c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x17013, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12855d00*=0x17013, lpOverlapped=0x12855d0c) returned 1 [0291.823] GetFileType (hFile=0x45c) returned 0x1 [0291.823] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x17013, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0291.823] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0291.823] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0291.824] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0291.824] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0291.824] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\RnsshiYYS.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\rnsshiyys.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0291.825] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0291.825] WriteFile (in: hFile=0x464, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0291.825] CloseHandle (hObject=0x464) returned 1 [0291.948] CloseHandle (hObject=0x45c) returned 1 [0292.029] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129141b0 | out: pbBuffer=0x129141b0) returned 1 [0292.029] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\RnsshiYYS.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\rnsshiyys.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\#_THIS_FILE_IS_ENCRYPTED_[79DF10A86854FE9A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\#_this_file_is_encrypted_[79df10a86854fe9a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0292.991] SetEvent (hEvent=0x1b8) returned 1 [0292.991] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VSK0g_Xxq B8pyfX.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vsk0g_xxq b8pyfx.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0292.993] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0292.993] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VSK0g_Xxq B8pyfX.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vsk0g_xxq b8pyfx.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ad03220, ftCreationTime.dwHighDateTime=0x1d81c1e, ftLastAccessTime.dwLowDateTime=0xdfa830b0, ftLastAccessTime.dwHighDateTime=0x1d8206f, ftLastWriteTime.dwLowDateTime=0xdfa830b0, ftLastWriteTime.dwHighDateTime=0x1d8206f, nFileSizeHigh=0x0, nFileSizeLow=0xef11)) returned 1 [0292.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282a0 | out: pbBuffer=0x129282a0) returned 1 [0292.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914228 | out: pbBuffer=0x12914228) returned 1 [0292.993] ReadFile (in: hFile=0x45c, lpBuffer=0x12bce000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bce000*, lpNumberOfBytesRead=0x12855d1c*=0xef11, lpOverlapped=0x0) returned 1 [0292.998] GetFileType (hFile=0x45c) returned 0x1 [0292.998] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0292.998] WriteFile (in: hFile=0x45c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0xef11, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12855d00*=0xef11, lpOverlapped=0x12855d0c) returned 1 [0292.999] GetFileType (hFile=0x45c) returned 0x1 [0292.999] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xef11, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0292.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0292.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0292.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0293.000] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129143f0 | out: pbBuffer=0x129143f0) returned 1 [0293.000] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VSK0g_Xxq B8pyfX.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vsk0g_xxq b8pyfx.pptx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.000] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.000] WriteFile (in: hFile=0x470, lpBuffer=0x12c1a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c1a000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.001] CloseHandle (hObject=0x470) returned 1 [0293.016] CloseHandle (hObject=0x45c) returned 1 [0293.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914408 | out: pbBuffer=0x12914408) returned 1 [0293.091] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VSK0g_Xxq B8pyfX.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vsk0g_xxq b8pyfx.pptx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\#_THIS_FILE_IS_ENCRYPTED_[1ABF5610657A71C3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\#_this_file_is_encrypted_[1abf5610657a71c3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.220] SetEvent (hEvent=0x19c) returned 1 [0293.220] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\BXHo2RbAttrCH2QVm.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\bxho2rbattrch2qvm.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.222] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.222] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\BXHo2RbAttrCH2QVm.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\bxho2rbattrch2qvm.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f3edc0, ftCreationTime.dwHighDateTime=0x1d822ce, ftLastAccessTime.dwLowDateTime=0x9a33b5d0, ftLastAccessTime.dwHighDateTime=0x1d82322, ftLastWriteTime.dwLowDateTime=0x9a33b5d0, ftLastWriteTime.dwHighDateTime=0x1d82322, nFileSizeHigh=0x0, nFileSizeLow=0x1641f)) returned 1 [0293.222] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128445a0 | out: pbBuffer=0x128445a0) returned 1 [0293.223] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483e8 | out: pbBuffer=0x128483e8) returned 1 [0293.223] ReadFile (in: hFile=0x468, lpBuffer=0x129d0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d0000*, lpNumberOfBytesRead=0x12855d1c*=0x1641f, lpOverlapped=0x0) returned 1 [0293.226] GetFileType (hFile=0x468) returned 0x1 [0293.226] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.226] WriteFile (in: hFile=0x468, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x1641f, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12855d00*=0x1641f, lpOverlapped=0x12855d0c) returned 1 [0293.227] GetFileType (hFile=0x468) returned 0x1 [0293.227] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x1641f, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0293.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0293.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0293.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484b0 | out: pbBuffer=0x128484b0) returned 1 [0293.227] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\BXHo2RbAttrCH2QVm.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\bxho2rbattrch2qvm.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.228] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.228] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.228] CloseHandle (hObject=0x470) returned 1 [0293.235] CloseHandle (hObject=0x468) returned 1 [0293.248] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848508 | out: pbBuffer=0x12848508) returned 1 [0293.248] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\BXHo2RbAttrCH2QVm.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\bxho2rbattrch2qvm.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\#_THIS_FILE_IS_ENCRYPTED_[230CBCFC07D06515]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\#_this_file_is_encrypted_[230cbcfc07d06515]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.374] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0293.403] SetEvent (hEvent=0xfc) returned 1 [0293.448] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0293.459] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0293.465] SetEvent (hEvent=0xfc) returned 1 [0293.465] SetEvent (hEvent=0x454) returned 1 [0293.465] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\rO-xa.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ro-xa.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.468] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.468] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\rO-xa.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ro-xa.pps"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe778d310, ftCreationTime.dwHighDateTime=0x1d81e28, ftLastAccessTime.dwLowDateTime=0x3a6cfbb0, ftLastAccessTime.dwHighDateTime=0x1d82611, ftLastWriteTime.dwLowDateTime=0x3a6cfbb0, ftLastWriteTime.dwHighDateTime=0x1d82611, nFileSizeHigh=0x0, nFileSizeLow=0x4e78)) returned 1 [0293.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0293.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0293.469] ReadFile (in: hFile=0x45c, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x12855d1c*=0x4e78, lpOverlapped=0x0) returned 1 [0293.470] GetFileType (hFile=0x45c) returned 0x1 [0293.470] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.470] WriteFile (in: hFile=0x45c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x4e78, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12855d00*=0x4e78, lpOverlapped=0x12855d0c) returned 1 [0293.471] GetFileType (hFile=0x45c) returned 0x1 [0293.471] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x4e78, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.471] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0293.471] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0293.471] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0293.471] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0293.471] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\rO-xa.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ro-xa.pps"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.472] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.472] WriteFile (in: hFile=0x464, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.472] CloseHandle (hObject=0x464) returned 1 [0293.472] CloseHandle (hObject=0x45c) returned 1 [0293.472] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810108 | out: pbBuffer=0x12810108) returned 1 [0293.473] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\rO-xa.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\ro-xa.pps"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\#_THIS_FILE_IS_ENCRYPTED_[293978BF60742E52]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\#_this_file_is_encrypted_[293978bf60742e52]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.475] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.476] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.476] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4372e947, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192)) returned 1 [0293.476] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6240 | out: pbBuffer=0x12ac6240) returned 1 [0293.477] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0293.477] ReadFile (in: hFile=0x45c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12855d1c*=0x192, lpOverlapped=0x0) returned 1 [0293.478] GetFileType (hFile=0x45c) returned 0x1 [0293.478] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.478] WriteFile (in: hFile=0x45c, lpBuffer=0x1288cb60*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x1288cb60*, lpNumberOfBytesWritten=0x12855d00*=0x192, lpOverlapped=0x12855d0c) returned 1 [0293.479] GetFileType (hFile=0x45c) returned 0x1 [0293.479] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x192, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.479] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0293.479] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0293.479] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0293.479] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810218 | out: pbBuffer=0x12810218) returned 1 [0293.480] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.480] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.480] WriteFile (in: hFile=0x464, lpBuffer=0x128ae500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.523] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0293.537] SetEvent (hEvent=0x454) returned 1 [0293.537] CloseHandle (hObject=0x464) returned 1 [0293.538] CloseHandle (hObject=0x45c) returned 1 [0293.538] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848550 | out: pbBuffer=0x12848550) returned 1 [0293.538] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[AD433738546A8BEA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[ad433738546a8bea]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.540] SwitchToThread () returned 1 [0293.577] SwitchToThread () returned 1 [0293.579] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0293.605] SetEvent (hEvent=0xfc) returned 1 [0293.605] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yV xDCB5D.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yv xdcb5d.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cc9cd70, ftCreationTime.dwHighDateTime=0x1d7e298, ftLastAccessTime.dwLowDateTime=0x49d4bef0, ftLastAccessTime.dwHighDateTime=0x1d8081e, ftLastWriteTime.dwLowDateTime=0x49d4bef0, ftLastWriteTime.dwHighDateTime=0x1d8081e, nFileSizeHigh=0x0, nFileSizeLow=0x956)) returned 1 [0293.605] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yWM-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ywm-.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x757659f0, ftCreationTime.dwHighDateTime=0x1d7f523, ftLastAccessTime.dwLowDateTime=0x4b847e0, ftLastAccessTime.dwHighDateTime=0x1d7faa6, ftLastWriteTime.dwLowDateTime=0x4b847e0, ftLastWriteTime.dwHighDateTime=0x1d7faa6, nFileSizeHigh=0x0, nFileSizeLow=0x205f)) returned 1 [0293.605] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zfK8pBoO-F9HXS4.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfk8pboo-f9hxs4.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63829830, ftCreationTime.dwHighDateTime=0x1d7f618, ftLastAccessTime.dwLowDateTime=0x62c620e0, ftLastAccessTime.dwHighDateTime=0x1d808ee, ftLastWriteTime.dwLowDateTime=0x62c620e0, ftLastWriteTime.dwHighDateTime=0x1d808ee, nFileSizeHigh=0x0, nFileSizeLow=0x6e92)) returned 1 [0293.605] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yWM-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ywm-.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.607] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yWM-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ywm-.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x757659f0, ftCreationTime.dwHighDateTime=0x1d7f523, ftLastAccessTime.dwLowDateTime=0x4b847e0, ftLastAccessTime.dwHighDateTime=0x1d7faa6, ftLastWriteTime.dwLowDateTime=0x4b847e0, ftLastWriteTime.dwHighDateTime=0x1d7faa6, nFileSizeHigh=0x0, nFileSizeLow=0x205f)) returned 1 [0293.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928680 | out: pbBuffer=0x12928680) returned 1 [0293.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810d70 | out: pbBuffer=0x12810d70) returned 1 [0293.607] ReadFile (in: hFile=0x464, lpBuffer=0x129bc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x129bc000*, lpNumberOfBytesRead=0x12855d1c*=0x205f, lpOverlapped=0x0) returned 1 [0293.609] GetFileType (hFile=0x464) returned 0x1 [0293.609] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.609] WriteFile (in: hFile=0x464, lpBuffer=0x12c16000*, nNumberOfBytesToWrite=0x205f, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12c16000*, lpNumberOfBytesWritten=0x12855d00*=0x205f, lpOverlapped=0x12855d0c) returned 1 [0293.609] GetFileType (hFile=0x464) returned 0x1 [0293.609] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x205f, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.609] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0293.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0293.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0293.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810e28 | out: pbBuffer=0x12810e28) returned 1 [0293.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yWM-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ywm-.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.610] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.610] WriteFile (in: hFile=0x44c, lpBuffer=0x12a76000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.611] CloseHandle (hObject=0x44c) returned 1 [0293.618] CloseHandle (hObject=0x464) returned 1 [0293.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810e40 | out: pbBuffer=0x12810e40) returned 1 [0293.620] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yWM-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ywm-.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[C9D91A8772A905CB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[c9d91a8772a905cb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.697] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0293.965] SetEvent (hEvent=0x454) returned 1 [0293.965] SetEvent (hEvent=0x420) returned 1 [0293.965] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0293.972] SetEvent (hEvent=0x454) returned 1 [0293.972] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0293.977] SetEvent (hEvent=0x454) returned 1 [0293.977] SetEvent (hEvent=0x420) returned 1 [0293.977] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\local settings"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0293.978] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\local settings"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x44c [0293.978] GetFileInformationByHandle (in: hFile=0x44c, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0293.978] GetFileInformationByHandleEx (in: hFile=0x44c, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0293.978] CloseHandle (hObject=0x44c) returned 1 [0293.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music" (normalized: "c:\\users\\rdhj0cnfevzx\\music"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf525123f, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf525123f, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0293.978] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music" (normalized: "c:\\users\\rdhj0cnfevzx\\music"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0293.979] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf525123f, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf525123f, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefb38 [0293.979] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf525123f, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf525123f, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0293.979] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0293.979] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe18ebbd0, ftCreationTime.dwHighDateTime=0x1d81e7e, ftLastAccessTime.dwLowDateTime=0x304caf0, ftLastAccessTime.dwHighDateTime=0x1d82147, ftLastWriteTime.dwLowDateTime=0x304caf0, ftLastWriteTime.dwHighDateTime=0x1d82147, nFileSizeHigh=0x0, nFileSizeLow=0x16a6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ePgspsq.mp3", cAlternateFileName="")) returned 1 [0293.979] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x898c5210, ftCreationTime.dwHighDateTime=0x1d822d6, ftLastAccessTime.dwLowDateTime=0x387be70, ftLastAccessTime.dwHighDateTime=0x1d82759, ftLastWriteTime.dwLowDateTime=0x387be70, ftLastWriteTime.dwHighDateTime=0x1d82759, nFileSizeHigh=0x0, nFileSizeLow=0x460e, dwReserved0=0x0, dwReserved1=0x0, cFileName="gwNm.mp3", cAlternateFileName="")) returned 1 [0293.979] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef95a360, ftCreationTime.dwHighDateTime=0x1d820f4, ftLastAccessTime.dwLowDateTime=0xdcafae90, ftLastAccessTime.dwHighDateTime=0x1d825bc, ftLastWriteTime.dwLowDateTime=0xdcafae90, ftLastWriteTime.dwHighDateTime=0x1d825bc, nFileSizeHigh=0x0, nFileSizeLow=0x744f, dwReserved0=0x0, dwReserved1=0x0, cFileName="l7c1KEt1ofl0.wav", cAlternateFileName="L7C1KE~1.WAV")) returned 1 [0293.979] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7757f5b0, ftCreationTime.dwHighDateTime=0x1d81f69, ftLastAccessTime.dwLowDateTime=0xdf173090, ftLastAccessTime.dwHighDateTime=0x1d8252b, ftLastWriteTime.dwLowDateTime=0xdf173090, ftLastWriteTime.dwHighDateTime=0x1d8252b, nFileSizeHigh=0x0, nFileSizeLow=0x134d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="RYDrQDTRXvUSDGogJnR.m4a", cAlternateFileName="RYDRQD~1.M4A")) returned 1 [0293.979] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1de3c260, ftCreationTime.dwHighDateTime=0x1d819cf, ftLastAccessTime.dwLowDateTime=0xcb7f2be0, ftLastAccessTime.dwHighDateTime=0x1d81f55, ftLastWriteTime.dwLowDateTime=0xcb7f2be0, ftLastWriteTime.dwHighDateTime=0x1d81f55, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sHIg88ciyWN69", cAlternateFileName="SHIG88~1")) returned 1 [0293.979] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0293.979] FindClose (in: hFindFile=0xbefb38 | out: hFindFile=0xbefb38) returned 1 [0293.980] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0293.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0293.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.981] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0293.981] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0293.982] CloseHandle (hObject=0x44c) returned 1 [0293.982] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\RYDrQDTRXvUSDGogJnR.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rydrqdtrxvusdgogjnr.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7757f5b0, ftCreationTime.dwHighDateTime=0x1d81f69, ftLastAccessTime.dwLowDateTime=0xdf173090, ftLastAccessTime.dwHighDateTime=0x1d8252b, ftLastWriteTime.dwLowDateTime=0xdf173090, ftLastWriteTime.dwHighDateTime=0x1d8252b, nFileSizeHigh=0x0, nFileSizeLow=0x134d6)) returned 1 [0293.983] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\local settings"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0293.983] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*", lpFindFileData=0x12855a44 | out: lpFindFileData=0x12855a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0293.983] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\RYDrQDTRXvUSDGogJnR.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rydrqdtrxvusdgogjnr.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.984] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.984] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\RYDrQDTRXvUSDGogJnR.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rydrqdtrxvusdgogjnr.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7757f5b0, ftCreationTime.dwHighDateTime=0x1d81f69, ftLastAccessTime.dwLowDateTime=0xdf173090, ftLastAccessTime.dwHighDateTime=0x1d8252b, ftLastWriteTime.dwLowDateTime=0xdf173090, ftLastWriteTime.dwHighDateTime=0x1d8252b, nFileSizeHigh=0x0, nFileSizeLow=0x134d6)) returned 1 [0293.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844b60 | out: pbBuffer=0x12844b60) returned 1 [0293.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848eb8 | out: pbBuffer=0x12848eb8) returned 1 [0293.984] ReadFile (in: hFile=0x44c, lpBuffer=0x128ee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x128ee000*, lpNumberOfBytesRead=0x12855d1c*=0x134d6, lpOverlapped=0x0) returned 1 [0293.987] GetFileType (hFile=0x44c) returned 0x1 [0293.987] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.987] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x134d6, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12855d00*=0x134d6, lpOverlapped=0x12855d0c) returned 1 [0293.988] GetFileType (hFile=0x44c) returned 0x1 [0293.988] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x134d6, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.988] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0293.988] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0293.989] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0293.989] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849000 | out: pbBuffer=0x12849000) returned 1 [0293.989] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\RYDrQDTRXvUSDGogJnR.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rydrqdtrxvusdgogjnr.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.989] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.989] WriteFile (in: hFile=0x45c, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.989] CloseHandle (hObject=0x45c) returned 1 [0293.989] CloseHandle (hObject=0x44c) returned 1 [0293.990] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849018 | out: pbBuffer=0x12849018) returned 1 [0293.990] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\RYDrQDTRXvUSDGogJnR.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\rydrqdtrxvusdgogjnr.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\#_THIS_FILE_IS_ENCRYPTED_[CA7833D816D0C0CA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\#_this_file_is_encrypted_[ca7833d816d0c0ca]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.991] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8)) returned 1 [0293.992] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ePgspsq.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\epgspsq.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe18ebbd0, ftCreationTime.dwHighDateTime=0x1d81e7e, ftLastAccessTime.dwLowDateTime=0x304caf0, ftLastAccessTime.dwHighDateTime=0x1d82147, ftLastWriteTime.dwLowDateTime=0x304caf0, ftLastWriteTime.dwHighDateTime=0x1d82147, nFileSizeHigh=0x0, nFileSizeLow=0x16a6f)) returned 1 [0293.992] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.992] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.992] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8)) returned 1 [0293.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844d80 | out: pbBuffer=0x12844d80) returned 1 [0293.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849aa0 | out: pbBuffer=0x12849aa0) returned 1 [0293.993] ReadFile (in: hFile=0x44c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12855d1c*=0x1f8, lpOverlapped=0x0) returned 1 [0293.994] GetFileType (hFile=0x44c) returned 0x1 [0293.994] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.994] WriteFile (in: hFile=0x44c, lpBuffer=0x12a48600*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a48600*, lpNumberOfBytesWritten=0x12855d00*=0x1f8, lpOverlapped=0x12855d0c) returned 1 [0293.995] GetFileType (hFile=0x44c) returned 0x1 [0293.995] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1f8, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0293.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0293.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0293.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849b58 | out: pbBuffer=0x12849b58) returned 1 [0293.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.996] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.996] WriteFile (in: hFile=0x45c, lpBuffer=0x12dd1400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1400*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.011] CloseHandle (hObject=0x45c) returned 1 [0294.011] CloseHandle (hObject=0x44c) returned 1 [0294.011] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849b70 | out: pbBuffer=0x12849b70) returned 1 [0294.012] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\#_THIS_FILE_IS_ENCRYPTED_[27BE2EF8EF4F5FEA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\#_this_file_is_encrypted_[27be2ef8ef4f5fea]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.013] SetEvent (hEvent=0x420) returned 1 [0294.013] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ePgspsq.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\epgspsq.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.015] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0294.015] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ePgspsq.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\epgspsq.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe18ebbd0, ftCreationTime.dwHighDateTime=0x1d81e7e, ftLastAccessTime.dwLowDateTime=0x304caf0, ftLastAccessTime.dwHighDateTime=0x1d82147, ftLastWriteTime.dwLowDateTime=0x304caf0, ftLastWriteTime.dwHighDateTime=0x1d82147, nFileSizeHigh=0x0, nFileSizeLow=0x16a6f)) returned 1 [0294.015] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845160 | out: pbBuffer=0x12845160) returned 1 [0294.015] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849bb8 | out: pbBuffer=0x12849bb8) returned 1 [0294.015] ReadFile (in: hFile=0x44c, lpBuffer=0x129dc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x129dc000*, lpNumberOfBytesRead=0x12855d1c*=0x16a6f, lpOverlapped=0x0) returned 1 [0294.020] GetFileType (hFile=0x44c) returned 0x1 [0294.020] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.020] WriteFile (in: hFile=0x44c, lpBuffer=0x12dd8000*, nNumberOfBytesToWrite=0x16a6f, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12dd8000*, lpNumberOfBytesWritten=0x12855d00*=0x16a6f, lpOverlapped=0x12855d0c) returned 1 [0294.021] GetFileType (hFile=0x44c) returned 0x1 [0294.021] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x16a6f, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.021] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0294.021] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0294.021] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0294.022] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849c70 | out: pbBuffer=0x12849c70) returned 1 [0294.022] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ePgspsq.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\epgspsq.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0294.022] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0294.022] WriteFile (in: hFile=0x45c, lpBuffer=0x12dd1900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1900*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.022] CloseHandle (hObject=0x45c) returned 1 [0294.022] CloseHandle (hObject=0x44c) returned 1 [0294.022] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849c88 | out: pbBuffer=0x12849c88) returned 1 [0294.022] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ePgspsq.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\epgspsq.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\#_THIS_FILE_IS_ENCRYPTED_[E49742B36D8134C2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\#_this_file_is_encrypted_[e49742b36d8134c2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\gwNm.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\gwnm.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x898c5210, ftCreationTime.dwHighDateTime=0x1d822d6, ftLastAccessTime.dwLowDateTime=0x387be70, ftLastAccessTime.dwHighDateTime=0x1d82759, ftLastWriteTime.dwLowDateTime=0x387be70, ftLastWriteTime.dwHighDateTime=0x1d82759, nFileSizeHigh=0x0, nFileSizeLow=0x460e)) returned 1 [0294.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\l7c1KEt1ofl0.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\l7c1ket1ofl0.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef95a360, ftCreationTime.dwHighDateTime=0x1d820f4, ftLastAccessTime.dwLowDateTime=0xdcafae90, ftLastAccessTime.dwHighDateTime=0x1d825bc, ftLastWriteTime.dwLowDateTime=0xdcafae90, ftLastWriteTime.dwHighDateTime=0x1d825bc, nFileSizeHigh=0x0, nFileSizeLow=0x744f)) returned 1 [0294.024] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\gwNm.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\gwnm.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.060] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0294.060] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\gwNm.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\gwnm.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x898c5210, ftCreationTime.dwHighDateTime=0x1d822d6, ftLastAccessTime.dwLowDateTime=0x387be70, ftLastAccessTime.dwHighDateTime=0x1d82759, ftLastWriteTime.dwLowDateTime=0x387be70, ftLastWriteTime.dwHighDateTime=0x1d82759, nFileSizeHigh=0x0, nFileSizeLow=0x460e)) returned 1 [0294.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845440 | out: pbBuffer=0x12845440) returned 1 [0294.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8cf0 | out: pbBuffer=0x128e8cf0) returned 1 [0294.061] ReadFile (in: hFile=0x474, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x12855d1c*=0x460e, lpOverlapped=0x0) returned 1 [0294.062] GetFileType (hFile=0x474) returned 0x1 [0294.062] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.063] WriteFile (in: hFile=0x474, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x460e, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12855d00*=0x460e, lpOverlapped=0x12855d0c) returned 1 [0294.063] GetFileType (hFile=0x474) returned 0x1 [0294.063] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x460e, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.063] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835001 | out: pbBuffer=0x12835001) returned 1 [0294.063] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835101 | out: pbBuffer=0x12835101) returned 1 [0294.063] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0294.068] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0294.068] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0294.068] SetEvent (hEvent=0x110) returned 1 [0294.068] SetEvent (hEvent=0xfc) returned 1 [0294.069] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835201 | out: pbBuffer=0x12835201) returned 1 [0294.069] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8da8 | out: pbBuffer=0x128e8da8) returned 1 [0294.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\gwNm.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\gwnm.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0294.069] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0294.070] WriteFile (in: hFile=0x45c, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.070] CloseHandle (hObject=0x45c) returned 1 [0294.070] CloseHandle (hObject=0x474) returned 1 [0294.070] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8dc0 | out: pbBuffer=0x128e8dc0) returned 1 [0294.070] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\gwNm.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\gwnm.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\#_THIS_FILE_IS_ENCRYPTED_[61CE8DD4A80B8E7C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\#_this_file_is_encrypted_[61ce8dd4a80b8e7c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.072] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\87Y4wkljoS5G5e jTi.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\87y4wkljos5g5e jti.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.073] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0294.073] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\87Y4wkljoS5G5e jTi.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\87y4wkljos5g5e jti.wav"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5be94010, ftCreationTime.dwHighDateTime=0x1d819a9, ftLastAccessTime.dwLowDateTime=0x15024340, ftLastAccessTime.dwHighDateTime=0x1d828ae, ftLastWriteTime.dwLowDateTime=0x15024340, ftLastWriteTime.dwHighDateTime=0x1d828ae, nFileSizeHigh=0x0, nFileSizeLow=0x2b79)) returned 1 [0294.073] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845680 | out: pbBuffer=0x12845680) returned 1 [0294.073] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8e08 | out: pbBuffer=0x128e8e08) returned 1 [0294.073] ReadFile (in: hFile=0x474, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12855d1c*=0x2b79, lpOverlapped=0x0) returned 1 [0294.075] GetFileType (hFile=0x474) returned 0x1 [0294.075] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.075] WriteFile (in: hFile=0x474, lpBuffer=0x128a8000*, nNumberOfBytesToWrite=0x2b79, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x128a8000*, lpNumberOfBytesWritten=0x12855d00*=0x2b79, lpOverlapped=0x12855d0c) returned 1 [0294.075] GetFileType (hFile=0x474) returned 0x1 [0294.076] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x2b79, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835401 | out: pbBuffer=0x12835401) returned 1 [0294.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835501 | out: pbBuffer=0x12835501) returned 1 [0294.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835601 | out: pbBuffer=0x12835601) returned 1 [0294.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8ec0 | out: pbBuffer=0x128e8ec0) returned 1 [0294.076] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\87Y4wkljoS5G5e jTi.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\87y4wkljos5g5e jti.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0294.077] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0294.077] WriteFile (in: hFile=0x45c, lpBuffer=0x128ae500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.077] CloseHandle (hObject=0x45c) returned 1 [0294.077] CloseHandle (hObject=0x474) returned 1 [0294.077] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8ed8 | out: pbBuffer=0x128e8ed8) returned 1 [0294.077] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\87Y4wkljoS5G5e jTi.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\87y4wkljos5g5e jti.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\#_THIS_FILE_IS_ENCRYPTED_[F56216D955A2306C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\#_this_file_is_encrypted_[f56216d955a2306c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.080] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0294.083] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0294.083] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0294.131] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0294.139] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0294.139] SetEvent (hEvent=0x110) returned 1 [0294.139] SetEvent (hEvent=0xf4) returned 1 [0294.139] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0294.141] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b292860, ftCreationTime.dwHighDateTime=0x1d81e86, ftLastAccessTime.dwLowDateTime=0x7d6a6650, ftLastAccessTime.dwHighDateTime=0x1d82733, ftLastWriteTime.dwLowDateTime=0x7d6a6650, ftLastWriteTime.dwHighDateTime=0x1d82733, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.141] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.141] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b292860, ftCreationTime.dwHighDateTime=0x1d81e86, ftLastAccessTime.dwLowDateTime=0x7d6a6650, ftLastAccessTime.dwHighDateTime=0x1d82733, ftLastWriteTime.dwLowDateTime=0x7d6a6650, ftLastWriteTime.dwHighDateTime=0x1d82733, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0294.142] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b292860, ftCreationTime.dwHighDateTime=0x1d81e86, ftLastAccessTime.dwLowDateTime=0x7d6a6650, ftLastAccessTime.dwHighDateTime=0x1d82733, ftLastWriteTime.dwLowDateTime=0x7d6a6650, ftLastWriteTime.dwHighDateTime=0x1d82733, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.142] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa094a000, ftCreationTime.dwHighDateTime=0x1d822a6, ftLastAccessTime.dwLowDateTime=0x847877a0, ftLastAccessTime.dwHighDateTime=0x1d824ce, ftLastWriteTime.dwLowDateTime=0x847877a0, ftLastWriteTime.dwHighDateTime=0x1d824ce, nFileSizeHigh=0x0, nFileSizeLow=0xcba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8rDhX6jXWlt2.m4a", cAlternateFileName="8RDHX6~1.M4A")) returned 1 [0294.142] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78f58a10, ftCreationTime.dwHighDateTime=0x1d819cc, ftLastAccessTime.dwLowDateTime=0x452d1cf0, ftLastAccessTime.dwHighDateTime=0x1d82095, ftLastWriteTime.dwLowDateTime=0x452d1cf0, ftLastWriteTime.dwHighDateTime=0x1d82095, nFileSizeHigh=0x0, nFileSizeLow=0xa19e, dwReserved0=0x0, dwReserved1=0x0, cFileName="GAqLsn0Nsu6JaA.wav", cAlternateFileName="GAQLSN~1.WAV")) returned 1 [0294.142] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b193250, ftCreationTime.dwHighDateTime=0x1d81f89, ftLastAccessTime.dwLowDateTime=0x3fc75380, ftLastAccessTime.dwHighDateTime=0x1d82562, ftLastWriteTime.dwLowDateTime=0x3fc75380, ftLastWriteTime.dwHighDateTime=0x1d82562, nFileSizeHigh=0x0, nFileSizeLow=0xffa3, dwReserved0=0x0, dwReserved1=0x0, cFileName="kGKQHWwboj.mp3", cAlternateFileName="KGKQHW~1.MP3")) returned 1 [0294.142] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7593a70, ftCreationTime.dwHighDateTime=0x1d82439, ftLastAccessTime.dwLowDateTime=0xd77a6e80, ftLastAccessTime.dwHighDateTime=0x1d8292a, ftLastWriteTime.dwLowDateTime=0xd77a6e80, ftLastWriteTime.dwHighDateTime=0x1d8292a, nFileSizeHigh=0x0, nFileSizeLow=0x2f8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="V1Kjf7_qFmmvMrp_Ea.wav", cAlternateFileName="V1KJF7~1.WAV")) returned 1 [0294.142] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.142] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0294.142] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.144] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0294.144] WriteFile (in: hFile=0x468, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0294.145] CloseHandle (hObject=0x468) returned 1 [0294.146] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\8rDhX6jXWlt2.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\8rdhx6jxwlt2.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa094a000, ftCreationTime.dwHighDateTime=0x1d822a6, ftLastAccessTime.dwLowDateTime=0x847877a0, ftLastAccessTime.dwHighDateTime=0x1d824ce, ftLastWriteTime.dwLowDateTime=0x847877a0, ftLastWriteTime.dwHighDateTime=0x1d824ce, nFileSizeHigh=0x0, nFileSizeLow=0xcba0)) returned 1 [0294.146] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\GAqLsn0Nsu6JaA.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\gaqlsn0nsu6jaa.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78f58a10, ftCreationTime.dwHighDateTime=0x1d819cc, ftLastAccessTime.dwLowDateTime=0x452d1cf0, ftLastAccessTime.dwHighDateTime=0x1d82095, ftLastWriteTime.dwLowDateTime=0x452d1cf0, ftLastWriteTime.dwHighDateTime=0x1d82095, nFileSizeHigh=0x0, nFileSizeLow=0xa19e)) returned 1 [0294.146] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\V1Kjf7_qFmmvMrp_Ea.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\v1kjf7_qfmmvmrp_ea.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7593a70, ftCreationTime.dwHighDateTime=0x1d82439, ftLastAccessTime.dwLowDateTime=0xd77a6e80, ftLastAccessTime.dwHighDateTime=0x1d8292a, ftLastWriteTime.dwLowDateTime=0xd77a6e80, ftLastWriteTime.dwHighDateTime=0x1d8292a, nFileSizeHigh=0x0, nFileSizeLow=0x2f8c)) returned 1 [0294.146] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\kGKQHWwboj.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\kgkqhwwboj.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b193250, ftCreationTime.dwHighDateTime=0x1d81f89, ftLastAccessTime.dwLowDateTime=0x3fc75380, ftLastAccessTime.dwHighDateTime=0x1d82562, ftLastWriteTime.dwLowDateTime=0x3fc75380, ftLastWriteTime.dwHighDateTime=0x1d82562, nFileSizeHigh=0x0, nFileSizeLow=0xffa3)) returned 1 [0294.146] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\V1Kjf7_qFmmvMrp_Ea.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\v1kjf7_qfmmvmrp_ea.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.147] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.147] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\V1Kjf7_qFmmvMrp_Ea.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\v1kjf7_qfmmvmrp_ea.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7593a70, ftCreationTime.dwHighDateTime=0x1d82439, ftLastAccessTime.dwLowDateTime=0xd77a6e80, ftLastAccessTime.dwHighDateTime=0x1d8292a, ftLastWriteTime.dwLowDateTime=0xd77a6e80, ftLastWriteTime.dwHighDateTime=0x1d8292a, nFileSizeHigh=0x0, nFileSizeLow=0x2f8c)) returned 1 [0294.148] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7100 | out: pbBuffer=0x12ac7100) returned 1 [0294.148] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915440 | out: pbBuffer=0x12915440) returned 1 [0294.148] ReadFile (in: hFile=0x468, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a2fd1c*=0x2f8c, lpOverlapped=0x0) returned 1 [0294.149] GetFileType (hFile=0x468) returned 0x1 [0294.149] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.149] WriteFile (in: hFile=0x468, lpBuffer=0x128ab000*, nNumberOfBytesToWrite=0x2f8c, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x128ab000*, lpNumberOfBytesWritten=0x12a2fd00*=0x2f8c, lpOverlapped=0x12a2fd0c) returned 1 [0294.150] GetFileType (hFile=0x468) returned 0x1 [0294.150] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x2f8c, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800501 | out: pbBuffer=0x12800501) returned 1 [0294.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0294.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0294.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129154f8 | out: pbBuffer=0x129154f8) returned 1 [0294.151] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\V1Kjf7_qFmmvMrp_Ea.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\v1kjf7_qfmmvmrp_ea.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.151] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.151] WriteFile (in: hFile=0x464, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.152] CloseHandle (hObject=0x464) returned 1 [0294.152] CloseHandle (hObject=0x468) returned 1 [0294.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915510 | out: pbBuffer=0x12915510) returned 1 [0294.152] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\V1Kjf7_qFmmvMrp_Ea.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\v1kjf7_qfmmvmrp_ea.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\#_THIS_FILE_IS_ENCRYPTED_[621656CECA299A9C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\#_this_file_is_encrypted_[621656ceca299a9c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.154] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\kGKQHWwboj.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\kgkqhwwboj.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.154] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\kGKQHWwboj.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\kgkqhwwboj.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b193250, ftCreationTime.dwHighDateTime=0x1d81f89, ftLastAccessTime.dwLowDateTime=0x3fc75380, ftLastAccessTime.dwHighDateTime=0x1d82562, ftLastWriteTime.dwLowDateTime=0x3fc75380, ftLastWriteTime.dwHighDateTime=0x1d82562, nFileSizeHigh=0x0, nFileSizeLow=0xffa3)) returned 1 [0294.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7320 | out: pbBuffer=0x12ac7320) returned 1 [0294.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915558 | out: pbBuffer=0x12915558) returned 1 [0294.155] ReadFile (in: hFile=0x468, lpBuffer=0x12b9e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b9e000*, lpNumberOfBytesRead=0x12a2fd1c*=0xffa3, lpOverlapped=0x0) returned 1 [0294.184] GetFileType (hFile=0x468) returned 0x1 [0294.184] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.185] WriteFile (in: hFile=0x468, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0xffa3, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a2fd00*=0xffa3, lpOverlapped=0x12a2fd0c) returned 1 [0294.185] GetFileType (hFile=0x468) returned 0x1 [0294.185] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffa3, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.185] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0294.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0294.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0294.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915610 | out: pbBuffer=0x12915610) returned 1 [0294.186] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\kGKQHWwboj.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\kgkqhwwboj.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.241] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.241] WriteFile (in: hFile=0x470, lpBuffer=0x12ac2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2500*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.242] CloseHandle (hObject=0x470) returned 1 [0294.242] CloseHandle (hObject=0x468) returned 1 [0294.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915628 | out: pbBuffer=0x12915628) returned 1 [0294.242] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\kGKQHWwboj.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\kgkqhwwboj.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\#_THIS_FILE_IS_ENCRYPTED_[D8867C7688BC3AEC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\#_this_file_is_encrypted_[d8867c7688bc3aec]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.243] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0294.280] SwitchToThread () returned 1 [0294.282] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0294.291] SetEvent (hEvent=0x454) returned 1 [0294.291] SetEvent (hEvent=0xf4) returned 1 [0294.291] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\0q12e.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\0q12e.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.292] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.292] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\0q12e.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\0q12e.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0e041b0, ftCreationTime.dwHighDateTime=0x1d82757, ftLastAccessTime.dwLowDateTime=0x5afd6590, ftLastAccessTime.dwHighDateTime=0x1d828b4, ftLastWriteTime.dwLowDateTime=0x5afd6590, ftLastWriteTime.dwHighDateTime=0x1d828b4, nFileSizeHigh=0x0, nFileSizeLow=0xed5d)) returned 1 [0294.293] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0294.293] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0294.293] ReadFile (in: hFile=0x464, lpBuffer=0x12d1c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d1c000*, lpNumberOfBytesRead=0x12853d1c*=0xed5d, lpOverlapped=0x0) returned 1 [0294.295] GetFileType (hFile=0x464) returned 0x1 [0294.295] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.295] WriteFile (in: hFile=0x464, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0xed5d, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12853d00*=0xed5d, lpOverlapped=0x12853d0c) returned 1 [0294.295] GetFileType (hFile=0x464) returned 0x1 [0294.295] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xed5d, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0294.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0294.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0294.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914220 | out: pbBuffer=0x12914220) returned 1 [0294.296] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\0q12e.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\0q12e.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.296] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0294.297] WriteFile (in: hFile=0x468, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.297] CloseHandle (hObject=0x468) returned 1 [0294.297] CloseHandle (hObject=0x464) returned 1 [0294.297] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914278 | out: pbBuffer=0x12914278) returned 1 [0294.297] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\0q12e.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\0q12e.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\#_THIS_FILE_IS_ENCRYPTED_[2B61695A555D7ED5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\#_this_file_is_encrypted_[2b61695a555d7ed5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\hI0FYGyj19rrjP.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\hi0fygyj19rrjp.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.299] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.299] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\hI0FYGyj19rrjP.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\hi0fygyj19rrjp.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1e9fa70, ftCreationTime.dwHighDateTime=0x1d81add, ftLastAccessTime.dwLowDateTime=0xca494350, ftLastAccessTime.dwHighDateTime=0x1d8296e, ftLastWriteTime.dwLowDateTime=0xca494350, ftLastWriteTime.dwHighDateTime=0x1d8296e, nFileSizeHigh=0x0, nFileSizeLow=0xab7a)) returned 1 [0294.299] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6200 | out: pbBuffer=0x12ac6200) returned 1 [0294.299] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914320 | out: pbBuffer=0x12914320) returned 1 [0294.299] ReadFile (in: hFile=0x464, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a31d1c*=0xab7a, lpOverlapped=0x0) returned 1 [0294.302] GetFileType (hFile=0x464) returned 0x1 [0294.302] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.302] WriteFile (in: hFile=0x464, lpBuffer=0x12a32000*, nNumberOfBytesToWrite=0xab7a, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12a32000*, lpNumberOfBytesWritten=0x12a31d00*=0xab7a, lpOverlapped=0x12a31d0c) returned 1 [0294.302] GetFileType (hFile=0x464) returned 0x1 [0294.303] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xab7a, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.303] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0294.303] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0294.303] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0294.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914458 | out: pbBuffer=0x12914458) returned 1 [0294.304] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\hI0FYGyj19rrjP.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\hi0fygyj19rrjp.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.304] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.304] WriteFile (in: hFile=0x468, lpBuffer=0x12ac2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2500*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.304] CloseHandle (hObject=0x468) returned 1 [0294.304] CloseHandle (hObject=0x464) returned 1 [0294.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129144a0 | out: pbBuffer=0x129144a0) returned 1 [0294.304] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\hI0FYGyj19rrjP.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\hi0fygyj19rrjp.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\#_THIS_FILE_IS_ENCRYPTED_[FA912E8644A6F5AE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\#_this_file_is_encrypted_[fa912e8644a6f5ae]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.306] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ba0490, ftCreationTime.dwHighDateTime=0x1d82164, ftLastAccessTime.dwLowDateTime=0x1c82fcb0, ftLastAccessTime.dwHighDateTime=0x1d8282f, ftLastWriteTime.dwLowDateTime=0x1c82fcb0, ftLastWriteTime.dwHighDateTime=0x1d8282f, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.306] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.306] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ba0490, ftCreationTime.dwHighDateTime=0x1d82164, ftLastAccessTime.dwLowDateTime=0x1c82fcb0, ftLastAccessTime.dwHighDateTime=0x1d8282f, ftLastWriteTime.dwLowDateTime=0x1c82fcb0, ftLastWriteTime.dwHighDateTime=0x1d8282f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0294.307] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ba0490, ftCreationTime.dwHighDateTime=0x1d82164, ftLastAccessTime.dwLowDateTime=0x1c82fcb0, ftLastAccessTime.dwHighDateTime=0x1d8282f, ftLastWriteTime.dwLowDateTime=0x1c82fcb0, ftLastWriteTime.dwHighDateTime=0x1d8282f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.307] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1aa8aa0, ftCreationTime.dwHighDateTime=0x1d82039, ftLastAccessTime.dwLowDateTime=0x3f934b80, ftLastAccessTime.dwHighDateTime=0x1d828e1, ftLastWriteTime.dwLowDateTime=0x3f934b80, ftLastWriteTime.dwHighDateTime=0x1d828e1, nFileSizeHigh=0x0, nFileSizeLow=0xa5c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="-b5_MxngD.mp3", cAlternateFileName="-B5_MX~1.MP3")) returned 1 [0294.307] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb639290, ftCreationTime.dwHighDateTime=0x1d81ad9, ftLastAccessTime.dwLowDateTime=0x491d9c60, ftLastAccessTime.dwHighDateTime=0x1d82548, ftLastWriteTime.dwLowDateTime=0x491d9c60, ftLastWriteTime.dwHighDateTime=0x1d82548, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jBuxsRgKfwyyGq2T", cAlternateFileName="JBUXSR~1")) returned 1 [0294.307] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2cd00c0, ftCreationTime.dwHighDateTime=0x1d8211a, ftLastAccessTime.dwLowDateTime=0xfbd585f0, ftLastAccessTime.dwHighDateTime=0x1d828a1, ftLastWriteTime.dwLowDateTime=0xfbd585f0, ftLastWriteTime.dwHighDateTime=0x1d828a1, nFileSizeHigh=0x0, nFileSizeLow=0xf25d, dwReserved0=0x0, dwReserved1=0x0, cFileName="YvsVfer.wav", cAlternateFileName="")) returned 1 [0294.307] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.307] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0294.308] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.309] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0294.309] WriteFile (in: hFile=0x464, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0294.310] CloseHandle (hObject=0x464) returned 1 [0294.311] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\-b5_MxngD.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\-b5_mxngd.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1aa8aa0, ftCreationTime.dwHighDateTime=0x1d82039, ftLastAccessTime.dwLowDateTime=0x3f934b80, ftLastAccessTime.dwHighDateTime=0x1d828e1, ftLastWriteTime.dwLowDateTime=0x3f934b80, ftLastWriteTime.dwHighDateTime=0x1d828e1, nFileSizeHigh=0x0, nFileSizeLow=0xa5c5)) returned 1 [0294.311] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\YvsVfer.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\yvsvfer.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2cd00c0, ftCreationTime.dwHighDateTime=0x1d8211a, ftLastAccessTime.dwLowDateTime=0xfbd585f0, ftLastAccessTime.dwHighDateTime=0x1d828a1, ftLastWriteTime.dwLowDateTime=0xfbd585f0, ftLastWriteTime.dwHighDateTime=0x1d828a1, nFileSizeHigh=0x0, nFileSizeLow=0xf25d)) returned 1 [0294.312] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb639290, ftCreationTime.dwHighDateTime=0x1d81ad9, ftLastAccessTime.dwLowDateTime=0x491d9c60, ftLastAccessTime.dwHighDateTime=0x1d82548, ftLastWriteTime.dwLowDateTime=0x491d9c60, ftLastWriteTime.dwHighDateTime=0x1d82548, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.312] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.312] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb639290, ftCreationTime.dwHighDateTime=0x1d81ad9, ftLastAccessTime.dwLowDateTime=0x491d9c60, ftLastAccessTime.dwHighDateTime=0x1d82548, ftLastWriteTime.dwLowDateTime=0x491d9c60, ftLastWriteTime.dwHighDateTime=0x1d82548, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0294.312] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb639290, ftCreationTime.dwHighDateTime=0x1d81ad9, ftLastAccessTime.dwLowDateTime=0x491d9c60, ftLastAccessTime.dwHighDateTime=0x1d82548, ftLastWriteTime.dwLowDateTime=0x491d9c60, ftLastWriteTime.dwHighDateTime=0x1d82548, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.312] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b6ab9f0, ftCreationTime.dwHighDateTime=0x1d82348, ftLastAccessTime.dwLowDateTime=0xb5874010, ftLastAccessTime.dwHighDateTime=0x1d82726, ftLastWriteTime.dwLowDateTime=0xb5874010, ftLastWriteTime.dwHighDateTime=0x1d82726, nFileSizeHigh=0x0, nFileSizeLow=0x1599c, dwReserved0=0x0, dwReserved1=0x0, cFileName="0v2fbPeHHc5.wav", cAlternateFileName="0V2FBP~1.WAV")) returned 1 [0294.312] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ecf30, ftCreationTime.dwHighDateTime=0x1d81d23, ftLastAccessTime.dwLowDateTime=0xc049c310, ftLastAccessTime.dwHighDateTime=0x1d8255f, ftLastWriteTime.dwLowDateTime=0xc049c310, ftLastWriteTime.dwHighDateTime=0x1d8255f, nFileSizeHigh=0x0, nFileSizeLow=0xa5da, dwReserved0=0x0, dwReserved1=0x0, cFileName="8tQs6RJIu7FUhxm4YpVB.m4a", cAlternateFileName="8TQS6R~1.M4A")) returned 1 [0294.312] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc2e730, ftCreationTime.dwHighDateTime=0x1d8263f, ftLastAccessTime.dwLowDateTime=0xf7fca8c0, ftLastAccessTime.dwHighDateTime=0x1d82976, ftLastWriteTime.dwLowDateTime=0xf7fca8c0, ftLastWriteTime.dwHighDateTime=0x1d82976, nFileSizeHigh=0x0, nFileSizeLow=0x1462e, dwReserved0=0x0, dwReserved1=0x0, cFileName="qvUP67bV7Qm2qYTbl.m4a", cAlternateFileName="QVUP67~1.M4A")) returned 1 [0294.313] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb535960, ftCreationTime.dwHighDateTime=0x1d82415, ftLastAccessTime.dwLowDateTime=0xd65839c0, ftLastAccessTime.dwHighDateTime=0x1d82776, ftLastWriteTime.dwLowDateTime=0xd65839c0, ftLastWriteTime.dwHighDateTime=0x1d82776, nFileSizeHigh=0x0, nFileSizeLow=0xcbef, dwReserved0=0x0, dwReserved1=0x0, cFileName="ssRbLKtGO.mp3", cAlternateFileName="SSRBLK~1.MP3")) returned 1 [0294.313] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.315] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0294.315] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.315] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.315] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.316] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0294.316] WriteFile (in: hFile=0x464, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0294.318] CloseHandle (hObject=0x464) returned 1 [0294.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\0v2fbPeHHc5.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\0v2fbpehhc5.wav"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b6ab9f0, ftCreationTime.dwHighDateTime=0x1d82348, ftLastAccessTime.dwLowDateTime=0xb5874010, ftLastAccessTime.dwHighDateTime=0x1d82726, ftLastWriteTime.dwLowDateTime=0xb5874010, ftLastWriteTime.dwHighDateTime=0x1d82726, nFileSizeHigh=0x0, nFileSizeLow=0x1599c)) returned 1 [0294.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\8tQs6RJIu7FUhxm4YpVB.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\8tqs6rjiu7fuhxm4ypvb.m4a"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ecf30, ftCreationTime.dwHighDateTime=0x1d81d23, ftLastAccessTime.dwLowDateTime=0xc049c310, ftLastAccessTime.dwHighDateTime=0x1d8255f, ftLastWriteTime.dwLowDateTime=0xc049c310, ftLastWriteTime.dwHighDateTime=0x1d8255f, nFileSizeHigh=0x0, nFileSizeLow=0xa5da)) returned 1 [0294.319] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\qvUP67bV7Qm2qYTbl.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\qvup67bv7qm2qytbl.m4a"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc2e730, ftCreationTime.dwHighDateTime=0x1d8263f, ftLastAccessTime.dwLowDateTime=0xf7fca8c0, ftLastAccessTime.dwHighDateTime=0x1d82976, ftLastWriteTime.dwLowDateTime=0xf7fca8c0, ftLastWriteTime.dwHighDateTime=0x1d82976, nFileSizeHigh=0x0, nFileSizeLow=0x1462e)) returned 1 [0294.319] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\8tQs6RJIu7FUhxm4YpVB.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\8tqs6rjiu7fuhxm4ypvb.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.320] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\8tQs6RJIu7FUhxm4YpVB.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\8tqs6rjiu7fuhxm4ypvb.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ecf30, ftCreationTime.dwHighDateTime=0x1d81d23, ftLastAccessTime.dwLowDateTime=0xc049c310, ftLastAccessTime.dwHighDateTime=0x1d8255f, ftLastWriteTime.dwLowDateTime=0xc049c310, ftLastWriteTime.dwHighDateTime=0x1d8255f, nFileSizeHigh=0x0, nFileSizeLow=0xa5da)) returned 1 [0294.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7500 | out: pbBuffer=0x12ac7500) returned 1 [0294.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915dd0 | out: pbBuffer=0x12915dd0) returned 1 [0294.320] ReadFile (in: hFile=0x464, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a31d1c*=0xa5da, lpOverlapped=0x0) returned 1 [0294.322] GetFileType (hFile=0x464) returned 0x1 [0294.322] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.322] WriteFile (in: hFile=0x464, lpBuffer=0x129da000*, nNumberOfBytesToWrite=0xa5da, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x129da000*, lpNumberOfBytesWritten=0x12a31d00*=0xa5da, lpOverlapped=0x12a31d0c) returned 1 [0294.323] GetFileType (hFile=0x464) returned 0x1 [0294.323] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa5da, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0294.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0294.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0294.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915e88 | out: pbBuffer=0x12915e88) returned 1 [0294.324] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\8tQs6RJIu7FUhxm4YpVB.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\8tqs6rjiu7fuhxm4ypvb.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.324] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.324] WriteFile (in: hFile=0x468, lpBuffer=0x12ac2f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2f00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.324] CloseHandle (hObject=0x468) returned 1 [0294.324] CloseHandle (hObject=0x464) returned 1 [0294.324] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915ea0 | out: pbBuffer=0x12915ea0) returned 1 [0294.325] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\8tQs6RJIu7FUhxm4YpVB.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\8tqs6rjiu7fuhxm4ypvb.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\#_THIS_FILE_IS_ENCRYPTED_[B8FCCEE1B6D631BE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\#_this_file_is_encrypted_[b8fccee1b6d631be]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.326] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\qvUP67bV7Qm2qYTbl.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\qvup67bv7qm2qytbl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.327] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.327] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\qvUP67bV7Qm2qYTbl.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\qvup67bv7qm2qytbl.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc2e730, ftCreationTime.dwHighDateTime=0x1d8263f, ftLastAccessTime.dwLowDateTime=0xf7fca8c0, ftLastAccessTime.dwHighDateTime=0x1d82976, ftLastWriteTime.dwLowDateTime=0xf7fca8c0, ftLastWriteTime.dwHighDateTime=0x1d82976, nFileSizeHigh=0x0, nFileSizeLow=0x1462e)) returned 1 [0294.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7920 | out: pbBuffer=0x12ac7920) returned 1 [0294.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915ee8 | out: pbBuffer=0x12915ee8) returned 1 [0294.328] ReadFile (in: hFile=0x464, lpBuffer=0x129e6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x129e6000*, lpNumberOfBytesRead=0x12a31d1c*=0x1462e, lpOverlapped=0x0) returned 1 [0294.330] GetFileType (hFile=0x464) returned 0x1 [0294.349] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0294.389] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.389] WriteFile (in: hFile=0x464, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x1462e, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12a31d00*=0x1462e, lpOverlapped=0x12a31d0c) returned 1 [0294.390] GetFileType (hFile=0x464) returned 0x1 [0294.390] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x1462e, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.390] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0294.499] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\AAv4QIyj5Va9vKdwbEiS.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\aav4qiyj5va9vkdwbeis.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.500] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.500] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\AAv4QIyj5Va9vKdwbEiS.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\aav4qiyj5va9vkdwbeis.gif"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ba8f4a0, ftCreationTime.dwHighDateTime=0x1d82604, ftLastAccessTime.dwLowDateTime=0x9a62bf20, ftLastAccessTime.dwHighDateTime=0x1d826d2, ftLastWriteTime.dwLowDateTime=0x9a62bf20, ftLastWriteTime.dwHighDateTime=0x1d826d2, nFileSizeHigh=0x0, nFileSizeLow=0x16a91)) returned 1 [0294.500] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0294.501] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10008 | out: pbBuffer=0x12b10008) returned 1 [0294.501] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0294.501] SetEvent (hEvent=0x420) returned 1 [0294.501] SetEvent (hEvent=0xfc) returned 1 [0294.502] ReadFile (in: hFile=0x44c, lpBuffer=0x12cd2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cd2000*, lpNumberOfBytesRead=0x12a31d1c*=0x16a91, lpOverlapped=0x0) returned 1 [0294.504] GetFileType (hFile=0x44c) returned 0x1 [0294.504] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.504] WriteFile (in: hFile=0x44c, lpBuffer=0x129cc000*, nNumberOfBytesToWrite=0x16a91, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x129cc000*, lpNumberOfBytesWritten=0x12a31d00*=0x16a91, lpOverlapped=0x12a31d0c) returned 1 [0294.505] GetFileType (hFile=0x44c) returned 0x1 [0294.505] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x16a91, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0294.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0294.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0294.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b100c0 | out: pbBuffer=0x12b100c0) returned 1 [0294.506] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\AAv4QIyj5Va9vKdwbEiS.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\aav4qiyj5va9vkdwbeis.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.506] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.506] WriteFile (in: hFile=0x464, lpBuffer=0x12a66000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a66000*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.506] CloseHandle (hObject=0x464) returned 1 [0294.507] CloseHandle (hObject=0x44c) returned 1 [0294.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b100d8 | out: pbBuffer=0x12b100d8) returned 1 [0294.507] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\AAv4QIyj5Va9vKdwbEiS.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\aav4qiyj5va9vkdwbeis.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[2E9C5F0430687367]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[2e9c5f0430687367]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.662] SetEvent (hEvent=0x420) returned 1 [0294.662] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\C8Z4l7tj.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\c8z4l7tj.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.663] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.663] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\C8Z4l7tj.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\c8z4l7tj.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcc9da30, ftCreationTime.dwHighDateTime=0x1d819bd, ftLastAccessTime.dwLowDateTime=0xd8c67420, ftLastAccessTime.dwHighDateTime=0x1d81a50, ftLastWriteTime.dwLowDateTime=0xd8c67420, ftLastWriteTime.dwHighDateTime=0x1d81a50, nFileSizeHigh=0x0, nFileSizeLow=0x18677)) returned 1 [0294.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282a0 | out: pbBuffer=0x129282a0) returned 1 [0294.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0294.663] ReadFile (in: hFile=0x44c, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x12a31d1c*=0x18677, lpOverlapped=0x0) returned 1 [0294.665] GetFileType (hFile=0x44c) returned 0x1 [0294.665] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.666] WriteFile (in: hFile=0x44c, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x18677, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12a31d00*=0x18677, lpOverlapped=0x12a31d0c) returned 1 [0294.666] GetFileType (hFile=0x44c) returned 0x1 [0294.666] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x18677, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0294.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0294.667] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae01 | out: pbBuffer=0x1286ae01) returned 1 [0294.667] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484b8 | out: pbBuffer=0x128484b8) returned 1 [0294.667] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\C8Z4l7tj.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\c8z4l7tj.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.667] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.667] WriteFile (in: hFile=0x464, lpBuffer=0x12ac2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2500*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.667] CloseHandle (hObject=0x464) returned 1 [0294.667] CloseHandle (hObject=0x44c) returned 1 [0294.668] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484d0 | out: pbBuffer=0x128484d0) returned 1 [0294.668] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\C8Z4l7tj.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\c8z4l7tj.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\#_THIS_FILE_IS_ENCRYPTED_[6C7BC8C76A254914]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\#_this_file_is_encrypted_[6c7bc8c76a254914]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.768] SetEvent (hEvent=0x19c) returned 1 [0294.768] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\CRVSGs15zk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\crvsgs15zk.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.769] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\CRVSGs15zk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\crvsgs15zk.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5d559f0, ftCreationTime.dwHighDateTime=0x1d81fc8, ftLastAccessTime.dwLowDateTime=0x79b53e40, ftLastAccessTime.dwHighDateTime=0x1d826ca, ftLastWriteTime.dwLowDateTime=0x79b53e40, ftLastWriteTime.dwHighDateTime=0x1d826ca, nFileSizeHigh=0x0, nFileSizeLow=0x11d2f)) returned 1 [0294.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928b20 | out: pbBuffer=0x12928b20) returned 1 [0294.770] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128487c0 | out: pbBuffer=0x128487c0) returned 1 [0294.770] ReadFile (in: hFile=0x44c, lpBuffer=0x12bf8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf8000*, lpNumberOfBytesRead=0x12a31d1c*=0x11d2f, lpOverlapped=0x0) returned 1 [0294.771] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0294.773] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0294.773] SetEvent (hEvent=0x110) returned 1 [0294.773] SetEvent (hEvent=0x19c) returned 1 [0294.774] GetFileType (hFile=0x44c) returned 0x1 [0294.774] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.774] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x11d2f, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12a31d00*=0x11d2f, lpOverlapped=0x12a31d0c) returned 1 [0294.774] GetFileType (hFile=0x44c) returned 0x1 [0294.774] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x11d2f, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ba01 | out: pbBuffer=0x1286ba01) returned 1 [0294.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bb01 | out: pbBuffer=0x1286bb01) returned 1 [0294.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bc01 | out: pbBuffer=0x1286bc01) returned 1 [0294.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128488a8 | out: pbBuffer=0x128488a8) returned 1 [0294.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\CRVSGs15zk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\crvsgs15zk.bmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.776] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.776] WriteFile (in: hFile=0x464, lpBuffer=0x12ac3900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac3900*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.776] CloseHandle (hObject=0x464) returned 1 [0294.776] CloseHandle (hObject=0x44c) returned 1 [0294.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128488d0 | out: pbBuffer=0x128488d0) returned 1 [0294.776] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\CRVSGs15zk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\crvsgs15zk.bmp"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\#_THIS_FILE_IS_ENCRYPTED_[E42B39B52EFC5AB8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\#_this_file_is_encrypted_[e42b39b52efc5ab8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.799] SetEvent (hEvent=0x110) returned 1 [0294.799] SetEvent (hEvent=0x420) returned 1 [0294.799] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\Ne3h82xciV8B.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ne3h82xciv8b.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.800] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\Ne3h82xciV8B.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ne3h82xciv8b.png"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x212f8210, ftCreationTime.dwHighDateTime=0x1d819bb, ftLastAccessTime.dwLowDateTime=0xa3b62a30, ftLastAccessTime.dwHighDateTime=0x1d82439, ftLastWriteTime.dwLowDateTime=0xa3b62a30, ftLastWriteTime.dwHighDateTime=0x1d82439, nFileSizeHigh=0x0, nFileSizeLow=0x1749d)) returned 1 [0294.800] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0294.800] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0294.800] ReadFile (in: hFile=0x44c, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x12a31d1c*=0x1749d, lpOverlapped=0x0) returned 1 [0294.803] GetFileType (hFile=0x44c) returned 0x1 [0294.803] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.803] WriteFile (in: hFile=0x44c, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x1749d, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x12a31d00*=0x1749d, lpOverlapped=0x12a31d0c) returned 1 [0294.804] GetFileType (hFile=0x44c) returned 0x1 [0294.804] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1749d, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0294.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0294.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0294.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0294.805] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\Ne3h82xciV8B.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ne3h82xciv8b.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.805] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.805] WriteFile (in: hFile=0x464, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.805] CloseHandle (hObject=0x464) returned 1 [0294.805] CloseHandle (hObject=0x44c) returned 1 [0294.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0294.806] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\Ne3h82xciV8B.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ne3h82xciv8b.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\#_THIS_FILE_IS_ENCRYPTED_[33104CA553573414]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\#_this_file_is_encrypted_[33104ca553573414]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.848] SetEvent (hEvent=0x420) returned 1 [0294.848] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lM7esgOy36--LKPovnS.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lm7esgoy36--lkpovns.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.849] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.849] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lM7esgOy36--LKPovnS.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lm7esgoy36--lkpovns.png"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b498f0, ftCreationTime.dwHighDateTime=0x1d82766, ftLastAccessTime.dwLowDateTime=0x62c08ff0, ftLastAccessTime.dwHighDateTime=0x1d82819, ftLastWriteTime.dwLowDateTime=0x62c08ff0, ftLastWriteTime.dwHighDateTime=0x1d82819, nFileSizeHigh=0x0, nFileSizeLow=0x4ae1)) returned 1 [0294.849] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929440 | out: pbBuffer=0x12929440) returned 1 [0294.849] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848e30 | out: pbBuffer=0x12848e30) returned 1 [0294.849] ReadFile (in: hFile=0x44c, lpBuffer=0x12bd8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bd8000*, lpNumberOfBytesRead=0x12a31d1c*=0x4ae1, lpOverlapped=0x0) returned 1 [0294.850] GetFileType (hFile=0x44c) returned 0x1 [0294.850] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.850] WriteFile (in: hFile=0x44c, lpBuffer=0x12a34000*, nNumberOfBytesToWrite=0x4ae1, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12a34000*, lpNumberOfBytesWritten=0x12a31d00*=0x4ae1, lpOverlapped=0x12a31d0c) returned 1 [0294.851] GetFileType (hFile=0x44c) returned 0x1 [0294.851] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x4ae1, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0294.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0294.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0294.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848f68 | out: pbBuffer=0x12848f68) returned 1 [0294.851] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lM7esgOy36--LKPovnS.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lm7esgoy36--lkpovns.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.852] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.852] WriteFile (in: hFile=0x470, lpBuffer=0x12ac2f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2f00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.852] CloseHandle (hObject=0x470) returned 1 [0294.852] CloseHandle (hObject=0x44c) returned 1 [0294.852] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848fa0 | out: pbBuffer=0x12848fa0) returned 1 [0294.852] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lM7esgOy36--LKPovnS.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lm7esgoy36--lkpovns.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\#_THIS_FILE_IS_ENCRYPTED_[9DF837F25A624106]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\#_this_file_is_encrypted_[9df837f25a624106]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.896] SetEvent (hEvent=0x110) returned 1 [0294.896] SetEvent (hEvent=0xf4) returned 1 [0294.897] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lt1XE8WJFN.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lt1xe8wjfn.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.898] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.898] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lt1XE8WJFN.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lt1xe8wjfn.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c372530, ftCreationTime.dwHighDateTime=0x1d81a35, ftLastAccessTime.dwLowDateTime=0xda911920, ftLastAccessTime.dwHighDateTime=0x1d81b9c, ftLastWriteTime.dwLowDateTime=0xda911920, ftLastWriteTime.dwHighDateTime=0x1d81b9c, nFileSizeHigh=0x0, nFileSizeLow=0xc797)) returned 1 [0294.898] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6c20 | out: pbBuffer=0x12ac6c20) returned 1 [0294.898] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b103c8 | out: pbBuffer=0x12b103c8) returned 1 [0294.898] ReadFile (in: hFile=0x44c, lpBuffer=0x12dd8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12dd8000*, lpNumberOfBytesRead=0x12a31d1c*=0xc797, lpOverlapped=0x0) returned 1 [0294.900] GetFileType (hFile=0x44c) returned 0x1 [0294.900] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.900] WriteFile (in: hFile=0x44c, lpBuffer=0x12c18000*, nNumberOfBytesToWrite=0xc797, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12c18000*, lpNumberOfBytesWritten=0x12a31d00*=0xc797, lpOverlapped=0x12a31d0c) returned 1 [0294.901] GetFileType (hFile=0x44c) returned 0x1 [0294.901] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xc797, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0294.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0294.902] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0294.902] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b10480 | out: pbBuffer=0x12b10480) returned 1 [0294.902] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lt1XE8WJFN.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lt1xe8wjfn.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.902] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0294.902] WriteFile (in: hFile=0x464, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.902] CloseHandle (hObject=0x464) returned 1 [0294.907] CloseHandle (hObject=0x44c) returned 1 [0294.918] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10498 | out: pbBuffer=0x12b10498) returned 1 [0294.919] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lt1XE8WJFN.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lt1xe8wjfn.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\#_THIS_FILE_IS_ENCRYPTED_[665F6FF0830D5E3D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\#_this_file_is_encrypted_[665f6ff0830d5e3d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.953] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0294.969] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0295.058] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\kZ6dxGYg30pcqd Y9si.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\kz6dxgyg30pcqd y9si.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.061] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0295.061] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\kZ6dxGYg30pcqd Y9si.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\kz6dxgyg30pcqd y9si.png"), fInfoLevelId=0x0, lpFileInformation=0x12a2dad0 | out: lpFileInformation=0x12a2dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28090b80, ftCreationTime.dwHighDateTime=0x1d82620, ftLastAccessTime.dwLowDateTime=0x779b5910, ftLastAccessTime.dwHighDateTime=0x1d827f5, ftLastWriteTime.dwLowDateTime=0x779b5910, ftLastWriteTime.dwHighDateTime=0x1d827f5, nFileSizeHigh=0x0, nFileSizeLow=0x182f6)) returned 1 [0295.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0295.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10008 | out: pbBuffer=0x12b10008) returned 1 [0295.061] ReadFile (in: hFile=0x468, lpBuffer=0x12e18000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e18000*, lpNumberOfBytesRead=0x12a2dd1c*=0x182f6, lpOverlapped=0x0) returned 1 [0295.067] GetFileType (hFile=0x468) returned 0x1 [0295.067] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0295.067] WriteFile (in: hFile=0x468, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x182f6, lpNumberOfBytesWritten=0x12a2dd00, lpOverlapped=0x12a2dd0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12a2dd00*=0x182f6, lpOverlapped=0x12a2dd0c) returned 1 [0295.067] GetFileType (hFile=0x468) returned 0x1 [0295.067] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x182f6, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0295.067] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0295.068] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0295.068] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0295.068] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b100c0 | out: pbBuffer=0x12b100c0) returned 1 [0295.068] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\kZ6dxGYg30pcqd Y9si.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\kz6dxgyg30pcqd y9si.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.068] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0295.068] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a2dd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.068] CloseHandle (hObject=0x44c) returned 1 [0295.079] CloseHandle (hObject=0x468) returned 1 [0295.197] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b100d8 | out: pbBuffer=0x12b100d8) returned 1 [0295.197] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\kZ6dxGYg30pcqd Y9si.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\kz6dxgyg30pcqd y9si.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\#_THIS_FILE_IS_ENCRYPTED_[BD5064380903BA28]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\#_this_file_is_encrypted_[bd5064380903ba28]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.399] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5116540, ftCreationTime.dwHighDateTime=0x1d81e29, ftLastAccessTime.dwLowDateTime=0x979dca50, ftLastAccessTime.dwHighDateTime=0x1d82051, ftLastWriteTime.dwLowDateTime=0x979dca50, ftLastWriteTime.dwHighDateTime=0x1d82051, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.400] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.402] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5116540, ftCreationTime.dwHighDateTime=0x1d81e29, ftLastAccessTime.dwLowDateTime=0x979dca50, ftLastAccessTime.dwHighDateTime=0x1d82051, ftLastWriteTime.dwLowDateTime=0x979dca50, ftLastWriteTime.dwHighDateTime=0x1d82051, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbf00f8 [0295.403] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5116540, ftCreationTime.dwHighDateTime=0x1d81e29, ftLastAccessTime.dwLowDateTime=0x979dca50, ftLastAccessTime.dwHighDateTime=0x1d82051, ftLastWriteTime.dwLowDateTime=0x979dca50, ftLastWriteTime.dwHighDateTime=0x1d82051, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.403] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64e6e160, ftCreationTime.dwHighDateTime=0x1d82663, ftLastAccessTime.dwLowDateTime=0xaa70d6a0, ftLastAccessTime.dwHighDateTime=0x1d8296f, ftLastWriteTime.dwLowDateTime=0xaa70d6a0, ftLastWriteTime.dwHighDateTime=0x1d8296f, nFileSizeHigh=0x0, nFileSizeLow=0xccac, dwReserved0=0x0, dwReserved1=0x0, cFileName="e_97_0vFDSHFIYI.mp4", cAlternateFileName="E_97_0~1.MP4")) returned 1 [0295.403] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57b12a60, ftCreationTime.dwHighDateTime=0x1d827fc, ftLastAccessTime.dwLowDateTime=0x18571200, ftLastAccessTime.dwHighDateTime=0x1d8284a, ftLastWriteTime.dwLowDateTime=0x18571200, ftLastWriteTime.dwHighDateTime=0x1d8284a, nFileSizeHigh=0x0, nFileSizeLow=0xa8db, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZeqlJkWcoM.swf", cAlternateFileName="ZEQLJK~1.SWF")) returned 1 [0295.403] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.403] FindClose (in: hFindFile=0xbf00f8 | out: hFindFile=0xbf00f8) returned 1 [0295.403] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.403] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0295.404] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.423] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0295.423] WriteFile (in: hFile=0x474, lpBuffer=0x12c20000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12c20000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0295.427] CloseHandle (hObject=0x474) returned 1 [0295.427] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\ZeqlJkWcoM.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\zeqljkwcom.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57b12a60, ftCreationTime.dwHighDateTime=0x1d827fc, ftLastAccessTime.dwLowDateTime=0x18571200, ftLastAccessTime.dwHighDateTime=0x1d8284a, ftLastWriteTime.dwLowDateTime=0x18571200, ftLastWriteTime.dwHighDateTime=0x1d8284a, nFileSizeHigh=0x0, nFileSizeLow=0xa8db)) returned 1 [0295.427] SetEvent (hEvent=0xfc) returned 1 [0295.427] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\D4qc7P\\qMxUAz dkUsN0xXlyTcs\\e_97_0vFDSHFIYI.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\d4qc7p\\qmxuaz dkusn0xxlytcs\\e_97_0vfdshfiyi.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64e6e160, ftCreationTime.dwHighDateTime=0x1d82663, ftLastAccessTime.dwLowDateTime=0xaa70d6a0, ftLastAccessTime.dwHighDateTime=0x1d8296f, ftLastWriteTime.dwLowDateTime=0xaa70d6a0, ftLastWriteTime.dwHighDateTime=0x1d8296f, nFileSizeHigh=0x0, nFileSizeLow=0xccac)) returned 1 [0295.427] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\WU3RCvcI 3_paA2c.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\wu3rcvci 3_paa2c.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc338e250, ftCreationTime.dwHighDateTime=0x1d81f41, ftLastAccessTime.dwLowDateTime=0x5f3ca8d0, ftLastAccessTime.dwHighDateTime=0x1d828a7, ftLastWriteTime.dwLowDateTime=0x5f3ca8d0, ftLastWriteTime.dwHighDateTime=0x1d828a7, nFileSizeHigh=0x0, nFileSizeLow=0x183a1)) returned 1 [0295.428] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\fYzIaG IKDN5QJud404V.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\fyziag ikdn5qjud404v.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824c8360, ftCreationTime.dwHighDateTime=0x1d81b6c, ftLastAccessTime.dwLowDateTime=0x722864f0, ftLastAccessTime.dwHighDateTime=0x1d8274b, ftLastWriteTime.dwLowDateTime=0x722864f0, ftLastWriteTime.dwHighDateTime=0x1d8274b, nFileSizeHigh=0x0, nFileSizeLow=0x159d7)) returned 1 [0295.428] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\WU3RCvcI 3_paA2c.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\wu3rcvci 3_paa2c.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.429] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.429] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\WU3RCvcI 3_paA2c.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\wu3rcvci 3_paa2c.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc338e250, ftCreationTime.dwHighDateTime=0x1d81f41, ftLastAccessTime.dwLowDateTime=0x5f3ca8d0, ftLastAccessTime.dwHighDateTime=0x1d828a7, ftLastWriteTime.dwLowDateTime=0x5f3ca8d0, ftLastWriteTime.dwHighDateTime=0x1d828a7, nFileSizeHigh=0x0, nFileSizeLow=0x183a1)) returned 1 [0295.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845760 | out: pbBuffer=0x12845760) returned 1 [0295.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849450 | out: pbBuffer=0x12849450) returned 1 [0295.429] ReadFile (in: hFile=0x474, lpBuffer=0x12e10000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e10000*, lpNumberOfBytesRead=0x12a2bd1c*=0x183a1, lpOverlapped=0x0) returned 1 [0295.433] GetFileType (hFile=0x474) returned 0x1 [0295.433] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.433] WriteFile (in: hFile=0x474, lpBuffer=0x12cc4000*, nNumberOfBytesToWrite=0x183a1, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12cc4000*, lpNumberOfBytesWritten=0x12a2bd00*=0x183a1, lpOverlapped=0x12a2bd0c) returned 1 [0295.434] GetFileType (hFile=0x474) returned 0x1 [0295.434] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x183a1, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.434] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0295.434] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0295.435] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0295.435] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128495a8 | out: pbBuffer=0x128495a8) returned 1 [0295.435] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\WU3RCvcI 3_paA2c.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\wu3rcvci 3_paa2c.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.435] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.435] WriteFile (in: hFile=0x44c, lpBuffer=0x12a34000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a34000*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.435] CloseHandle (hObject=0x44c) returned 1 [0295.436] CloseHandle (hObject=0x474) returned 1 [0295.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128495d0 | out: pbBuffer=0x128495d0) returned 1 [0295.436] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\WU3RCvcI 3_paA2c.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\wu3rcvci 3_paa2c.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\#_THIS_FILE_IS_ENCRYPTED_[DEBA596CA0CD3058]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\#_this_file_is_encrypted_[deba596ca0cd3058]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.438] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\fYzIaG IKDN5QJud404V.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\fyziag ikdn5qjud404v.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.438] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.438] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\fYzIaG IKDN5QJud404V.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\fyziag ikdn5qjud404v.avi"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824c8360, ftCreationTime.dwHighDateTime=0x1d81b6c, ftLastAccessTime.dwLowDateTime=0x722864f0, ftLastAccessTime.dwHighDateTime=0x1d8274b, ftLastWriteTime.dwLowDateTime=0x722864f0, ftLastWriteTime.dwHighDateTime=0x1d8274b, nFileSizeHigh=0x0, nFileSizeLow=0x159d7)) returned 1 [0295.438] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845980 | out: pbBuffer=0x12845980) returned 1 [0295.439] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849628 | out: pbBuffer=0x12849628) returned 1 [0295.439] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0295.443] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0295.443] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0295.443] SetEvent (hEvent=0x110) returned 1 [0295.443] SetEvent (hEvent=0xfc) returned 1 [0295.444] ReadFile (in: hFile=0x474, lpBuffer=0x12cde000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cde000*, lpNumberOfBytesRead=0x12a2bd1c*=0x159d7, lpOverlapped=0x0) returned 1 [0295.447] GetFileType (hFile=0x474) returned 0x1 [0295.447] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.447] WriteFile (in: hFile=0x474, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x159d7, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12a2bd00*=0x159d7, lpOverlapped=0x12a2bd0c) returned 1 [0295.448] GetFileType (hFile=0x474) returned 0x1 [0295.448] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x159d7, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.448] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0295.448] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0295.448] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0295.449] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128496e0 | out: pbBuffer=0x128496e0) returned 1 [0295.449] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\fYzIaG IKDN5QJud404V.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\fyziag ikdn5qjud404v.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.449] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.449] WriteFile (in: hFile=0x470, lpBuffer=0x12a34500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a34500*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.449] CloseHandle (hObject=0x470) returned 1 [0295.449] CloseHandle (hObject=0x474) returned 1 [0295.449] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128496f8 | out: pbBuffer=0x128496f8) returned 1 [0295.450] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\fYzIaG IKDN5QJud404V.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\fyziag ikdn5qjud404v.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\#_THIS_FILE_IS_ENCRYPTED_[990BD122C0C9E4F3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\#_this_file_is_encrypted_[990bd122c0c9e4f3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.452] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x0 [0295.454] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0295.499] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0295.499] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0295.503] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0295.503] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb28, ulCount=0x10, ulNumEntriesRemoved=0x334ffb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb28, ulNumEntriesRemoved=0x334ffb0c) returned 0 [0295.503] SetEvent (hEvent=0x110) returned 1 [0295.503] SetEvent (hEvent=0xfc) returned 1 [0295.503] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0295.522] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0295.523] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\hb3lLJEau DoZzoV_lZ0.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\hb3lljeau dozzov_lz0.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.555] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.555] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\hb3lLJEau DoZzoV_lZ0.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\hb3lljeau dozzov_lz0.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b89a100, ftCreationTime.dwHighDateTime=0x1d82463, ftLastAccessTime.dwLowDateTime=0xba75a9b0, ftLastAccessTime.dwHighDateTime=0x1d82495, ftLastWriteTime.dwLowDateTime=0xba75a9b0, ftLastWriteTime.dwHighDateTime=0x1d82495, nFileSizeHigh=0x0, nFileSizeLow=0x9b7e)) returned 1 [0295.555] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e220 | out: pbBuffer=0x1280e220) returned 1 [0295.555] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0295.555] ReadFile (in: hFile=0x474, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12a2bd1c*=0x9b7e, lpOverlapped=0x0) returned 1 [0295.558] GetFileType (hFile=0x474) returned 0x1 [0295.558] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.558] WriteFile (in: hFile=0x474, lpBuffer=0x12906000*, nNumberOfBytesToWrite=0x9b7e, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12906000*, lpNumberOfBytesWritten=0x12a2bd00*=0x9b7e, lpOverlapped=0x12a2bd0c) returned 1 [0295.576] GetFileType (hFile=0x474) returned 0x1 [0295.576] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x9b7e, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0295.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0295.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0295.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914390 | out: pbBuffer=0x12914390) returned 1 [0295.577] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\hb3lLJEau DoZzoV_lZ0.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\hb3lljeau dozzov_lz0.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0295.578] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.578] WriteFile (in: hFile=0x45c, lpBuffer=0x12a34000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a34000*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.599] CloseHandle (hObject=0x45c) returned 1 [0295.599] CloseHandle (hObject=0x474) returned 1 [0295.619] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129144f8 | out: pbBuffer=0x129144f8) returned 1 [0295.620] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\hb3lLJEau DoZzoV_lZ0.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\hb3lljeau dozzov_lz0.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\#_THIS_FILE_IS_ENCRYPTED_[CC43E9BF2A3E42C6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\#_this_file_is_encrypted_[cc43e9bf2a3e42c6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.633] SetEvent (hEvent=0x420) returned 1 [0295.633] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\YNrRjI3FU86r44y.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\ynrrji3fu86r44y.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0295.635] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.635] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\YNrRjI3FU86r44y.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\ynrrji3fu86r44y.flv"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x427a8020, ftCreationTime.dwHighDateTime=0x1d81d60, ftLastAccessTime.dwLowDateTime=0xb16f8f20, ftLastAccessTime.dwHighDateTime=0x1d81dc9, ftLastWriteTime.dwLowDateTime=0xb16f8f20, ftLastWriteTime.dwHighDateTime=0x1d81dc9, nFileSizeHigh=0x0, nFileSizeLow=0x693c)) returned 1 [0295.635] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844620 | out: pbBuffer=0x12844620) returned 1 [0295.635] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145a0 | out: pbBuffer=0x129145a0) returned 1 [0295.635] ReadFile (in: hFile=0x468, lpBuffer=0x129fe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x129fe000*, lpNumberOfBytesRead=0x12a2bd1c*=0x693c, lpOverlapped=0x0) returned 1 [0295.636] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0x1) returned 0x102 [0295.638] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0295.638] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x334ffb20, ulCount=0x10, ulNumEntriesRemoved=0x334ffb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x334ffb20, ulNumEntriesRemoved=0x334ffb04) returned 0 [0295.638] SetEvent (hEvent=0x110) returned 1 [0295.638] SetEvent (hEvent=0x420) returned 1 [0295.638] GetFileType (hFile=0x468) returned 0x1 [0295.638] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.639] WriteFile (in: hFile=0x468, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x693c, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x12a2bd00*=0x693c, lpOverlapped=0x12a2bd0c) returned 1 [0295.647] GetFileType (hFile=0x468) returned 0x1 [0295.647] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x693c, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0295.647] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) Thread: id = 9 os_tid = 0x104c Thread: id = 10 os_tid = 0x3f0 [0125.999] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3392ff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3392ff30*=0x3c8) returned 1 [0125.999] VirtualQuery (in: lpAddress=0x3392ff40, lpBuffer=0x3392ff40, dwLength=0x1c | out: lpBuffer=0x3392ff40*(BaseAddress=0x3392f000, AllocationBase=0x33830000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0125.999] SwitchToThread () returned 1 [0126.083] SetEvent (hEvent=0x104) returned 1 [0126.083] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3cc [0126.083] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x744f) returned 0x0 [0126.480] SetEvent (hEvent=0x104) returned 1 [0126.480] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x38e6) returned 0x102 [0136.954] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffb) returned 0x102 [0147.578] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x11bbd) returned 0x0 [0157.624] SetEvent (hEvent=0x1b8) returned 1 [0157.624] SetEvent (hEvent=0x3f4) returned 1 [0157.635] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xf471) returned 0x102 [0167.637] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xcd55) returned 0x102 [0177.759] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xa5cb) returned 0x0 [0180.186] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0180.191] SetEvent (hEvent=0x3f4) returned 1 [0180.191] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x26be) returned 0x102 [0190.206] SetEvent (hEvent=0xf4) returned 1 [0190.206] SetEvent (hEvent=0x3f4) returned 1 [0190.206] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x752c) returned 0x0 [0196.639] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x270c) returned 0x102 [0206.655] SetEvent (hEvent=0xfc) returned 1 [0206.655] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x34eb) returned 0x0 [0208.693] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x270e) returned 0x102 [0218.795] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0218.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab-pk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1bc7bb71, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1bc7bb71, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0219.067] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab-pk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0219.067] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1bc7bb71, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1bc7bb71, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0219.068] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1bc7bb71, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1bc7bb71, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0219.068] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0219.068] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0219.068] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab-pk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0219.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0219.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0219.238] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0219.238] WriteFile (in: hFile=0x438, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0219.239] CloseHandle (hObject=0x438) returned 1 [0219.239] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1478f592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1478f592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x149cb731, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40)) returned 1 [0219.624] SetEvent (hEvent=0x420) returned 1 [0219.624] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4be92b64, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6aeebefe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6aeebefe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0219.792] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0219.792] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4be92b64, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6aeebefe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0219.837] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4be92b64, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6aeebefe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0220.071] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6915b22f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6915b22f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6915b22f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="af", cAlternateFileName="")) returned 1 [0220.071] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69941380, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69941380, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x69941380, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="am-et", cAlternateFileName="")) returned 1 [0220.071] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6abcad0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6abcad0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="amd64", cAlternateFileName="")) returned 1 [0220.071] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c2263c9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2263c9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c416268, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0220.071] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c711399, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c711399, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4efe5598, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0220.071] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f7329ea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7329ea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f7cb58f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0220.071] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f863ecc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f863ecc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x0, dwReserved1=0x0, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0220.071] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f96ed39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f96ed39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4fa075cf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa075cf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4fa075cf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4fc43cb2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501ed543, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x501ed543, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50390d5d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50390d5d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50390d5d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x505a6c82, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505f317e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x505f317e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5082f572, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x362c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncApi.dll", cAlternateFileName="FILESY~3.DLL")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50855780, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50855780, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50914269, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncClient.dll", cAlternateFileName="FILESY~4.DLL")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5096097b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5096097b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50a920f2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x238c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncConfig.exe", cAlternateFileName="FILESY~1.EXE")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ade11a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50ade11a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50fc8d11, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncSessions.dll", cAlternateFileName="FIFC38~1.DLL")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5103b5e0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5103b5e0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x511def4c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncShell.dll", cAlternateFileName="FI340C~1.DLL")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c2bee50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2bee50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c2bee50, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="is", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cfdbdcf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4cfdbdcf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4cfdbdcf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f5b5174, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f5b5174, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f5b5174, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f8fc8ef, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f8fc8ef, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ka", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50286173, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50286173, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50286173, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5050e68c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5050e68c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5050e68c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="km-kh", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x507bcfb7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x507bcfb7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x507bcfb7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kn", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b9ce08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50b9ce08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50b9ce08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50f3092d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50f3092d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50f3092d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kok", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5116c84b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5116c84b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5116c84b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ku-arab", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51467b17, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51467b17, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51467b17, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ky", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517161bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x517161bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x517161bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lb-lu", cAlternateFileName="")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5125164f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5125164f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x512e9fc5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LoggingPlatform.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0220.072] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x519787fb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x519787fb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519787fb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0220.073] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52990592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52990592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52990592, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0220.073] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53b98171, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x53b98171, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x53b98171, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mi-nz", cAlternateFileName="")) returned 1 [0220.073] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55f81a48, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55f81a48, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55f81a48, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mk", cAlternateFileName="")) returned 1 [0220.073] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5678da05, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5678da05, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5678da05, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ml-in", cAlternateFileName="")) returned 1 [0220.073] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56fbfa3c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56fbfa3c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56fbfa3c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mn", cAlternateFileName="")) returned 1 [0220.128] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57a07ba6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mr", cAlternateFileName="")) returned 1 [0220.128] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b3b2896, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b3b2896, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b3b2896, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ms", cAlternateFileName="")) returned 1 [0220.128] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51336474, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51336474, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x514da01f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0220.128] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51598aff, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51598aff, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51788816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0220.128] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cf8febe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5cf8febe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5cf8febe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mt-mt", cAlternateFileName="")) returned 1 [0220.128] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d5ac1b2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d5ac1b2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d5ac1b2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-no", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd6ba86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd6ba86, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd6ba86, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ne-np", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e23074d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e23074d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e23074d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e80018f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e80018f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e80018f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nn-no", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ec78c0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ec78c0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ec78c0d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nso-za", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518475c3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518475c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519eadfe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive.exe", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ff65328, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ff65328, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ff65328, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="or-in", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pa", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b701d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x629b701d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x629b701d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pa-arab", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x643f0dfd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x643f0dfd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x643f0dfd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pa-arab-pk", cAlternateFileName="PA-ARA~1")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64decb7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64decb7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64decb7e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65560215, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65560215, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65560215, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="prs-af", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661645b7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x661645b7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x661645b7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-br", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6761ad3f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6761ad3f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6761ad3f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67d68156, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67d68156, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67d68156, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qut-latn", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68501b94, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68501b94, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68501b94, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="quz-pe", cAlternateFileName="")) returned 1 [0220.129] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51aa9ab3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51aa9ab3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5456dd0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RemoteAccess.dll", cAlternateFileName="REMOTE~1.DLL")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6928c707, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6928c707, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6928c707, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69b573d0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69b573d0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x69b573d0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aeebefe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6aeebefe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6aeebefe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rw", cAlternateFileName="")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55880b0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55880b0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55b558b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x124b, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScreenshotLogo.png", cAlternateFileName="SCREEN~1.PNG")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ee912c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55ee912c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56931178, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScreenshotOptIn.png", cAlternateFileName="SCREEN~2.PNG")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56d10fdf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56d10fdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x571d59f7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57ef2857, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SqmWrapper.dll", cAlternateFileName="SQMWRA~1.DLL")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a649506, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a649506, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x624f252c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x3018c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SyncEngine.dll", cAlternateFileName="SYNCEN~1.DLL")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x641685fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x641685fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x494c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Telemetry.dll", cAlternateFileName="TELEME~1.DLL")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x650751e8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x650751e8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6596648d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x632c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VideoStreamingPlugin.dll", cAlternateFileName="VIDEOS~1.DLL")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6675a388, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6675a388, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x679d4966, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x684c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wlmfds.dll", cAlternateFileName="")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68b901fc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d6c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WnsClientApi.dll", cAlternateFileName="WNSCLI~1.DLL")) returned 1 [0220.130] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0220.130] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0220.175] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0220.176] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0220.177] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0220.178] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0220.178] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0220.179] CloseHandle (hObject=0x42c) returned 1 [0220.180] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c2263c9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2263c9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c416268, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0220.180] SetEvent (hEvent=0x420) returned 1 [0220.180] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c711399, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c711399, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4efe5598, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0220.224] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f7329ea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7329ea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f7cb58f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0220.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f863ecc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f863ecc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0222.260] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c711399, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c711399, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4efe5598, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0222.261] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929380 | out: pbBuffer=0x12929380) returned 1 [0222.261] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b228 | out: pbBuffer=0x12a9b228) returned 1 [0222.261] SwitchToThread () returned 1 [0222.473] ReadFile (in: hFile=0x15c, lpBuffer=0x12d32000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d32000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0222.573] GetFileType (hFile=0x15c) returned 0x1 [0222.573] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0222.574] WriteFile (in: hFile=0x15c, lpBuffer=0x12cd0000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12cd0000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0222.574] GetFileType (hFile=0x15c) returned 0x1 [0222.575] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0223.407] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0223.407] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0223.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b2f0 | out: pbBuffer=0x12a9b2f0) returned 1 [0223.429] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplaylogo.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0223.430] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0223.430] WriteFile (in: hFile=0x44c, lpBuffer=0x1285af00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285af00*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0223.487] CloseHandle (hObject=0x44c) returned 1 [0223.488] CloseHandle (hObject=0x42c) returned 1 [0223.645] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b308 | out: pbBuffer=0x12a9b308) returned 1 [0224.006] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplaylogo.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[C388F4E48BC57C14]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[c388f4e48bc57c14]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0224.448] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa075cf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4fa075cf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4fc43cb2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0224.497] SetEvent (hEvent=0x1b8) returned 1 [0224.497] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501ed543, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x501ed543, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50390d5d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0224.497] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50390d5d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50390d5d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x505a6c82, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0)) returned 1 [0224.566] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0224.624] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0224.698] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0224.726] SetEvent (hEvent=0x420) returned 1 [0224.726] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0224.727] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0224.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncclient.dll"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50855780, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50855780, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50914269, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0)) returned 1 [0224.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98800 | out: pbBuffer=0x12a98800) returned 1 [0224.727] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34990 | out: pbBuffer=0x12c34990) returned 1 [0224.728] ReadFile (in: hFile=0x450, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12b05d1c*=0x20000, lpOverlapped=0x0) returned 1 [0224.735] GetFileType (hFile=0x450) returned 0x1 [0224.735] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.736] WriteFile (in: hFile=0x450, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12b05d00, lpOverlapped=0x12b05d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12b05d00*=0x20000, lpOverlapped=0x12b05d0c) returned 1 [0224.736] GetFileType (hFile=0x450) returned 0x1 [0224.737] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0224.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0224.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0224.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34a48 | out: pbBuffer=0x12c34a48) returned 1 [0224.738] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncclient.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0224.738] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0224.738] WriteFile (in: hFile=0x438, lpBuffer=0x12a72000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b05d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a72000*, lpNumberOfBytesWritten=0x12b05d0c*=0x276, lpOverlapped=0x0) returned 1 [0224.742] CloseHandle (hObject=0x438) returned 1 [0224.747] SetEvent (hEvent=0x110) returned 1 [0224.747] CloseHandle (hObject=0x450) returned 1 [0224.849] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34a60 | out: pbBuffer=0x12c34a60) returned 1 [0224.849] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncclient.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[8B385CF1F4900546]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[8b385cf1f4900546]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0225.006] SwitchToThread () returned 1 [0225.015] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0225.094] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0225.173] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0225.525] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0225.557] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0225.567] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0225.766] SetEvent (hEvent=0x420) returned 1 [0225.768] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0225.782] SetEvent (hEvent=0x420) returned 1 [0225.792] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12827180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0225.794] CloseHandle (hObject=0x1a0) returned 1 [0225.794] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0225.831] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3392fb28, ulCount=0x10, ulNumEntriesRemoved=0x3392fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb28, ulNumEntriesRemoved=0x3392fb0c) returned 0 [0225.831] SetEvent (hEvent=0x3f4) returned 1 [0225.832] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0225.837] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0229.085] SetEvent (hEvent=0xfc) returned 1 [0229.085] SwitchToThread () returned 1 [0229.171] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0229.247] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0229.287] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0229.290] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3392fb28, ulCount=0x10, ulNumEntriesRemoved=0x3392fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb28, ulNumEntriesRemoved=0x3392fb0c) returned 0 [0229.290] SetEvent (hEvent=0x110) returned 1 [0229.302] SetEvent (hEvent=0xfc) returned 1 [0229.302] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0229.342] GetFileType (hFile=0x44c) returned 0x1 [0229.342] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.342] WriteFile (in: hFile=0x44c, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0229.343] GetFileType (hFile=0x44c) returned 0x1 [0229.343] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.343] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0229.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0229.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0229.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80b0 | out: pbBuffer=0x128e80b0) returned 1 [0229.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\filesyncapi64.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.345] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0229.345] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.346] CloseHandle (hObject=0x438) returned 1 [0229.346] CloseHandle (hObject=0x44c) returned 1 [0229.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80c8 | out: pbBuffer=0x128e80c8) returned 1 [0229.346] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\filesyncapi64.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\#_THIS_FILE_IS_ENCRYPTED_[694F8161E9025711]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\#_this_file_is_encrypted_[694f8161e9025711]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.348] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0229.348] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0229.348] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x509f95ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x509f95ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50a920f2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0229.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282a0 | out: pbBuffer=0x129282a0) returned 1 [0229.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8110 | out: pbBuffer=0x128e8110) returned 1 [0229.349] ReadFile (in: hFile=0x44c, lpBuffer=0x1295a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x1295a000*, lpNumberOfBytesRead=0x12be9d1c*=0x172c0, lpOverlapped=0x0) returned 1 [0229.405] GetFileType (hFile=0x44c) returned 0x1 [0229.405] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.405] WriteFile (in: hFile=0x44c, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x172c0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12be9d00*=0x172c0, lpOverlapped=0x12be9d0c) returned 1 [0229.406] GetFileType (hFile=0x44c) returned 0x1 [0229.406] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x172c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0229.407] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0229.407] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0229.407] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8418 | out: pbBuffer=0x128e8418) returned 1 [0229.408] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.408] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0229.408] WriteFile (in: hFile=0x458, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.408] CloseHandle (hObject=0x458) returned 1 [0229.410] CloseHandle (hObject=0x44c) returned 1 [0229.410] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8430 | out: pbBuffer=0x128e8430) returned 1 [0229.410] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\#_THIS_FILE_IS_ENCRYPTED_[6CC1EBF988AE0715]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\#_this_file_is_encrypted_[6cc1ebf988ae0715]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.411] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0229.412] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0229.412] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x513cef43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x513cef43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51467b17, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0229.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928680 | out: pbBuffer=0x12928680) returned 1 [0229.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8478 | out: pbBuffer=0x128e8478) returned 1 [0229.412] ReadFile (in: hFile=0x44c, lpBuffer=0x12b60000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b60000*, lpNumberOfBytesRead=0x12be9d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0229.420] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0229.568] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0229.693] GetFileType (hFile=0x44c) returned 0x1 [0229.693] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.693] WriteFile (in: hFile=0x44c, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12be9d00*=0x15cc0, lpOverlapped=0x12be9d0c) returned 1 [0229.694] GetFileType (hFile=0x44c) returned 0x1 [0229.694] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0229.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0229.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0229.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810220 | out: pbBuffer=0x12810220) returned 1 [0229.694] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.694] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0229.695] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.695] CloseHandle (hObject=0x458) returned 1 [0229.695] CloseHandle (hObject=0x44c) returned 1 [0229.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810238 | out: pbBuffer=0x12810238) returned 1 [0229.695] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\#_THIS_FILE_IS_ENCRYPTED_[62C198272128061B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\#_this_file_is_encrypted_[62c198272128061b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.697] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52990592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52eedb83, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52eedb83, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.794] SetEvent (hEvent=0x110) returned 1 [0229.794] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.795] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52990592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52990592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52eedb83, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0229.795] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52990592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52990592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52eedb83, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.795] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52eedb83, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52eedb83, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x53935b56, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.795] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.795] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0229.795] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.795] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.809] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.810] WriteFile (in: hFile=0x438, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.811] CloseHandle (hObject=0x438) returned 1 [0229.811] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52eedb83, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52eedb83, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x53935b56, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0229.816] SetEvent (hEvent=0x3f4) returned 1 [0229.816] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53b98171, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55a96ece, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55a96ece, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.817] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.817] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53b98171, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x53b98171, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55a96ece, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0229.818] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53b98171, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x53b98171, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55a96ece, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.818] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55a96ece, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55a96ece, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55d1f366, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.818] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.818] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0229.818] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.818] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.818] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0229.819] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.819] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.820] CloseHandle (hObject=0x42c) returned 1 [0229.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55a96ece, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55a96ece, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55d1f366, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0229.825] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55f81a48, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x562eeec6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x562eeec6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.826] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.826] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55f81a48, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55f81a48, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x562eeec6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0229.826] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55f81a48, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55f81a48, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x562eeec6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.826] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x562eeec6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x562eeec6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5668283e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.826] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.826] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0229.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.826] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.826] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.827] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.827] WriteFile (in: hFile=0x438, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.829] CloseHandle (hObject=0x438) returned 1 [0229.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x562eeec6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x562eeec6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5668283e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0229.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5678da05, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b938ba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.011] SetEvent (hEvent=0x110) returned 1 [0230.011] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.012] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5678da05, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5678da05, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b938ba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0230.012] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5678da05, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5678da05, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b938ba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.012] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56b938ba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56f011c0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x186c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.012] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.012] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0230.012] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.013] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.013] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.029] SetEvent (hEvent=0x110) returned 1 [0230.029] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.029] WriteFile (in: hFile=0x438, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.031] CloseHandle (hObject=0x438) returned 1 [0230.031] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56b938ba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56f011c0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x186c0)) returned 1 [0230.034] SetEvent (hEvent=0x1d0) returned 1 [0230.034] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56fbfa3c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57438001, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57438001, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.039] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.039] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56fbfa3c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56fbfa3c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57438001, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0230.039] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56fbfa3c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56fbfa3c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57438001, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.039] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57438001, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57438001, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5783de52, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.040] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.040] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0230.040] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.040] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.040] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.041] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.041] WriteFile (in: hFile=0x438, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.043] CloseHandle (hObject=0x438) returned 1 [0230.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57438001, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57438001, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5783de52, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0230.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x58a9209a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x58a9209a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.070] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.070] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x58a9209a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0230.071] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x58a9209a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.071] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58a9209a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x58a9209a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5acd7b5a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.071] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.071] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0230.071] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.071] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.071] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0230.077] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.077] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.079] CloseHandle (hObject=0x3e4) returned 1 [0230.079] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58a9209a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x58a9209a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5acd7b5a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0230.083] SetEvent (hEvent=0x110) returned 1 [0230.083] SetEvent (hEvent=0x40c) returned 1 [0230.083] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b3b2896, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5bdd475a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5bdd475a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.084] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.084] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b3b2896, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b3b2896, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5bdd475a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0230.084] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b3b2896, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b3b2896, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5bdd475a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.084] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bdd475a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5bdd475a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5cb63e92, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.084] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.084] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0230.085] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.085] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.085] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.086] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.086] WriteFile (in: hFile=0x438, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.087] CloseHandle (hObject=0x438) returned 1 [0230.087] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bdd475a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5bdd475a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5cb63e92, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0230.093] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcp120.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51336474, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51336474, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x514da01f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0)) returned 1 [0230.093] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcr120.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51598aff, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51598aff, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51788816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0)) returned 1 [0230.093] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cf8febe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d349bc1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d349bc1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0230.098] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0230.099] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cf8febe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5cf8febe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d349bc1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0230.099] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cf8febe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5cf8febe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d349bc1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0230.099] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d349bc1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d349bc1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d51389a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0230.099] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0230.099] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0230.099] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0230.099] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0230.100] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.101] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0230.101] WriteFile (in: hFile=0x42c, lpBuffer=0x12c37300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c37300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0230.103] CloseHandle (hObject=0x42c) returned 1 [0230.103] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d349bc1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d349bc1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d51389a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0230.103] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.104] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0230.104] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcr120.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51598aff, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51598aff, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51788816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0)) returned 1 [0230.104] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0230.104] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128496d0 | out: pbBuffer=0x128496d0) returned 1 [0230.104] ReadFile (in: hFile=0x42c, lpBuffer=0x12ca6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca6000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0230.141] GetFileType (hFile=0x42c) returned 0x1 [0230.141] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.142] WriteFile (in: hFile=0x42c, lpBuffer=0x12d6a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12d6a000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0230.142] GetFileType (hFile=0x42c) returned 0x1 [0230.142] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0230.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0230.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0230.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128497a8 | out: pbBuffer=0x128497a8) returned 1 [0230.143] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcr120.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0230.145] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0230.145] WriteFile (in: hFile=0x3e4, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.284] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0230.304] CloseHandle (hObject=0x3e4) returned 1 [0230.309] CloseHandle (hObject=0x42c) returned 1 [0230.331] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a158 | out: pbBuffer=0x12a9a158) returned 1 [0230.331] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcr120.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[BEACB5858B32EBB4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[beacb5858b32ebb4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.743] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0230.789] SetEvent (hEvent=0x40c) returned 1 [0230.789] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0230.790] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0230.790] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f222205, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5f222205, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5fc90822, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0)) returned 1 [0230.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0230.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0230.791] ReadFile (in: hFile=0x44c, lpBuffer=0x129b0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b0000*, lpNumberOfBytesRead=0x12829d1c*=0x16cc0, lpOverlapped=0x0) returned 1 [0230.857] GetFileType (hFile=0x44c) returned 0x1 [0230.857] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.857] WriteFile (in: hFile=0x44c, lpBuffer=0x129f0000*, nNumberOfBytesToWrite=0x16cc0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x129f0000*, lpNumberOfBytesWritten=0x12829d00*=0x16cc0, lpOverlapped=0x12829d0c) returned 1 [0230.858] GetFileType (hFile=0x44c) returned 0x1 [0230.858] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x16cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.858] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0230.858] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0230.859] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0230.859] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0230.859] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.859] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0230.859] WriteFile (in: hFile=0x438, lpBuffer=0x12854000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12854000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.859] CloseHandle (hObject=0x438) returned 1 [0230.860] CloseHandle (hObject=0x44c) returned 1 [0230.860] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0230.860] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\#_THIS_FILE_IS_ENCRYPTED_[E41E929CF408A88A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\#_this_file_is_encrypted_[e41e929cf408a88a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.901] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0230.908] SetEvent (hEvent=0x3f4) returned 1 [0230.908] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0230.909] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0230.909] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60e25c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60e25c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6129e362, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0230.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e460 | out: pbBuffer=0x1280e460) returned 1 [0230.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0230.910] ReadFile (in: hFile=0x44c, lpBuffer=0x12a08000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a08000*, lpNumberOfBytesRead=0x12be3d1c*=0x174c0, lpOverlapped=0x0) returned 1 [0231.617] SetEvent (hEvent=0x110) returned 1 [0231.618] GetFileType (hFile=0x44c) returned 0x1 [0231.618] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.618] WriteFile (in: hFile=0x44c, lpBuffer=0x12ca4000*, nNumberOfBytesToWrite=0x174c0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12ca4000*, lpNumberOfBytesWritten=0x12be3d00*=0x174c0, lpOverlapped=0x12be3d0c) returned 1 [0231.619] GetFileType (hFile=0x44c) returned 0x1 [0231.619] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x174c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.642] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0231.642] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0231.643] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0231.659] SetEvent (hEvent=0x1d0) returned 1 [0231.659] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0231.670] SetEvent (hEvent=0x1b8) returned 1 [0231.670] SetEvent (hEvent=0x40c) returned 1 [0231.670] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0231.676] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0231.677] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3392fb28, ulCount=0x10, ulNumEntriesRemoved=0x3392fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3392fb28, ulNumEntriesRemoved=0x3392fb0c) returned 0 [0231.677] SetEvent (hEvent=0x1b8) returned 1 [0231.677] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1) returned 0x0 [0231.685] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0231.767] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0231.778] SetEvent (hEvent=0x3f4) returned 1 [0231.778] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.778] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.779] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40775fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40775fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd410ff09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0231.779] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928260 | out: pbBuffer=0x12928260) returned 1 [0231.779] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a028 | out: pbBuffer=0x12a9a028) returned 1 [0231.779] ReadFile (in: hFile=0x438, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12be5d1c*=0x16da, lpOverlapped=0x0) returned 1 [0231.789] GetFileType (hFile=0x438) returned 0x1 [0231.789] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.789] WriteFile (in: hFile=0x438, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x16da, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12be5d00*=0x16da, lpOverlapped=0x12be5d0c) returned 1 [0231.790] GetFileType (hFile=0x438) returned 0x1 [0231.790] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x16da, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0231.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0231.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0231.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a110 | out: pbBuffer=0x12a9a110) returned 1 [0231.791] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\collectonedrivelogs.bat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.791] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.791] WriteFile (in: hFile=0x42c, lpBuffer=0x12aee000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee000*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.791] CloseHandle (hObject=0x42c) returned 1 [0231.875] CloseHandle (hObject=0x438) returned 1 [0231.877] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a128 | out: pbBuffer=0x12a9a128) returned 1 [0231.877] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\collectonedrivelogs.bat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[3191AA62ED9FB028]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[3191aa62ed9fb028]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.996] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0231.996] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc09dbdb, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc09dbdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdc9dad7b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0231.997] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286e0 | out: pbBuffer=0x129286e0) returned 1 [0231.997] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2b8 | out: pbBuffer=0x12a9a2b8) returned 1 [0231.997] ReadFile (in: hFile=0x438, lpBuffer=0x12d64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d64000*, lpNumberOfBytesRead=0x12be7d1c*=0x140c0, lpOverlapped=0x0) returned 1 [0232.062] GetFileType (hFile=0x438) returned 0x1 [0232.062] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0232.062] WriteFile (in: hFile=0x438, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x140c0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12be7d00*=0x140c0, lpOverlapped=0x12be7d0c) returned 1 [0232.063] GetFileType (hFile=0x438) returned 0x1 [0232.063] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x140c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0232.064] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0232.064] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af81 | out: pbBuffer=0x1286af81) returned 1 [0232.064] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b101 | out: pbBuffer=0x1286b101) returned 1 [0232.064] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a430 | out: pbBuffer=0x12a9a430) returned 1 [0232.064] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.localizedresources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0232.065] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0232.065] WriteFile (in: hFile=0x3e4, lpBuffer=0x12aeef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aeef00*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0232.065] CloseHandle (hObject=0x3e4) returned 1 [0232.078] CloseHandle (hObject=0x438) returned 1 [0232.083] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a558 | out: pbBuffer=0x12a9a558) returned 1 [0232.083] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.localizedresources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[36051EC158236E34]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[36051ec158236e34]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0233.800] SetEvent (hEvent=0x1d0) returned 1 [0233.800] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xffffffff) returned 0x0 [0234.108] SetEvent (hEvent=0x40c) returned 1 [0234.272] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc081 | out: pbBuffer=0x12afc081) returned 1 [0234.272] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0234.510] SetEvent (hEvent=0xf4) returned 1 [0234.510] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x134cd) returned 0x0 [0235.987] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x270c) returned 0x102 [0245.988] SetEvent (hEvent=0x19c) returned 1 [0245.988] SetEvent (hEvent=0x40c) returned 1 [0245.988] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1377a) returned 0x102 [0255.999] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x1105f) returned 0x102 [0266.054] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xe918) returned 0x102 [0276.103] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0xc1d8) returned 0x102 [0286.200] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x9a75) returned 0x0 [0289.140] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x746b) returned 0x102 [0299.180] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x4d3e) returned 0x102 [0309.194] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x2615) Thread: id = 11 os_tid = 0x924 [0126.185] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x33a6ff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x33a6ff30*=0x3dc) returned 1 [0126.185] VirtualQuery (in: lpAddress=0x33a6ff40, lpBuffer=0x33a6ff40, dwLength=0x1c | out: lpBuffer=0x33a6ff40*(BaseAddress=0x33a6f000, AllocationBase=0x33970000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0126.185] SetEvent (hEvent=0x104) returned 1 [0126.186] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e0 [0126.186] GetConsoleMode (in: hConsoleHandle=0x3e0, lpMode=0x12a95d0c | out: lpMode=0x12a95d0c) returned 0 [0126.187] GetFileAttributesExW (in: lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), fInfoLevelId=0x0, lpFileInformation=0x12a95ad0 | out: lpFileInformation=0x12a95ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1)) returned 1 [0126.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0126.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0126.196] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x33a70000 [0126.197] ReadFile (in: hFile=0x3e0, lpBuffer=0x12aa4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a95d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa4000*, lpNumberOfBytesRead=0x12a95d1c*=0x1, lpOverlapped=0x0) returned 1 [0126.199] GetProcAddress (hModule=0x75600000, lpProcName="GetFileType") returned 0x75626aa0 [0126.199] GetFileType (hFile=0x3e0) returned 0x1 [0126.200] GetProcAddress (hModule=0x75600000, lpProcName="SetFilePointerEx") returned 0x75626c50 [0126.200] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a95ce4 | out: lpNewFilePointer=0x0) returned 1 [0126.200] WriteFile (in: hFile=0x3e0, lpBuffer=0x12a9a010*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x12a95d00, lpOverlapped=0x12a95d0c | out: lpBuffer=0x12a9a010*, lpNumberOfBytesWritten=0x12a95d00*=0x1, lpOverlapped=0x12a95d0c) returned 1 [0126.200] GetFileType (hFile=0x3e0) returned 0x1 [0126.200] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x1, lpNewFilePointer=0x0, dwMoveMethod=0x12a95ce4 | out: lpNewFilePointer=0x0) returned 1 [0126.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0126.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0126.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0127.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d8 | out: pbBuffer=0x12a9a0d8) returned 1 [0127.786] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0127.786] GetConsoleMode (in: hConsoleHandle=0x3d8, lpMode=0x12a95d0c | out: lpMode=0x12a95d0c) returned 0 [0127.786] WriteFile (in: hFile=0x3d8, lpBuffer=0x12bac000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a95d0c, lpOverlapped=0x0 | out: lpBuffer=0x12bac000*, lpNumberOfBytesWritten=0x12a95d0c*=0x276, lpOverlapped=0x0) returned 1 [0127.787] CloseHandle (hObject=0x3d8) returned 1 [0127.788] CloseHandle (hObject=0x3e0) returned 1 [0127.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0f0 | out: pbBuffer=0x12a9a0f0) returned 1 [0128.139] LoadLibraryExW (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x800) returned 0x75600000 [0128.385] GetProcAddress (hModule=0x75600000, lpProcName="MoveFileExW") returned 0x7561b2b0 [0128.386] MoveFileExW (lpExistingFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="C:\\\\#_THIS_FILE_IS_ENCRYPTED_[4DDC4E26F3012C76]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\#_this_file_is_encrypted_[4ddc4e26f3012c76]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0128.805] SetEvent (hEvent=0x104) returned 1 [0129.251] VirtualAlloc (lpAddress=0x12bfc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12bfc000 [0129.515] WSASend (in: s=0x3e4, lpBuffers=0x12b1c0b4*=((len=0x6b, buf=0x12bf1000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x12b1c0a8, dwFlags=0x0, lpOverlapped=0x12b1c088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x12b1c0a8*=0x6b, lpOverlapped=0x12b1c088) returned 0 [0129.517] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.518] VirtualAlloc (lpAddress=0x12bfe000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12bfe000 [0129.518] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0129.518] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.519] VirtualAlloc (lpAddress=0x12c16000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c16000 [0129.519] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf\\*", lpFindFileData=0x12a95a44 | out: lpFindFileData=0x12a95a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0129.519] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3f4 [0129.519] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0130.107] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.107] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.107] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0130.185] SetEvent (hEvent=0x10c) returned 1 [0130.185] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.185] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf\\*", lpFindFileData=0x12a95a44 | out: lpFindFileData=0x12a95a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.185] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0130.603] SetEvent (hEvent=0x10c) returned 1 [0130.603] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.603] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.603] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0130.786] SetEvent (hEvent=0x10c) returned 1 [0130.786] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.787] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.787] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.787] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf\\*", lpFindFileData=0x12a95a44 | out: lpFindFileData=0x12a95a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.787] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.787] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.787] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.787] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.787] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0130.935] VirtualAlloc (lpAddress=0x12c40000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c40000 [0130.935] VirtualAlloc (lpAddress=0x12c42000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c42000 [0130.935] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44d760, lpParameter=0x12c40000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d8 [0130.936] CloseHandle (hObject=0x3d8) returned 1 [0130.936] SetEvent (hEvent=0x1b8) returned 1 [0130.936] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0130.961] SwitchToThread () returned 1 [0130.975] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0130.979] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0131.090] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0131.118] SetEvent (hEvent=0x1d0) returned 1 [0131.118] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0131.136] SetEvent (hEvent=0x1d0) returned 1 [0131.136] SetEvent (hEvent=0x3f8) returned 1 [0131.136] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0131.136] SwitchToThread () returned 1 [0131.151] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0131.165] SetEvent (hEvent=0x3f8) returned 1 [0131.165] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.165] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.166] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.166] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.166] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0131.586] SetEvent (hEvent=0x3f8) returned 1 [0131.586] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.586] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.586] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0131.612] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0131.657] SetEvent (hEvent=0x3f8) returned 1 [0131.670] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.671] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.672] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.672] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.672] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0131.706] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0131.815] SetEvent (hEvent=0x3f8) returned 1 [0131.816] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.816] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.826] ReadFile (in: hFile=0x408, lpBuffer=0x128ee000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x12820eb8, lpOverlapped=0x0 | out: lpBuffer=0x128ee000*, lpNumberOfBytesRead=0x12820eb8*=0x2, lpOverlapped=0x0) returned 1 [0157.191] GetProcAddress (hModule=0x75600000, lpProcName="GetExitCodeProcess") returned 0x7561fdb0 [0157.191] GetExitCodeProcess (in: hProcess=0x424, lpExitCode=0x12927cfc | out: lpExitCode=0x12927cfc*=0x0) returned 1 [0157.390] GetProcAddress (hModule=0x75600000, lpProcName="GetProcessTimes") returned 0x75623dc0 [0157.390] GetProcessTimes (in: hProcess=0x424, lpCreationTime=0x12845a00, lpExitTime=0x12845a08, lpKernelTime=0x12845a10, lpUserTime=0x12845a18 | out: lpCreationTime=0x12845a00, lpExitTime=0x12845a08, lpKernelTime=0x12845a10, lpUserTime=0x12845a18) returned 1 [0157.421] CloseHandle (hObject=0x424) returned 1 [0157.538] SetEvent (hEvent=0x3cc) returned 1 [0157.539] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0157.803] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0158.712] SetEvent (hEvent=0x1d0) returned 1 [0158.722] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.724] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0158.724] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0158.837] SetEvent (hEvent=0x1d0) returned 1 [0158.837] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.837] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0158.838] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.838] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0158.838] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0158.949] SetEvent (hEvent=0x1d0) returned 1 [0158.954] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0158.954] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0158.954] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0159.269] SetEvent (hEvent=0x1d0) returned 1 [0159.269] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.270] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.271] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0159.487] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0159.593] SetEvent (hEvent=0x1d0) returned 1 [0159.593] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.593] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.594] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.594] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.594] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0159.742] SetEvent (hEvent=0x1d0) returned 1 [0159.742] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.742] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.743] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.743] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.743] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0159.846] SetEvent (hEvent=0x1d0) returned 1 [0159.847] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.847] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.847] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0159.946] SetEvent (hEvent=0x1d0) returned 1 [0159.946] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0159.947] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0159.947] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0160.118] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6facc, ulCount=0x10, ulNumEntriesRemoved=0x33a6fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6facc, ulNumEntriesRemoved=0x33a6fab0) returned 0 [0160.119] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6facc, ulCount=0x10, ulNumEntriesRemoved=0x33a6fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x33a6facc, ulNumEntriesRemoved=0x33a6fab0) returned 1 [0176.609] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x33a6faac, fWait=0, lpdwFlags=0x33a6fabc | out: lpcbTransfer=0x33a6faac, lpdwFlags=0x33a6fabc) returned 1 [0176.657] SetEvent (hEvent=0xf4) returned 1 [0176.657] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0176.677] SetEvent (hEvent=0x420) returned 1 [0177.163] SetEvent (hEvent=0x19c) returned 1 [0177.163] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0180.195] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0180.483] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0180.483] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.483] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0180.525] SetEvent (hEvent=0x110) returned 1 [0180.525] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0180.525] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xd1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0180.525] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa134b56b, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa134b56b, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0180.525] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0180.525] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0180.526] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0180.527] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0180.528] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0180.528] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0180.528] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0180.529] WriteFile (in: hFile=0x428, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0180.530] CloseHandle (hObject=0x428) returned 1 [0180.530] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa134b56b, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa134b56b, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0180.530] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0180.546] SetEvent (hEvent=0x19c) returned 1 [0180.546] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0180.594] SetEvent (hEvent=0x420) returned 1 [0180.594] SetEvent (hEvent=0xf4) returned 1 [0180.594] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0181.043] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0181.114] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.115] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.115] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d7b677, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d7b677, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0da18e6, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8a0)) returned 1 [0181.115] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0181.115] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145c0 | out: pbBuffer=0x129145c0) returned 1 [0181.116] ReadFile (in: hFile=0x3c4, lpBuffer=0x129ea000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x129ea000*, lpNumberOfBytesRead=0x12a63d1c*=0x8a0, lpOverlapped=0x0) returned 1 [0181.146] GetFileType (hFile=0x3c4) returned 0x1 [0181.147] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.147] WriteFile (in: hFile=0x3c4, lpBuffer=0x1286e000*, nNumberOfBytesToWrite=0x8a0, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x1286e000*, lpNumberOfBytesWritten=0x12a63d00*=0x8a0, lpOverlapped=0x12a63d0c) returned 1 [0181.147] GetFileType (hFile=0x3c4) returned 0x1 [0181.147] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x8a0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0181.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0181.148] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0181.148] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914688 | out: pbBuffer=0x12914688) returned 1 [0181.148] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.148] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.148] WriteFile (in: hFile=0x428, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.148] CloseHandle (hObject=0x428) returned 1 [0181.160] CloseHandle (hObject=0x3c4) returned 1 [0181.182] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0181.203] SetEvent (hEvent=0x420) returned 1 [0181.203] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0181.387] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0181.436] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0181.529] SetEvent (hEvent=0x3f8) returned 1 [0181.529] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139)) returned 1 [0181.529] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0181.728] SetEvent (hEvent=0x420) returned 1 [0181.728] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0182.163] SetEvent (hEvent=0x1d0) returned 1 [0182.163] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0182.214] SetEvent (hEvent=0x1d0) returned 1 [0182.214] SetEvent (hEvent=0xfc) returned 1 [0182.215] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.215] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0182.215] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f)) returned 1 [0182.215] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844080 | out: pbBuffer=0x12844080) returned 1 [0182.215] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0182.215] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x93f, lpOverlapped=0x0) returned 1 [0182.317] SetEvent (hEvent=0x110) returned 1 [0182.317] GetFileType (hFile=0x1a0) returned 0x1 [0182.317] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.318] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a74a80*, nNumberOfBytesToWrite=0x93f, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a74a80*, lpNumberOfBytesWritten=0x12829d00*=0x93f, lpOverlapped=0x12829d0c) returned 1 [0182.318] GetFileType (hFile=0x1a0) returned 0x1 [0182.318] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x93f, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0182.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0182.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0182.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a318 | out: pbBuffer=0x12a9a318) returned 1 [0182.319] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0182.320] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0182.320] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.320] CloseHandle (hObject=0x3c4) returned 1 [0182.321] CloseHandle (hObject=0x1a0) returned 1 [0182.321] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a330 | out: pbBuffer=0x12a9a330) returned 1 [0182.321] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[99FB2980437485AD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\#_this_file_is_encrypted_[99fb2980437485ad]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.379] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\rdhj0cnfevzx.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.379] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0182.379] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\rdhj0cnfevzx.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d47fe2c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.380] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ef40 | out: pbBuffer=0x1280ef40) returned 1 [0182.380] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8080 | out: pbBuffer=0x128e8080) returned 1 [0182.380] ReadFile (in: hFile=0x1a0, lpBuffer=0x129a6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a6000*, lpNumberOfBytesRead=0x12a61d1c*=0x0, lpOverlapped=0x0) returned 1 [0182.380] CloseHandle (hObject=0x1a0) returned 1 [0182.380] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.380] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db\\*", lpFindFileData=0x12a63a44 | out: lpFindFileData=0x12a63a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.380] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0182.395] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-192.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0182.395] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.395] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-192.png"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x967)) returned 1 [0182.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128440a0 | out: pbBuffer=0x128440a0) returned 1 [0182.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810048 | out: pbBuffer=0x12810048) returned 1 [0182.396] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a63d1c*=0x967, lpOverlapped=0x0) returned 1 [0182.397] GetFileType (hFile=0x3c4) returned 0x1 [0182.397] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.397] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a94000*, nNumberOfBytesToWrite=0x967, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12a94000*, lpNumberOfBytesWritten=0x12a63d00*=0x967, lpOverlapped=0x12a63d0c) returned 1 [0182.397] GetFileType (hFile=0x3c4) returned 0x1 [0182.397] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x967, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.397] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0182.397] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0182.397] SetEvent (hEvent=0xf4) returned 1 [0182.398] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0182.398] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0182.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810130 | out: pbBuffer=0x12810130) returned 1 [0182.399] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-192.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0182.399] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.399] WriteFile (in: hFile=0x438, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.399] CloseHandle (hObject=0x438) returned 1 [0182.401] CloseHandle (hObject=0x3c4) returned 1 [0182.401] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810148 | out: pbBuffer=0x12810148) returned 1 [0182.401] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-192.png"), lpNewFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\#_THIS_FILE_IS_ENCRYPTED_[0755F82E35FD798E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\user account pictures\\#_this_file_is_encrypted_[0755f82e35fd798e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.402] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-40.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0182.402] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.402] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-40.png"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b1)) returned 1 [0182.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844a80 | out: pbBuffer=0x12844a80) returned 1 [0182.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810190 | out: pbBuffer=0x12810190) returned 1 [0182.402] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a63d1c*=0x1b1, lpOverlapped=0x0) returned 1 [0182.403] GetFileType (hFile=0x3c4) returned 0x1 [0182.403] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.403] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a80540*, nNumberOfBytesToWrite=0x1b1, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12a80540*, lpNumberOfBytesWritten=0x12a63d00*=0x1b1, lpOverlapped=0x12a63d0c) returned 1 [0182.404] GetFileType (hFile=0x3c4) returned 0x1 [0182.404] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x1b1, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0182.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0182.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab01 | out: pbBuffer=0x1286ab01) returned 1 [0182.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810368 | out: pbBuffer=0x12810368) returned 1 [0182.404] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-40.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0182.404] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.405] WriteFile (in: hFile=0x438, lpBuffer=0x128ac500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ac500*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.540] SetEvent (hEvent=0x110) returned 1 [0182.540] CloseHandle (hObject=0x438) returned 1 [0182.547] CloseHandle (hObject=0x3c4) returned 1 [0182.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0182.548] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-40.png"), lpNewFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\#_THIS_FILE_IS_ENCRYPTED_[E8F0A05603BAC944]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\user account pictures\\#_this_file_is_encrypted_[e8f0a05603bac944]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.549] SetEvent (hEvent=0x19c) returned 1 [0182.549] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-48.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0182.549] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.549] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-48.png"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1f5)) returned 1 [0182.549] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0182.549] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a048 | out: pbBuffer=0x12a9a048) returned 1 [0182.549] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a63d1c*=0x1f5, lpOverlapped=0x0) returned 1 [0182.551] GetFileType (hFile=0x3c4) returned 0x1 [0182.551] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.551] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c28200*, nNumberOfBytesToWrite=0x1f5, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12c28200*, lpNumberOfBytesWritten=0x12a63d00*=0x1f5, lpOverlapped=0x12a63d0c) returned 1 [0182.551] GetFileType (hFile=0x3c4) returned 0x1 [0182.551] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x1f5, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0182.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0182.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae01 | out: pbBuffer=0x1286ae01) returned 1 [0182.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a110 | out: pbBuffer=0x12a9a110) returned 1 [0182.552] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-48.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0182.552] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.552] WriteFile (in: hFile=0x438, lpBuffer=0x128aca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x128aca00*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.604] CloseHandle (hObject=0x438) returned 1 [0182.606] CloseHandle (hObject=0x3c4) returned 1 [0182.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a128 | out: pbBuffer=0x12a9a128) returned 1 [0182.606] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-48.png"), lpNewFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\#_THIS_FILE_IS_ENCRYPTED_[AAD4492FAC4DAC28]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\user account pictures\\#_this_file_is_encrypted_[aad4492fac4dac28]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.607] SetEvent (hEvent=0x19c) returned 1 [0182.608] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0182.608] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.608] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x6e)) returned 1 [0182.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844540 | out: pbBuffer=0x12844540) returned 1 [0182.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a170 | out: pbBuffer=0x12a9a170) returned 1 [0182.608] ReadFile (in: hFile=0x3c4, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a63d1c*=0x6e, lpOverlapped=0x0) returned 1 [0182.609] GetFileType (hFile=0x3c4) returned 0x1 [0182.610] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.610] WriteFile (in: hFile=0x3c4, lpBuffer=0x128540e0*, nNumberOfBytesToWrite=0x6e, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x128540e0*, lpNumberOfBytesWritten=0x12a63d00*=0x6e, lpOverlapped=0x12a63d0c) returned 1 [0182.610] GetFileType (hFile=0x3c4) returned 0x1 [0182.610] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x6e, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b101 | out: pbBuffer=0x1286b101) returned 1 [0182.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b201 | out: pbBuffer=0x1286b201) returned 1 [0182.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b301 | out: pbBuffer=0x1286b301) returned 1 [0182.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a248 | out: pbBuffer=0x12a9a248) returned 1 [0182.611] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0182.611] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.611] WriteFile (in: hFile=0x438, lpBuffer=0x128acf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x128acf00*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.679] CloseHandle (hObject=0x438) returned 1 [0182.681] CloseHandle (hObject=0x3c4) returned 1 [0182.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a260 | out: pbBuffer=0x12a9a260) returned 1 [0182.681] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch"), lpNewFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\#_THIS_FILE_IS_ENCRYPTED_[44BE36966166B9B4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\#_this_file_is_encrypted_[44be36966166b9b4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.683] SetEvent (hEvent=0x19c) returned 1 [0182.683] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0182.683] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.683] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x106)) returned 1 [0182.683] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845020 | out: pbBuffer=0x12845020) returned 1 [0182.683] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2a8 | out: pbBuffer=0x12a9a2a8) returned 1 [0182.684] ReadFile (in: hFile=0x3c4, lpBuffer=0x12d36000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d36000*, lpNumberOfBytesRead=0x12a63d1c*=0x106, lpOverlapped=0x0) returned 1 [0182.687] GetFileType (hFile=0x3c4) returned 0x1 [0182.688] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.688] WriteFile (in: hFile=0x3c4, lpBuffer=0x12922480*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12922480*, lpNumberOfBytesWritten=0x12a63d00*=0x106, lpOverlapped=0x12a63d0c) returned 1 [0182.688] GetFileType (hFile=0x3c4) returned 0x1 [0182.688] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x106, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.688] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b481 | out: pbBuffer=0x1286b481) returned 1 [0182.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b581 | out: pbBuffer=0x1286b581) returned 1 [0182.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b681 | out: pbBuffer=0x1286b681) returned 1 [0182.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a360 | out: pbBuffer=0x12a9a360) returned 1 [0182.689] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0182.689] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0182.690] WriteFile (in: hFile=0x438, lpBuffer=0x128ad400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ad400*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.732] CloseHandle (hObject=0x438) returned 1 [0182.733] CloseHandle (hObject=0x3c4) returned 1 [0182.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a378 | out: pbBuffer=0x12a9a378) returned 1 [0182.734] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch"), lpNewFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\#_THIS_FILE_IS_ENCRYPTED_[9DC305D35B50F53F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\#_this_file_is_encrypted_[9dc305d35b50f53f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.735] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0182.884] SetEvent (hEvent=0xfc) returned 1 [0182.884] SetEvent (hEvent=0x420) returned 1 [0182.885] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0182.941] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.942] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0182.942] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b027600, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x1b027600, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x1b027600, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x4f83ae)) returned 1 [0182.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0182.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0182.942] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0182.963] GetFileType (hFile=0x1a0) returned 0x1 [0182.963] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0182.963] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0182.964] GetFileType (hFile=0x1a0) returned 0x1 [0182.964] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0182.964] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0182.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0182.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0182.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0182.967] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0182.967] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0182.967] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0182.996] CloseHandle (hObject=0x448) returned 1 [0183.879] CloseHandle (hObject=0x1a0) returned 1 [0183.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810360 | out: pbBuffer=0x12810360) returned 1 [0183.880] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\#_THIS_FILE_IS_ENCRYPTED_[6D4D00FECC3423B7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\#_this_file_is_encrypted_[6d4d00fecc3423b7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0184.015] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0184.138] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0186.221] SetEvent (hEvent=0x1d0) returned 1 [0186.221] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0186.790] SetEvent (hEvent=0xfc) returned 1 [0186.790] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0186.811] SetEvent (hEvent=0xfc) returned 1 [0186.811] SetEvent (hEvent=0x3f8) returned 1 [0186.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800501 | out: pbBuffer=0x12800501) returned 1 [0186.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0186.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914088 | out: pbBuffer=0x12914088) returned 1 [0186.812] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0186.812] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12b17d0c | out: lpMode=0x12b17d0c) returned 0 [0186.812] WriteFile (in: hFile=0x448, lpBuffer=0x12a70000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b17d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a70000*, lpNumberOfBytesWritten=0x12b17d0c*=0x276, lpOverlapped=0x0) returned 1 [0186.935] CloseHandle (hObject=0x448) returned 1 [0187.027] CloseHandle (hObject=0x3c4) returned 1 [0187.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0b8 | out: pbBuffer=0x12a9a0b8) returned 1 [0187.028] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), lpNewFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\#_THIS_FILE_IS_ENCRYPTED_[9BD37722C17DA038]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\#_this_file_is_encrypted_[9bd37722c17da038]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.029] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0187.033] SetEvent (hEvent=0x420) returned 1 [0187.034] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.034] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0187.034] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f5b500, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x4f5b500, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x4f5b500, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x55f0fd)) returned 1 [0187.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0187.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101e0 | out: pbBuffer=0x128101e0) returned 1 [0187.035] ReadFile (in: hFile=0x3c4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12d35d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.051] GetFileType (hFile=0x3c4) returned 0x1 [0187.051] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.051] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d0e000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12d0e000*, lpNumberOfBytesWritten=0x12d35d00*=0x20000, lpOverlapped=0x12d35d0c) returned 1 [0187.052] GetFileType (hFile=0x3c4) returned 0x1 [0187.052] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.052] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0187.052] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0187.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0187.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102b8 | out: pbBuffer=0x128102b8) returned 1 [0187.053] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0187.053] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0187.053] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a60a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60a00*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.151] CloseHandle (hObject=0x1a0) returned 1 [0187.654] CloseHandle (hObject=0x3c4) returned 1 [0187.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848000 | out: pbBuffer=0x12848000) returned 1 [0187.655] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\#_THIS_FILE_IS_ENCRYPTED_[46E68FC1FBA99B1F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\#_this_file_is_encrypted_[46e68fc1fba99b1f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.656] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.656] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0187.657] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0187.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0187.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848048 | out: pbBuffer=0x12848048) returned 1 [0187.657] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.678] GetFileType (hFile=0x3c4) returned 0x1 [0187.678] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.678] WriteFile (in: hFile=0x3c4, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0187.679] GetFileType (hFile=0x3c4) returned 0x1 [0187.679] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.679] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0187.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0187.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0187.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483d0 | out: pbBuffer=0x128483d0) returned 1 [0187.680] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.680] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0187.680] WriteFile (in: hFile=0x448, lpBuffer=0x12916000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12916000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.681] CloseHandle (hObject=0x448) returned 1 [0187.681] CloseHandle (hObject=0x3c4) returned 1 [0187.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483e8 | out: pbBuffer=0x128483e8) returned 1 [0187.681] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\#_THIS_FILE_IS_ENCRYPTED_[95BAD82EFC43A907]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\#_this_file_is_encrypted_[95bad82efc43a907]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.682] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0187.723] SetEvent (hEvent=0x420) returned 1 [0187.723] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.724] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0187.724] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0187.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0187.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848440 | out: pbBuffer=0x12848440) returned 1 [0187.724] ReadFile (in: hFile=0x428, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12d35d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.760] GetFileType (hFile=0x428) returned 0x1 [0187.760] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.760] WriteFile (in: hFile=0x428, lpBuffer=0x129d6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x129d6000*, lpNumberOfBytesWritten=0x12d35d00*=0x20000, lpOverlapped=0x12d35d0c) returned 1 [0187.761] GetFileType (hFile=0x428) returned 0x1 [0187.761] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.761] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0187.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0187.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0187.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848518 | out: pbBuffer=0x12848518) returned 1 [0187.762] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0187.762] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0187.762] WriteFile (in: hFile=0x42c, lpBuffer=0x12916500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12916500*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.763] CloseHandle (hObject=0x42c) returned 1 [0187.763] CloseHandle (hObject=0x428) returned 1 [0187.763] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848540 | out: pbBuffer=0x12848540) returned 1 [0187.763] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\#_THIS_FILE_IS_ENCRYPTED_[6A78DECE2ED74034]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\#_this_file_is_encrypted_[6a78dece2ed74034]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.765] SwitchToThread () returned 1 [0187.778] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.778] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0187.778] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x12d31ad0 | out: lpFileInformation=0x12d31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca02a400, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xca02a400, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xca02a400, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0187.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844900 | out: pbBuffer=0x12844900) returned 1 [0187.779] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848588 | out: pbBuffer=0x12848588) returned 1 [0187.781] ReadFile (in: hFile=0x428, lpBuffer=0x12a16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a16000*, lpNumberOfBytesRead=0x12d31d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.800] GetFileType (hFile=0x428) returned 0x1 [0187.801] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.801] WriteFile (in: hFile=0x428, lpBuffer=0x12d04000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d31d00, lpOverlapped=0x12d31d0c | out: lpBuffer=0x12d04000*, lpNumberOfBytesWritten=0x12d31d00*=0x20000, lpOverlapped=0x12d31d0c) returned 1 [0187.802] GetFileType (hFile=0x428) returned 0x1 [0187.802] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a01 | out: pbBuffer=0x12834a01) returned 1 [0187.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0187.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0187.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128486a0 | out: pbBuffer=0x128486a0) returned 1 [0187.803] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.803] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0187.803] WriteFile (in: hFile=0x3c4, lpBuffer=0x12916a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12916a00*, lpNumberOfBytesWritten=0x12d31d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.804] CloseHandle (hObject=0x3c4) returned 1 [0187.804] CloseHandle (hObject=0x428) returned 1 [0187.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128486b8 | out: pbBuffer=0x128486b8) returned 1 [0187.804] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\#_THIS_FILE_IS_ENCRYPTED_[0D405231CFAFDA97]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\#_this_file_is_encrypted_[0d405231cfafda97]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.805] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0187.839] SetEvent (hEvent=0x1d0) returned 1 [0187.839] SetEvent (hEvent=0xfc) returned 1 [0187.839] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0187.855] SetEvent (hEvent=0x420) returned 1 [0187.855] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0187.860] SetEvent (hEvent=0x420) returned 1 [0187.860] SetEvent (hEvent=0x19c) returned 1 [0187.860] WriteFile (in: hFile=0x428, lpBuffer=0x12d24000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0187.862] CloseHandle (hObject=0x428) returned 1 [0187.862] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3166700, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc3166700, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc3166700, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520)) returned 1 [0187.863] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf82e000, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xbf82e000, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xbf82e000, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000)) returned 1 [0187.863] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f2d0b1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.863] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.863] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f2d0b1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0187.864] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f2d0b1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.864] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa0211772, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0187.864] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x39d18a7e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0187.864] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.864] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0187.864] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.864] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.864] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.877] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.877] WriteFile (in: hFile=0x448, lpBuffer=0x12d25300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d25300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.879] CloseHandle (hObject=0x448) returned 1 [0187.879] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa0211772, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272)) returned 1 [0187.881] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x39d18a7e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f398)) returned 1 [0187.907] SetEvent (hEvent=0x19c) returned 1 [0187.907] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4965d4d1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.907] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.908] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4965d4d1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0187.908] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4965d4d1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.908] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa4f13e84, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0187.908] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x462e9abd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0187.908] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.908] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0187.908] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.908] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.909] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0187.922] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.922] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d26600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d26600*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.923] CloseHandle (hObject=0x1a0) returned 1 [0187.923] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa4f13e84, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e)) returned 1 [0187.924] SetEvent (hEvent=0x19c) returned 1 [0187.924] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x462e9abd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x71080)) returned 1 [0187.924] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\SoftwareDistribution" (normalized: "c:\\programdata\\softwaredistribution"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.925] CreateFileW (lpFileName="C:\\ProgramData\\SoftwareDistribution" (normalized: "c:\\programdata\\softwaredistribution"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.925] FindFirstFileW (in: lpFileName="C:\\ProgramData\\SoftwareDistribution\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 1 [0187.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.926] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.926] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\SoftwareDistribution\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\softwaredistribution\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b7c0 | out: lpFileInformation=0x1282b7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.926] CreateFileW (lpFileName="C:\\ProgramData\\SoftwareDistribution\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\softwaredistribution\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.926] CreateFileW (lpFileName="C:\\ProgramData\\SoftwareDistribution\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\softwaredistribution\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0187.928] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b9d0 | out: lpMode=0x1282b9d0) returned 0 [0187.928] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d27900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b9d0, lpOverlapped=0x0 | out: lpBuffer=0x12d27900*, lpNumberOfBytesWritten=0x1282b9d0*=0x118a, lpOverlapped=0x0) returned 1 [0187.929] CloseHandle (hObject=0x1a0) returned 1 [0187.929] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2" (normalized: "c:\\programdata\\softwaredistribution\\postrebooteventcache.v2"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.959] CreateFileW (lpFileName="C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2" (normalized: "c:\\programdata\\softwaredistribution\\postrebooteventcache.v2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.960] FindFirstFileW (in: lpFileName="C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0187.960] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.960] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.960] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0187.960] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\softwaredistribution\\postrebooteventcache.v2\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.960] CreateFileW (lpFileName="C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\softwaredistribution\\postrebooteventcache.v2\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.960] CreateFileW (lpFileName="C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\softwaredistribution\\postrebooteventcache.v2\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0187.961] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.962] WriteFile (in: hFile=0x438, lpBuffer=0x12d28c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d28c00*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.963] CloseHandle (hObject=0x438) returned 1 [0187.963] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Start Menu" (normalized: "c:\\programdata\\start menu"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.964] CreateFileW (lpFileName="C:\\ProgramData\\Start Menu" (normalized: "c:\\programdata\\start menu"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x438 [0187.964] GetFileInformationByHandle (in: hFile=0x438, lpFileInformation=0x1282bbb0 | out: lpFileInformation=0x1282bbb0) returned 1 [0187.964] GetFileInformationByHandleEx (in: hFile=0x438, FileInformationClass=0x9, lpFileInformation=0x1282bba8, dwBufferSize=0x8 | out: lpFileInformation=0x1282bba8) returned 1 [0187.964] CloseHandle (hObject=0x438) returned 1 [0187.964] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Templates" (normalized: "c:\\programdata\\templates"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.965] CreateFileW (lpFileName="C:\\ProgramData\\Templates" (normalized: "c:\\programdata\\templates"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x438 [0187.965] GetFileInformationByHandle (in: hFile=0x438, lpFileInformation=0x1282bbb0 | out: lpFileInformation=0x1282bbb0) returned 1 [0187.965] GetFileInformationByHandleEx (in: hFile=0x438, FileInformationClass=0x9, lpFileInformation=0x1282bba8, dwBufferSize=0x8 | out: lpFileInformation=0x1282bba8) returned 1 [0187.965] CloseHandle (hObject=0x438) returned 1 [0187.965] CreateFileW (lpFileName="C:\\ProgramData\\Start Menu" (normalized: "c:\\programdata\\start menu"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.965] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Start Menu\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0187.966] CreateFileW (lpFileName="C:\\ProgramData\\Templates" (normalized: "c:\\programdata\\templates"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.966] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Templates\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0187.966] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOPrivate" (normalized: "c:\\programdata\\usoprivate"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.966] CreateFileW (lpFileName="C:\\ProgramData\\USOPrivate" (normalized: "c:\\programdata\\usoprivate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.967] FindFirstFileW (in: lpFileName="C:\\ProgramData\\USOPrivate\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0187.967] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.967] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x93b46a46, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x93b46a46, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 1 [0187.967] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.967] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0187.967] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOPrivate\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoprivate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b7c0 | out: lpFileInformation=0x1282b7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.967] CreateFileW (lpFileName="C:\\ProgramData\\USOPrivate\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoprivate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.967] CreateFileW (lpFileName="C:\\ProgramData\\USOPrivate\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoprivate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0187.969] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b9d0 | out: lpMode=0x1282b9d0) returned 0 [0187.969] WriteFile (in: hFile=0x438, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b9d0, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b9d0*=0x118a, lpOverlapped=0x0) returned 1 [0187.971] CloseHandle (hObject=0x438) returned 1 [0187.971] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore" (normalized: "c:\\programdata\\usoprivate\\updatestore"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x93b47df4, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x93b47df4, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0187.971] CreateFileW (lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore" (normalized: "c:\\programdata\\usoprivate\\updatestore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.971] FindFirstFileW (in: lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x93b47df4, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x93b47df4, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.972] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x93b47df4, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x93b47df4, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.972] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x93900d5f, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x93b3bb89, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x0, dwReserved1=0x0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 1 [0187.972] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.972] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.972] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoprivate\\updatestore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.972] CreateFileW (lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoprivate\\updatestore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.972] CreateFileW (lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoprivate\\updatestore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0187.979] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.979] WriteFile (in: hFile=0x438, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.981] CloseHandle (hObject=0x438) returned 1 [0187.981] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x93900d5f, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x93b3bb89, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x349)) returned 1 [0187.982] SetEvent (hEvent=0x19c) returned 1 [0187.982] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared" (normalized: "c:\\programdata\\usoshared"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0187.982] CreateFileW (lpFileName="C:\\ProgramData\\USOShared" (normalized: "c:\\programdata\\usoshared"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.982] FindFirstFileW (in: lpFileName="C:\\ProgramData\\USOShared\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0187.982] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.982] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xda6031, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0xda6031, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0187.983] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.983] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0187.983] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoshared\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b7c0 | out: lpFileInformation=0x1282b7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.983] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoshared\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.983] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoshared\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0187.984] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b9d0 | out: lpMode=0x1282b9d0) returned 0 [0187.984] WriteFile (in: hFile=0x438, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b9d0, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b9d0*=0x118a, lpOverlapped=0x0) returned 1 [0187.986] CloseHandle (hObject=0x438) returned 1 [0187.986] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs" (normalized: "c:\\programdata\\usoshared\\logs"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe2287c, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0xe2287c, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0187.986] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs" (normalized: "c:\\programdata\\usoshared\\logs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0187.987] FindFirstFileW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe2287c, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0xe2287c, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe2287c, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0xe2287c, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe2287c, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0xbae5ed1a, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.001.etl", cAlternateFileName="UP2DAF~1.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x3a5fe900, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x6178db96, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.002.etl", cAlternateFileName="UP3884~1.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf801cbae, ftLastAccessTime.dwHighDateTime=0x1d75217, ftLastWriteTime.dwLowDateTime=0x1f56df07, ftLastWriteTime.dwHighDateTime=0x1d75218, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.003.etl", cAlternateFileName="UP8247~1.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf98df460, ftLastAccessTime.dwHighDateTime=0x1d705ef, ftLastWriteTime.dwLowDateTime=0x22721e58, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.004.etl", cAlternateFileName="UPD2FC~1.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x6fb852ed, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa05d916a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.005.etl", cAlternateFileName="UPB784~1.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x46a3d34f, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6df6574e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.006.etl", cAlternateFileName="UP7D55~1.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x95f9994e, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x95f9994e, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.007.etl", cAlternateFileName="UP52FC~1.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9ee92c6a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xc6371102, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.008.etl", cAlternateFileName="UPA721~1.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe7e7af85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7e7af85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.009.etl", cAlternateFileName="UPDATE~4.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x4e8a793e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8a793e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.010.etl", cAlternateFileName="UPDATE~2.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x1d9a4c7e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.011.etl", cAlternateFileName="UPDATE~1.ETL")) returned 1 [0187.987] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xa689893c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xac9249a5, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.001.etl", cAlternateFileName="UP654C~1.ETL")) returned 1 [0187.988] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.002.etl", cAlternateFileName="UPDATE~3.ETL")) returned 1 [0187.988] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0187.988] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0187.988] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoshared\\logs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0187.988] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoshared\\logs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0187.988] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\usoshared\\logs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0187.989] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0187.989] WriteFile (in: hFile=0x438, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0187.991] CloseHandle (hObject=0x438) returned 1 [0187.991] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.001.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe2287c, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0xbae5ed1a, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0187.991] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x3a5fe900, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x6178db96, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0187.992] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf801cbae, ftLastAccessTime.dwHighDateTime=0x1d75217, ftLastWriteTime.dwLowDateTime=0x1f56df07, ftLastWriteTime.dwHighDateTime=0x1d75218, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0187.992] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0187.992] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0187.992] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d5fad0 | out: lpFileInformation=0x12d5fad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x3a5fe900, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x6178db96, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0187.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a981a0 | out: pbBuffer=0x12a981a0) returned 1 [0187.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8d70 | out: pbBuffer=0x128e8d70) returned 1 [0187.993] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0187.996] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0187.996] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0187.997] SetEvent (hEvent=0x110) returned 1 [0187.997] SetEvent (hEvent=0x19c) returned 1 [0187.997] ReadFile (in: hFile=0x438, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12d5fd1c*=0x3000, lpOverlapped=0x0) returned 1 [0188.079] GetFileType (hFile=0x438) returned 0x1 [0188.080] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.080] WriteFile (in: hFile=0x438, lpBuffer=0x12a6e000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x12d5fd00, lpOverlapped=0x12d5fd0c | out: lpBuffer=0x12a6e000*, lpNumberOfBytesWritten=0x12d5fd00*=0x3000, lpOverlapped=0x12d5fd0c) returned 1 [0188.080] GetFileType (hFile=0x438) returned 0x1 [0188.080] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.080] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0188.081] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0188.081] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0188.081] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8e28 | out: pbBuffer=0x128e8e28) returned 1 [0188.081] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.081] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.081] WriteFile (in: hFile=0x43c, lpBuffer=0x12c34000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c34000*, lpNumberOfBytesWritten=0x12d5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0188.082] CloseHandle (hObject=0x43c) returned 1 [0188.082] CloseHandle (hObject=0x438) returned 1 [0188.082] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8e40 | out: pbBuffer=0x128e8e40) returned 1 [0188.082] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[8F286484990EE63E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[8f286484990ee63e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.084] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.084] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.084] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d5fad0 | out: lpFileInformation=0x12d5fad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf801cbae, ftLastAccessTime.dwHighDateTime=0x1d75217, ftLastWriteTime.dwLowDateTime=0x1f56df07, ftLastWriteTime.dwHighDateTime=0x1d75218, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0188.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a983e0 | out: pbBuffer=0x12a983e0) returned 1 [0188.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8e88 | out: pbBuffer=0x128e8e88) returned 1 [0188.085] ReadFile (in: hFile=0x438, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12d5fd1c*=0x3000, lpOverlapped=0x0) returned 1 [0188.127] GetFileType (hFile=0x438) returned 0x1 [0188.127] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.128] WriteFile (in: hFile=0x438, lpBuffer=0x12a3a000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x12d5fd00, lpOverlapped=0x12d5fd0c | out: lpBuffer=0x12a3a000*, lpNumberOfBytesWritten=0x12d5fd00*=0x3000, lpOverlapped=0x12d5fd0c) returned 1 [0188.128] GetFileType (hFile=0x438) returned 0x1 [0188.128] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.128] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a01 | out: pbBuffer=0x12834a01) returned 1 [0188.128] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0188.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0188.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128485f0 | out: pbBuffer=0x128485f0) returned 1 [0188.129] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0188.129] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.129] WriteFile (in: hFile=0x448, lpBuffer=0x12a58f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58f00*, lpNumberOfBytesWritten=0x12d5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0188.129] CloseHandle (hObject=0x448) returned 1 [0188.130] CloseHandle (hObject=0x438) returned 1 [0188.130] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848608 | out: pbBuffer=0x12848608) returned 1 [0188.130] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[75814366F6B2DB66]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[75814366f6b2db66]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.131] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0188.184] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.185] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.185] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d5fad0 | out: lpFileInformation=0x12d5fad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x6fb852ed, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa05d916a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0188.185] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0188.185] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0188.185] ReadFile (in: hFile=0x43c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12d5fd1c*=0x3000, lpOverlapped=0x0) returned 1 [0188.194] GetFileType (hFile=0x43c) returned 0x1 [0188.194] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.194] WriteFile (in: hFile=0x43c, lpBuffer=0x12c1c000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x12d5fd00, lpOverlapped=0x12d5fd0c | out: lpBuffer=0x12c1c000*, lpNumberOfBytesWritten=0x12d5fd00*=0x3000, lpOverlapped=0x12d5fd0c) returned 1 [0188.195] GetFileType (hFile=0x43c) returned 0x1 [0188.195] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0188.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0188.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0188.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0188.196] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0188.196] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.196] WriteFile (in: hFile=0x42c, lpBuffer=0x12c24000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c24000*, lpNumberOfBytesWritten=0x12d5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0188.196] CloseHandle (hObject=0x42c) returned 1 [0188.200] CloseHandle (hObject=0x43c) returned 1 [0188.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0188.206] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[EC63E9FB0BE17096]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[ec63e9fb0be17096]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.413] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0188.418] SetEvent (hEvent=0x3f8) returned 1 [0188.418] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0188.419] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0188.419] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe7e7af85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7e7af85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98500 | out: pbBuffer=0x12a98500) returned 1 [0188.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a130 | out: pbBuffer=0x12a9a130) returned 1 [0188.419] ReadFile (in: hFile=0x448, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12d35d1c*=0x1000, lpOverlapped=0x0) returned 1 [0188.425] GetFileType (hFile=0x448) returned 0x1 [0188.425] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.425] WriteFile (in: hFile=0x448, lpBuffer=0x12a42000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12a42000*, lpNumberOfBytesWritten=0x12d35d00*=0x1000, lpOverlapped=0x12d35d0c) returned 1 [0188.426] GetFileType (hFile=0x448) returned 0x1 [0188.426] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.426] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0188.426] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0188.427] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0188.427] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1f8 | out: pbBuffer=0x12a9a1f8) returned 1 [0188.427] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.427] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0188.427] WriteFile (in: hFile=0x43c, lpBuffer=0x12c34a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c34a00*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.428] CloseHandle (hObject=0x43c) returned 1 [0188.431] CloseHandle (hObject=0x448) returned 1 [0188.439] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a210 | out: pbBuffer=0x12a9a210) returned 1 [0188.439] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[FFAF724266F716D6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[ffaf724266f716d6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.663] SetEvent (hEvent=0xfc) returned 1 [0188.663] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.663] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0188.663] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.002.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844080 | out: pbBuffer=0x12844080) returned 1 [0188.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8e30 | out: pbBuffer=0x128e8e30) returned 1 [0188.664] ReadFile (in: hFile=0x438, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12d35d1c*=0x1000, lpOverlapped=0x0) returned 1 [0188.670] GetFileType (hFile=0x438) returned 0x1 [0188.670] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.670] WriteFile (in: hFile=0x438, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12d35d00*=0x1000, lpOverlapped=0x12d35d0c) returned 1 [0188.670] GetFileType (hFile=0x438) returned 0x1 [0188.670] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0188.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0188.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0188.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8ee8 | out: pbBuffer=0x128e8ee8) returned 1 [0188.671] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.002.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0188.671] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0188.671] WriteFile (in: hFile=0x428, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.671] CloseHandle (hObject=0x428) returned 1 [0188.682] CloseHandle (hObject=0x438) returned 1 [0188.690] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8f00 | out: pbBuffer=0x128e8f00) returned 1 [0188.690] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.002.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[4CC94F006FD95547]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[4cc94f006fd95547]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.812] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ac00f7d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x3ac00f7d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6)) returned 1 [0188.829] SetEvent (hEvent=0xfc) returned 1 [0188.829] GetFileAttributesExW (in: lpFileName="C:\\Recovery" (normalized: "c:\\recovery"), fInfoLevelId=0x0, lpFileInformation=0x1282bc84 | out: lpFileInformation=0x1282bc84*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.830] CreateFileW (lpFileName="C:\\Recovery" (normalized: "c:\\recovery"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.830] FindFirstFileW (in: lpFileName="C:\\Recovery\\*", lpFindFileData=0x1282bb5c | out: lpFindFileData=0x1282bb5c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0188.831] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.831] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 1 [0188.831] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.831] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0188.831] GetFileAttributesExW (in: lpFileName="C:\\Recovery\\# SATAN CRYPTOR #.hta" (normalized: "c:\\recovery\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b824 | out: lpFileInformation=0x1282b824*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.831] CreateFileW (lpFileName="C:\\Recovery\\# SATAN CRYPTOR #.hta" (normalized: "c:\\recovery\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.831] CreateFileW (lpFileName="C:\\Recovery\\# SATAN CRYPTOR #.hta" (normalized: "c:\\recovery\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.832] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282ba34 | out: lpMode=0x1282ba34) returned 0 [0188.832] WriteFile (in: hFile=0x438, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282ba34, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282ba34*=0x118a, lpOverlapped=0x0) returned 1 [0188.835] CloseHandle (hObject=0x438) returned 1 [0188.835] GetFileAttributesExW (in: lpFileName="C:\\Recovery\\WindowsRE" (normalized: "c:\\recovery\\windowsre"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.835] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE" (normalized: "c:\\recovery\\windowsre"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.835] FindFirstFileW (in: lpFileName="C:\\Recovery\\WindowsRE\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0188.836] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.836] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbaa998b0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x136e0f4d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x0, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0188.836] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xbadba904, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x415, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReAgent.xml", cAlternateFileName="")) returned 1 [0188.836] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xe1aeb488, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xe1aeb488, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x1f0b6c28, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x11b68298, dwReserved0=0x0, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0188.836] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.836] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0188.836] GetFileAttributesExW (in: lpFileName="C:\\System Volume Information" (normalized: "c:\\system volume information"), fInfoLevelId=0x0, lpFileInformation=0x1282bc84 | out: lpFileInformation=0x1282bc84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.837] CreateFileW (lpFileName="C:\\System Volume Information" (normalized: "c:\\system volume information"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.837] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*", lpFindFileData=0x1282bb5c | out: lpFindFileData=0x1282bb5c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0188.837] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1282bc84 | out: lpFileInformation=0x1282bc84*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.837] CreateFileW (lpFileName="C:\\Users" (normalized: "c:\\users"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.837] FindFirstFileW (in: lpFileName="C:\\Users\\*", lpFindFileData=0x1282bb5c | out: lpFindFileData=0x1282bb5c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0188.838] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.838] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0188.838] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0188.838] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0188.838] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3757c8c, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0188.838] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0188.838] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 1 [0188.838] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bba0 | out: lpFindFileData=0x1282bba0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.838] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0188.838] GetFileAttributesExW (in: lpFileName="C:\\Users\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b824 | out: lpFileInformation=0x1282b824*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.838] CreateFileW (lpFileName="C:\\Users\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.839] CreateFileW (lpFileName="C:\\Users\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.839] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282ba34 | out: lpMode=0x1282ba34) returned 0 [0188.839] WriteFile (in: hFile=0x438, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282ba34, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282ba34*=0x118a, lpOverlapped=0x0) returned 1 [0188.841] CloseHandle (hObject=0x438) returned 1 [0188.841] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users" (normalized: "c:\\users\\all users"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.842] CreateFileW (lpFileName="C:\\Users\\All Users" (normalized: "c:\\users\\all users"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x438 [0188.842] GetFileInformationByHandle (in: hFile=0x438, lpFileInformation=0x1282bbb0 | out: lpFileInformation=0x1282bbb0) returned 1 [0188.842] GetFileInformationByHandleEx (in: hFile=0x438, FileInformationClass=0x9, lpFileInformation=0x1282bba8, dwBufferSize=0x8 | out: lpFileInformation=0x1282bba8) returned 1 [0188.842] CloseHandle (hObject=0x438) returned 1 [0188.842] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.847] FindFirstFileW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0188.847] SetEvent (hEvent=0xfc) returned 1 [0188.847] CreateFileW (lpFileName="C:\\Users\\All Users" (normalized: "c:\\users\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.847] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb1e07827, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0188.848] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0188.849] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default" (normalized: "c:\\users\\default"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.849] CreateFileW (lpFileName="C:\\Users\\Default" (normalized: "c:\\users\\default"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.849] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0188.856] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.858] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d54d8a8, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d54d8a8, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d54d8a8, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x31bfa5a5, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xea64ab63, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xea64ab63, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0188.859] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d61ae52, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d61ae52, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0188.860] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0188.860] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0188.860] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0188.860] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0188.860] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0188.860] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0188.860] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0188.860] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0188.860] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.860] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0188.862] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b7c0 | out: lpFileInformation=0x1282b7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.863] CreateFileW (lpFileName="C:\\Users\\Default\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.864] CreateFileW (lpFileName="C:\\Users\\Default\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.864] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b9d0 | out: lpMode=0x1282b9d0) returned 0 [0188.864] WriteFile (in: hFile=0x438, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b9d0, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b9d0*=0x118a, lpOverlapped=0x0) returned 1 [0188.866] CloseHandle (hObject=0x438) returned 1 [0188.867] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData" (normalized: "c:\\users\\default\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.867] CreateFileW (lpFileName="C:\\Users\\Default\\AppData" (normalized: "c:\\users\\default\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.867] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0188.868] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.868] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0188.868] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0188.868] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.868] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0188.868] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.868] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.868] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.869] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0188.869] WriteFile (in: hFile=0x438, lpBuffer=0x12a5a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a5a000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0188.871] CloseHandle (hObject=0x438) returned 1 [0188.872] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local" (normalized: "c:\\users\\default\\appdata\\local"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.872] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local" (normalized: "c:\\users\\default\\appdata\\local"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.872] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0188.879] SetEvent (hEvent=0x110) returned 1 [0188.879] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.879] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0188.879] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0188.879] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0188.879] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0188.879] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0188.879] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.879] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0188.884] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.886] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.886] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.886] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0188.886] WriteFile (in: hFile=0x438, lpBuffer=0x12a5b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a5b300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0188.888] CloseHandle (hObject=0x438) returned 1 [0188.888] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data" (normalized: "c:\\users\\default\\appdata\\local\\application data"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.888] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data" (normalized: "c:\\users\\default\\appdata\\local\\application data"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x438 [0188.889] GetFileInformationByHandle (in: hFile=0x438, lpFileInformation=0x1282ba84 | out: lpFileInformation=0x1282ba84) returned 1 [0188.889] GetFileInformationByHandleEx (in: hFile=0x438, FileInformationClass=0x9, lpFileInformation=0x1282ba7c, dwBufferSize=0x8 | out: lpFileInformation=0x1282ba7c) returned 1 [0188.889] CloseHandle (hObject=0x438) returned 1 [0188.889] SetEvent (hEvent=0x19c) returned 1 [0188.889] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\History" (normalized: "c:\\users\\default\\appdata\\local\\history"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.890] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\History" (normalized: "c:\\users\\default\\appdata\\local\\history"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x438 [0188.890] GetFileInformationByHandle (in: hFile=0x438, lpFileInformation=0x1282ba84 | out: lpFileInformation=0x1282ba84) returned 1 [0188.890] GetFileInformationByHandleEx (in: hFile=0x438, FileInformationClass=0x9, lpFileInformation=0x1282ba7c, dwBufferSize=0x8 | out: lpFileInformation=0x1282ba7c) returned 1 [0188.890] CloseHandle (hObject=0x438) returned 1 [0188.890] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft" (normalized: "c:\\users\\default\\appdata\\local\\microsoft"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.890] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft" (normalized: "c:\\users\\default\\appdata\\local\\microsoft"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.890] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0188.891] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.891] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InputPersonalization", cAlternateFileName="INPUTP~1")) returned 1 [0188.891] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0188.891] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x377dee7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0188.891] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.891] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0188.891] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.892] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.892] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.898] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0188.898] WriteFile (in: hFile=0x438, lpBuffer=0x12a5c600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a5c600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0188.900] CloseHandle (hObject=0x438) returned 1 [0188.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.901] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.901] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0188.902] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.902] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 1 [0188.902] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.902] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0188.902] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.902] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.902] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.903] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0188.903] WriteFile (in: hFile=0x438, lpBuffer=0x12a5d900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a5d900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0188.904] CloseHandle (hObject=0x438) returned 1 [0188.904] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.905] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.906] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0188.907] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.907] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.907] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0188.908] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.908] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.908] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.908] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0188.908] WriteFile (in: hFile=0x438, lpBuffer=0x12a5ec00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12a5ec00*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0188.910] CloseHandle (hObject=0x438) returned 1 [0188.910] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.910] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.911] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0188.915] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.915] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GameExplorer", cAlternateFileName="GAMEEX~1")) returned 1 [0188.915] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0188.915] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0188.915] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0188.915] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3757c8c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3757c8c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shell", cAlternateFileName="")) returned 1 [0188.915] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0188.915] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinX", cAlternateFileName="")) returned 1 [0188.915] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.915] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0188.916] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x377dee7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.918] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.918] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x377dee7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0188.919] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x377dee7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.919] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0188.919] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x377dee7, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973d55c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973d55c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0188.919] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.919] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0188.919] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp" (normalized: "c:\\users\\default\\appdata\\local\\temp"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.919] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp" (normalized: "c:\\users\\default\\appdata\\local\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.919] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0188.920] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.920] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.920] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0188.920] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.920] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.920] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\local\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.921] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0188.921] WriteFile (in: hFile=0x438, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0188.923] CloseHandle (hObject=0x438) returned 1 [0188.923] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" (normalized: "c:\\users\\default\\appdata\\local\\temporary internet files"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.923] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" (normalized: "c:\\users\\default\\appdata\\local\\temporary internet files"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x438 [0188.923] GetFileInformationByHandle (in: hFile=0x438, lpFileInformation=0x1282ba84 | out: lpFileInformation=0x1282ba84) returned 1 [0188.923] GetFileInformationByHandleEx (in: hFile=0x438, FileInformationClass=0x9, lpFileInformation=0x1282ba7c, dwBufferSize=0x8 | out: lpFileInformation=0x1282ba7c) returned 1 [0188.924] CloseHandle (hObject=0x438) returned 1 [0188.924] SetEvent (hEvent=0xfc) returned 1 [0188.924] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming" (normalized: "c:\\users\\default\\appdata\\roaming"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.924] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming" (normalized: "c:\\users\\default\\appdata\\roaming"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.924] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0188.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0188.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.925] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0188.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.925] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.925] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.926] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0188.926] WriteFile (in: hFile=0x438, lpBuffer=0x128ad300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x128ad300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0188.928] CloseHandle (hObject=0x438) returned 1 [0188.928] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.932] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.933] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0188.933] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.933] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0188.933] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0188.933] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.933] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0188.933] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.934] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.934] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.934] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0188.934] WriteFile (in: hFile=0x438, lpBuffer=0x128ae600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x128ae600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0188.943] CloseHandle (hObject=0x438) returned 1 [0188.943] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.944] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.944] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0188.944] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.944] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf6600cb, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0188.944] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.944] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0188.944] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.944] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.944] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.945] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0188.945] WriteFile (in: hFile=0x438, lpBuffer=0x128af900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x128af900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0188.946] CloseHandle (hObject=0x438) returned 1 [0188.947] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf6600cb, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.947] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.947] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf6600cb, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0188.947] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf6600cb, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0188.947] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf6600cb, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9ee52126, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee78381, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x94, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0188.947] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fff9e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x251fff9e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x251fff9e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shows Desktop.lnk", cAlternateFileName="")) returned 1 [0188.947] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x252261fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x252261fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="")) returned 1 [0188.947] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0188.948] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0188.948] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0188.948] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0188.948] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.956] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0188.956] WriteFile (in: hFile=0x438, lpBuffer=0x128b0c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x128b0c00*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0188.958] CloseHandle (hObject=0x438) returned 1 [0188.958] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fff9e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x251fff9e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x251fff9e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x160)) returned 1 [0188.965] SetEvent (hEvent=0x420) returned 1 [0188.965] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x252261fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x252261fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e)) returned 1 [0188.980] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf6600cb, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9ee52126, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee78381, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x94)) returned 1 [0188.981] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0188.982] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\windows"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.982] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0189.057] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.057] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network Shortcuts", cAlternateFileName="NETWOR~1")) returned 1 [0189.058] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Printer Shortcuts", cAlternateFileName="PRINTE~1")) returned 1 [0189.058] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0189.058] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37a4145, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37a4145, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0189.058] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0189.058] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0189.058] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.058] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0189.059] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Application Data" (normalized: "c:\\users\\default\\application data"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d54d8a8, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d54d8a8, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d54d8a8, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.060] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data" (normalized: "c:\\users\\default\\application data"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.060] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.060] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.060] CloseHandle (hObject=0x1a0) returned 1 [0189.060] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Cookies" (normalized: "c:\\users\\default\\cookies"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.061] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies" (normalized: "c:\\users\\default\\cookies"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.061] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.061] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.061] CloseHandle (hObject=0x1a0) returned 1 [0189.061] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Desktop" (normalized: "c:\\users\\default\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.061] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop" (normalized: "c:\\users\\default\\desktop"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.061] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.062] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.062] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.062] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\desktop\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.062] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\desktop\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.062] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\desktop\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.063] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.063] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d24000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.065] CloseHandle (hObject=0x1a0) returned 1 [0189.065] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Documents" (normalized: "c:\\users\\default\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.065] CreateFileW (lpFileName="C:\\Users\\Default\\Documents" (normalized: "c:\\users\\default\\documents"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.065] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0189.076] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.076] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0189.076] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0189.076] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0189.076] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.076] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0189.077] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Documents\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\documents\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.078] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\documents\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.078] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\documents\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.079] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.079] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d25300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d25300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.080] CloseHandle (hObject=0x1a0) returned 1 [0189.080] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music" (normalized: "c:\\users\\default\\documents\\my music"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.081] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music" (normalized: "c:\\users\\default\\documents\\my music"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.081] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bae8 | out: lpFileInformation=0x1282bae8) returned 1 [0189.081] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bae0, dwBufferSize=0x8 | out: lpFileInformation=0x1282bae0) returned 1 [0189.081] CloseHandle (hObject=0x1a0) returned 1 [0189.081] SetEvent (hEvent=0x420) returned 1 [0189.082] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures" (normalized: "c:\\users\\default\\documents\\my pictures"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.082] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures" (normalized: "c:\\users\\default\\documents\\my pictures"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.082] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bae8 | out: lpFileInformation=0x1282bae8) returned 1 [0189.082] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bae0, dwBufferSize=0x8 | out: lpFileInformation=0x1282bae0) returned 1 [0189.082] CloseHandle (hObject=0x1a0) returned 1 [0189.082] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos" (normalized: "c:\\users\\default\\documents\\my videos"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.082] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos" (normalized: "c:\\users\\default\\documents\\my videos"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.083] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bae8 | out: lpFileInformation=0x1282bae8) returned 1 [0189.083] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bae0, dwBufferSize=0x8 | out: lpFileInformation=0x1282bae0) returned 1 [0189.083] CloseHandle (hObject=0x1a0) returned 1 [0189.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Downloads" (normalized: "c:\\users\\default\\downloads"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.084] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads" (normalized: "c:\\users\\default\\downloads"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.084] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0189.084] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.084] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.084] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0189.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Downloads\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\downloads\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.085] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\downloads\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.085] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\downloads\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.085] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.089] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d26600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d26600*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.090] CloseHandle (hObject=0x1a0) returned 1 [0189.090] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Favorites" (normalized: "c:\\users\\default\\favorites"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.090] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites" (normalized: "c:\\users\\default\\favorites"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.091] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0189.091] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.091] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.091] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0189.091] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Favorites\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\favorites\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.091] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\favorites\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.091] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\favorites\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.092] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.092] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d27900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d27900*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.112] CloseHandle (hObject=0x1a0) returned 1 [0189.113] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Links" (normalized: "c:\\users\\default\\links"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.120] CreateFileW (lpFileName="C:\\Users\\Default\\Links" (normalized: "c:\\users\\default\\links"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.121] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0189.121] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.121] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.121] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0189.121] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Links\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\links\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.121] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\links\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.122] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\links\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.122] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.122] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d28c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d28c00*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.124] CloseHandle (hObject=0x1a0) returned 1 [0189.124] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Local Settings" (normalized: "c:\\users\\default\\local settings"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.125] CreateFileW (lpFileName="C:\\Users\\Default\\Local Settings" (normalized: "c:\\users\\default\\local settings"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.125] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.125] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.125] CloseHandle (hObject=0x1a0) returned 1 [0189.125] SetEvent (hEvent=0xf4) returned 1 [0189.125] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Music" (normalized: "c:\\users\\default\\music"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.126] CreateFileW (lpFileName="C:\\Users\\Default\\Music" (normalized: "c:\\users\\default\\music"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.126] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0189.126] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.126] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.126] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0189.126] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Music\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\music\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.126] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\music\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.126] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\music\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.127] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.127] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.128] CloseHandle (hObject=0x1a0) returned 1 [0189.128] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\My Documents" (normalized: "c:\\users\\default\\my documents"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.129] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents" (normalized: "c:\\users\\default\\my documents"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.129] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.129] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.129] CloseHandle (hObject=0x1a0) returned 1 [0189.129] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x31bfa5a5, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xea64ab63, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xea64ab63, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x40000)) returned 1 [0189.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x9000)) returned 1 [0189.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0189.141] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0189.159] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0189.220] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.220] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x128b3d0c | out: lpMode=0x128b3d0c) returned 0 [0189.220] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms"), fInfoLevelId=0x0, lpFileInformation=0x128b3ad0 | out: lpFileInformation=0x128b3ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0189.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0189.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0189.221] ReadFile (in: hFile=0x43c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128b3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x128b3d1c*=0x20000, lpOverlapped=0x0) returned 1 [0189.243] GetFileType (hFile=0x43c) returned 0x1 [0189.243] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x128b3ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.243] WriteFile (in: hFile=0x43c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x128b3d00, lpOverlapped=0x128b3d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x128b3d00*=0x20000, lpOverlapped=0x128b3d0c) returned 1 [0189.244] GetFileType (hFile=0x43c) returned 0x1 [0189.244] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x128b3ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0189.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a281 | out: pbBuffer=0x1286a281) returned 1 [0189.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0189.244] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.245] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x128b3d0c | out: lpMode=0x128b3d0c) returned 0 [0189.245] WriteFile (in: hFile=0x1a0, lpBuffer=0x12afa000*, nNumberOfBytesToWrite=0x1ca, lpNumberOfBytesWritten=0x128b3d0c, lpOverlapped=0x0 | out: lpBuffer=0x12afa000*, lpNumberOfBytesWritten=0x128b3d0c*=0x1ca, lpOverlapped=0x0) returned 1 [0189.246] CloseHandle (hObject=0x1a0) returned 1 [0189.252] CloseHandle (hObject=0x43c) returned 1 [0189.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340c8 | out: pbBuffer=0x12c340c8) returned 1 [0189.259] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\#_THIS_FILE_IS_ENCRYPTED_[28211028693C65E9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\default\\#_this_file_is_encrypted_[28211028693c65e9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.334] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0189.354] SetEvent (hEvent=0xfc) returned 1 [0189.354] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu" (normalized: "c:\\users\\default\\start menu"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.355] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.355] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo" (normalized: "c:\\users\\default\\sendto"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.355] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.355] CreateFileW (lpFileName="C:\\Users\\Default\\Templates" (normalized: "c:\\users\\default\\templates"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.355] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Templates\\*", lpFindFileData=0x12d37a44 | out: lpFindFileData=0x12d37a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.355] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Desktop" (normalized: "c:\\users\\public\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.355] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop" (normalized: "c:\\users\\public\\desktop"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.355] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.356] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.356] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0189.356] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.356] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.356] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\desktop\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.356] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\desktop\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.356] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\desktop\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.357] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.357] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a4c000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a4c000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.358] CloseHandle (hObject=0x1a0) returned 1 [0189.358] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae)) returned 1 [0189.358] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents" (normalized: "c:\\users\\public\\documents"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.358] CreateFileW (lpFileName="C:\\Users\\Public\\Documents" (normalized: "c:\\users\\public\\documents"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.359] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.361] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0189.361] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0189.361] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0189.361] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0189.361] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.361] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.362] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\documents\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.363] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\documents\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.363] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\documents\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.363] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.363] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a4d300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a4d300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.364] CloseHandle (hObject=0x1a0) returned 1 [0189.364] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music" (normalized: "c:\\users\\public\\documents\\my music"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.365] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music" (normalized: "c:\\users\\public\\documents\\my music"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.365] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bae8 | out: lpFileInformation=0x1282bae8) returned 1 [0189.365] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bae0, dwBufferSize=0x8 | out: lpFileInformation=0x1282bae0) returned 1 [0189.365] CloseHandle (hObject=0x1a0) returned 1 [0189.365] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures" (normalized: "c:\\users\\public\\documents\\my pictures"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.365] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures" (normalized: "c:\\users\\public\\documents\\my pictures"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.365] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bae8 | out: lpFileInformation=0x1282bae8) returned 1 [0189.366] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bae0, dwBufferSize=0x8 | out: lpFileInformation=0x1282bae0) returned 1 [0189.366] CloseHandle (hObject=0x1a0) returned 1 [0189.366] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos" (normalized: "c:\\users\\public\\documents\\my videos"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.366] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos" (normalized: "c:\\users\\public\\documents\\my videos"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.366] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bae8 | out: lpFileInformation=0x1282bae8) returned 1 [0189.366] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bae0, dwBufferSize=0x8 | out: lpFileInformation=0x1282bae0) returned 1 [0189.366] CloseHandle (hObject=0x1a0) returned 1 [0189.366] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures" (normalized: "c:\\users\\public\\documents\\my pictures"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.366] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x12d37a44 | out: lpFindFileData=0x12d37a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.367] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos" (normalized: "c:\\users\\public\\documents\\my videos"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.367] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x12d37a44 | out: lpFindFileData=0x12d37a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.367] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x116)) returned 1 [0189.367] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Downloads" (normalized: "c:\\users\\public\\downloads"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.367] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads" (normalized: "c:\\users\\public\\downloads"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.367] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0189.367] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.368] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0189.368] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.368] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0189.368] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Downloads\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\downloads\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.368] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\downloads\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.368] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\downloads\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.369] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.369] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a4e600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a4e600*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.370] CloseHandle (hObject=0x1a0) returned 1 [0189.371] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae)) returned 1 [0189.413] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0189.533] SetEvent (hEvent=0x19c) returned 1 [0189.533] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0189.538] SetEvent (hEvent=0x19c) returned 1 [0189.538] SetEvent (hEvent=0xf4) returned 1 [0189.538] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Libraries" (normalized: "c:\\users\\public\\libraries"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.538] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries" (normalized: "c:\\users\\public\\libraries"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.539] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0189.539] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.539] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0189.539] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0189.539] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.539] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0189.539] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Libraries\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\libraries\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.539] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\libraries\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.539] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\libraries\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.551] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.551] WriteFile (in: hFile=0x43c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.553] CloseHandle (hObject=0x43c) returned 1 [0189.554] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7)) returned 1 [0189.562] SetEvent (hEvent=0xf4) returned 1 [0189.562] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf)) returned 1 [0189.562] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Music" (normalized: "c:\\users\\public\\music"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.563] CreateFileW (lpFileName="C:\\Users\\Public\\Music" (normalized: "c:\\users\\public\\music"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.563] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0189.563] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.563] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0189.563] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.563] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0189.564] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Music\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\music\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.564] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\music\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.564] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\music\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.565] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.565] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.567] CloseHandle (hObject=0x1a0) returned 1 [0189.567] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c)) returned 1 [0189.567] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Pictures" (normalized: "c:\\users\\public\\pictures"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.568] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures" (normalized: "c:\\users\\public\\pictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.568] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.568] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.568] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0189.568] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.568] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.568] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\pictures\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.569] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.569] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.569] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.569] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.571] CloseHandle (hObject=0x1a0) returned 1 [0189.571] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c)) returned 1 [0189.583] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Videos" (normalized: "c:\\users\\public\\videos"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.584] CreateFileW (lpFileName="C:\\Users\\Public\\Videos" (normalized: "c:\\users\\public\\videos"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.584] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.584] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.584] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0189.584] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.584] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.585] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Videos\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\videos\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.585] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\videos\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.585] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\videos\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.585] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.585] WriteFile (in: hFile=0x448, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.587] CloseHandle (hObject=0x448) returned 1 [0189.587] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c)) returned 1 [0189.588] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.588] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0189.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c)) returned 1 [0189.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a980c0 | out: pbBuffer=0x12a980c0) returned 1 [0189.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810190 | out: pbBuffer=0x12810190) returned 1 [0189.588] ReadFile (in: hFile=0x448, lpBuffer=0x12a24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a24000*, lpNumberOfBytesRead=0x12a73d1c*=0x17c, lpOverlapped=0x0) returned 1 [0189.590] GetFileType (hFile=0x448) returned 0x1 [0189.590] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.590] WriteFile (in: hFile=0x448, lpBuffer=0x128f2000*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x128f2000*, lpNumberOfBytesWritten=0x12a73d00*=0x17c, lpOverlapped=0x12a73d0c) returned 1 [0189.590] GetFileType (hFile=0x448) returned 0x1 [0189.590] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x17c, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.590] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0189.590] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0189.590] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0189.591] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810248 | out: pbBuffer=0x12810248) returned 1 [0189.591] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0189.591] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0189.591] WriteFile (in: hFile=0x42c, lpBuffer=0x12c20000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.633] CloseHandle (hObject=0x42c) returned 1 [0189.634] CloseHandle (hObject=0x448) returned 1 [0189.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810270 | out: pbBuffer=0x12810270) returned 1 [0189.634] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[9FCA7E4D2A5B2345]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\pictures\\#_this_file_is_encrypted_[9fca7e4d2a5b2345]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.635] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\application data"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.635] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data\\*", lpFindFileData=0x12a73a44 | out: lpFindFileData=0x12a73a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.636] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x241f3052, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.636] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.636] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.636] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.637] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3bbf8cb3, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0x3bbf8cb3, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0189.637] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Unistore", cAlternateFileName="")) returned 1 [0189.637] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xc44b2fe5, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xc44b2fe5, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 1 [0189.637] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.637] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.637] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.637] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.637] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.638] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0189.638] WriteFile (in: hFile=0x448, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0189.639] CloseHandle (hObject=0x448) returned 1 [0189.639] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xeb439aee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xeb439aee, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.640] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.640] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xeb439aee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xeb439aee, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0189.640] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xeb439aee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xeb439aee, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.640] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b315521, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xeb439aee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xeb43ae8c, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="CalendarCache.dat", cAlternateFileName="CALEND~1.DAT")) returned 1 [0189.640] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.640] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0189.640] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.641] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.641] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.641] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0189.641] WriteFile (in: hFile=0x448, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0189.643] CloseHandle (hObject=0x448) returned 1 [0189.643] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b315521, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xeb439aee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xeb43ae8c, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x14)) returned 1 [0189.643] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistore"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.643] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.644] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.644] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.670] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.670] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.671] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.671] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.671] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.672] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0189.672] WriteFile (in: hFile=0x448, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0189.673] CloseHandle (hObject=0x448) returned 1 [0189.673] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xc44b2fe5, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xc44b2fe5, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0189.673] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.674] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xc44b2fe5, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xc44b2fe5, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xc44b2fe5, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xc44b2fe5, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23a0d188, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23a0d188, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xc449e3a7, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x600000, dwReserved0=0x0, dwReserved1=0x0, cFileName="store.vol", cAlternateFileName="")) returned 1 [0189.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc44b2fe5, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xc44b2fe5, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xc44e79be, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmp.edb", cAlternateFileName="")) returned 1 [0189.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239e71ab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239e71ab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xe9d47116, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USS.chk", cAlternateFileName="")) returned 1 [0189.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xc44661a2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USS.log", cAlternateFileName="")) returned 1 [0189.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USSres00001.jrs", cAlternateFileName="USSRES~1.JRS")) returned 1 [0189.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USSres00002.jrs", cAlternateFileName="USSRES~2.JRS")) returned 1 [0189.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xdd289e64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USStmp.log", cAlternateFileName="")) returned 1 [0189.674] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.674] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.674] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.675] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.675] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.675] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0189.675] WriteFile (in: hFile=0x448, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0189.677] CloseHandle (hObject=0x448) returned 1 [0189.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\uss.chk"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239e71ab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239e71ab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xe9d47116, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0189.682] SetEvent (hEvent=0xf4) returned 1 [0189.682] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\uss.log"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xc44661a2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x300000)) returned 1 [0189.682] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00001.jrs"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000)) returned 1 [0189.682] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00002.jrs"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000)) returned 1 [0189.682] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.683] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0189.683] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00001.jrs"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000)) returned 1 [0189.683] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a989c0 | out: pbBuffer=0x12a989c0) returned 1 [0189.683] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811ac0 | out: pbBuffer=0x12811ac0) returned 1 [0189.683] ReadFile (in: hFile=0x448, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12a6fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0189.691] GetFileType (hFile=0x448) returned 0x1 [0189.691] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.691] WriteFile (in: hFile=0x448, lpBuffer=0x12ce4000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12ce4000*, lpNumberOfBytesWritten=0x12a6fd00*=0x20000, lpOverlapped=0x12a6fd0c) returned 1 [0189.692] GetFileType (hFile=0x448) returned 0x1 [0189.692] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.692] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0189.692] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0189.692] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0189.693] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811b78 | out: pbBuffer=0x12811b78) returned 1 [0189.693] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00001.jrs"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.693] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0189.693] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c20500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20500*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0189.825] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0189.864] CloseHandle (hObject=0x1a0) returned 1 [0189.864] CloseHandle (hObject=0x448) returned 1 [0189.864] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0190.167] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0190.332] SetEvent (hEvent=0xf4) returned 1 [0190.332] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0190.454] SetEvent (hEvent=0x1d0) returned 1 [0190.454] SetEvent (hEvent=0x19c) returned 1 [0190.454] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0192.708] SwitchToThread () returned 1 [0193.545] SwitchToThread () returned 1 [0193.694] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\{36D9A683-961C-11EC-B0BF-000FF3E16138}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\{36d9a683-961c-11ec-b0bf-000ff3e16138}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0193.695] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\{36D9A683-961C-11EC-B0BF-000FF3E16138}.dat\\*", lpFindFileData=0x12a73a44 | out: lpFindFileData=0x12a73a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0193.695] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0194.814] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0195.082] SetEvent (hEvent=0x40c) returned 1 [0195.082] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0195.151] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-userconfig.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0195.152] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0195.152] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-userconfig.log"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4137bbef, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x431128d7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x514)) returned 1 [0195.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0195.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0195.154] ReadFile (in: hFile=0x1a0, lpBuffer=0x12a04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a04000*, lpNumberOfBytesRead=0x12a6fd1c*=0x514, lpOverlapped=0x0) returned 1 [0195.344] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0195.498] GetFileType (hFile=0x1a0) returned 0x1 [0195.498] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0195.508] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c90000*, nNumberOfBytesToWrite=0x514, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12c90000*, lpNumberOfBytesWritten=0x12a6fd00*=0x514, lpOverlapped=0x12a6fd0c) returned 1 [0195.508] GetFileType (hFile=0x1a0) returned 0x1 [0195.508] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x514, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0195.722] SetEvent (hEvent=0x40c) returned 1 [0195.722] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0196.725] SetEvent (hEvent=0xfc) returned 1 [0196.725] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0196.736] SetEvent (hEvent=0xfc) returned 1 [0196.736] SetEvent (hEvent=0x40c) returned 1 [0196.736] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0196.736] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0196.736] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\07_tv_recorded_in_the_last_week.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x410)) returned 1 [0196.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0196.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0196.737] ReadFile (in: hFile=0x15c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a6dd1c*=0x410, lpOverlapped=0x0) returned 1 [0196.768] GetFileType (hFile=0x15c) returned 0x1 [0196.768] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0196.768] WriteFile (in: hFile=0x15c, lpBuffer=0x12890480*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12890480*, lpNumberOfBytesWritten=0x12a6dd00*=0x410, lpOverlapped=0x12a6dd0c) returned 1 [0196.768] GetFileType (hFile=0x15c) returned 0x1 [0196.768] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x410, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0196.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0196.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0196.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0196.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0196.770] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0196.770] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0196.770] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.770] CloseHandle (hObject=0x438) returned 1 [0196.774] CloseHandle (hObject=0x15c) returned 1 [0196.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0196.777] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[CB4DA5E170F08FBB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[cb4da5e170f08fbb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.971] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0196.978] SetEvent (hEvent=0xfc) returned 1 [0196.978] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\11_All_Pictures.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0196.978] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0196.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\11_All_Pictures.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\11_all_pictures.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x249)) returned 1 [0196.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282c0 | out: pbBuffer=0x129282c0) returned 1 [0196.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810190 | out: pbBuffer=0x12810190) returned 1 [0196.978] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a6dd1c*=0x249, lpOverlapped=0x0) returned 1 [0196.980] GetFileType (hFile=0x1a0) returned 0x1 [0196.980] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0196.980] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a5a780*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12a5a780*, lpNumberOfBytesWritten=0x12a6dd00*=0x249, lpOverlapped=0x12a6dd0c) returned 1 [0196.980] GetFileType (hFile=0x1a0) returned 0x1 [0196.980] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x249, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0196.981] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0196.981] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0196.981] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0196.981] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810248 | out: pbBuffer=0x12810248) returned 1 [0196.981] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\11_All_Pictures.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\11_all_pictures.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0196.982] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0196.982] WriteFile (in: hFile=0x15c, lpBuffer=0x12ceea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ceea00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.985] CloseHandle (hObject=0x15c) returned 1 [0196.997] CloseHandle (hObject=0x1a0) returned 1 [0197.000] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810270 | out: pbBuffer=0x12810270) returned 1 [0197.000] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\11_All_Pictures.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\11_all_pictures.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[A581A03FDDA2C30A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[a581a03fdda2c30a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.174] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\033A5E2E-F52B-4392-A855-EB1B603352F7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\033a5e2e-f52b-4392-a855-eb1b603352f7"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0197.174] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0197.174] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\033A5E2E-F52B-4392-A855-EB1B603352F7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\033a5e2e-f52b-4392-a855-eb1b603352f7"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e03b9e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e03b9e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e03b9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xaff)) returned 1 [0197.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e260 | out: pbBuffer=0x1280e260) returned 1 [0197.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a048 | out: pbBuffer=0x12a9a048) returned 1 [0197.175] ReadFile (in: hFile=0x3c4, lpBuffer=0x12d50000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d50000*, lpNumberOfBytesRead=0x12a4bd1c*=0xaff, lpOverlapped=0x0) returned 1 [0197.183] GetFileType (hFile=0x3c4) returned 0x1 [0197.183] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0197.183] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0xaff, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12a4bd00*=0xaff, lpOverlapped=0x12a4bd0c) returned 1 [0197.183] GetFileType (hFile=0x3c4) returned 0x1 [0197.183] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0xaff, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0197.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0197.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0197.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0197.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a110 | out: pbBuffer=0x12a9a110) returned 1 [0197.186] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\033A5E2E-F52B-4392-A855-EB1B603352F7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\033a5e2e-f52b-4392-a855-eb1b603352f7"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.186] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0197.186] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a64000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a64000*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0197.187] CloseHandle (hObject=0x1a0) returned 1 [0197.187] CloseHandle (hObject=0x3c4) returned 1 [0197.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a128 | out: pbBuffer=0x12a9a128) returned 1 [0197.187] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\033A5E2E-F52B-4392-A855-EB1B603352F7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\033a5e2e-f52b-4392-a855-eb1b603352f7"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[FC148018AC4986DA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[fc148018ac4986da]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.371] SetEvent (hEvent=0x110) returned 1 [0197.371] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0197.376] SetEvent (hEvent=0x19c) returned 1 [0197.376] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0BB3D81C-E14E-48A8-9E37-42996BD92C45" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0bb3d81c-e14e-48a8-9e37-42996bd92c45"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0197.376] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0197.376] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0BB3D81C-E14E-48A8-9E37-42996BD92C45" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0bb3d81c-e14e-48a8-9e37-42996bd92c45"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5398c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b5398c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b54d17, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5ba7)) returned 1 [0197.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e260 | out: pbBuffer=0x1280e260) returned 1 [0197.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848630 | out: pbBuffer=0x12848630) returned 1 [0197.377] ReadFile (in: hFile=0x15c, lpBuffer=0x12cee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cee000*, lpNumberOfBytesRead=0x12a4bd1c*=0x5ba7, lpOverlapped=0x0) returned 1 [0197.381] GetFileType (hFile=0x15c) returned 0x1 [0197.381] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0197.381] WriteFile (in: hFile=0x15c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x5ba7, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a4bd00*=0x5ba7, lpOverlapped=0x12a4bd0c) returned 1 [0197.382] GetFileType (hFile=0x15c) returned 0x1 [0197.382] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x5ba7, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0197.382] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0197.382] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0197.382] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0197.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848728 | out: pbBuffer=0x12848728) returned 1 [0197.383] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0BB3D81C-E14E-48A8-9E37-42996BD92C45" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0bb3d81c-e14e-48a8-9e37-42996bd92c45"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0197.383] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0197.383] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0197.383] CloseHandle (hObject=0x3c4) returned 1 [0197.385] CloseHandle (hObject=0x15c) returned 1 [0197.389] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848750 | out: pbBuffer=0x12848750) returned 1 [0197.389] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0BB3D81C-E14E-48A8-9E37-42996BD92C45" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0bb3d81c-e14e-48a8-9e37-42996bd92c45"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[FED09DD3CD625782]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[fed09dd3cd625782]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.610] SetEvent (hEvent=0x110) returned 1 [0197.610] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0197.618] SetEvent (hEvent=0x1d0) returned 1 [0197.618] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\149ef4f4-82e0-49bf-99db-2ea4a1b5fd74"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0197.619] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0197.619] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\149ef4f4-82e0-49bf-99db-2ea4a1b5fd74"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84be520, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84be520, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84bf915, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1193)) returned 1 [0197.619] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e980 | out: pbBuffer=0x1280e980) returned 1 [0197.619] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ce0 | out: pbBuffer=0x12848ce0) returned 1 [0197.619] ReadFile (in: hFile=0x15c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a73d1c*=0x1193, lpOverlapped=0x0) returned 1 [0197.629] GetFileType (hFile=0x15c) returned 0x1 [0197.629] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0197.629] WriteFile (in: hFile=0x15c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x1193, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12a73d00*=0x1193, lpOverlapped=0x12a73d0c) returned 1 [0197.630] GetFileType (hFile=0x15c) returned 0x1 [0197.630] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x1193, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0197.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0197.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0197.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0197.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848dd8 | out: pbBuffer=0x12848dd8) returned 1 [0197.630] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\149ef4f4-82e0-49bf-99db-2ea4a1b5fd74"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.631] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0197.631] WriteFile (in: hFile=0x1a0, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0197.631] CloseHandle (hObject=0x1a0) returned 1 [0197.633] CloseHandle (hObject=0x15c) returned 1 [0197.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848e10 | out: pbBuffer=0x12848e10) returned 1 [0197.634] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\149ef4f4-82e0-49bf-99db-2ea4a1b5fd74"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[E392EF80B10D6BE6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[e392ef80b10d6be6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.762] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0197.770] SetEvent (hEvent=0x1d0) returned 1 [0197.770] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1A8199FD-6A7F-407E-BA91-64E3C5A3EECB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1a8199fd-6a7f-407e-ba91-64e3c5a3eecb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0197.770] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0197.770] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1A8199FD-6A7F-407E-BA91-64E3C5A3EECB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1a8199fd-6a7f-407e-ba91-64e3c5a3eecb"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc860f3fd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc860f3fd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc86107a9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc69)) returned 1 [0197.771] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844960 | out: pbBuffer=0x12844960) returned 1 [0197.771] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810810 | out: pbBuffer=0x12810810) returned 1 [0197.771] ReadFile (in: hFile=0x15c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a6dd1c*=0xc69, lpOverlapped=0x0) returned 1 [0197.777] GetFileType (hFile=0x15c) returned 0x1 [0197.777] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0197.777] WriteFile (in: hFile=0x15c, lpBuffer=0x12a3a000*, nNumberOfBytesToWrite=0xc69, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12a3a000*, lpNumberOfBytesWritten=0x12a6dd00*=0xc69, lpOverlapped=0x12a6dd0c) returned 1 [0197.778] GetFileType (hFile=0x15c) returned 0x1 [0197.778] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xc69, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0197.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0197.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0197.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0197.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128108c8 | out: pbBuffer=0x128108c8) returned 1 [0197.778] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1A8199FD-6A7F-407E-BA91-64E3C5A3EECB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1a8199fd-6a7f-407e-ba91-64e3c5a3eecb"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.779] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0197.779] WriteFile (in: hFile=0x1a0, lpBuffer=0x128f6a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x128f6a00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0197.779] CloseHandle (hObject=0x1a0) returned 1 [0197.781] CloseHandle (hObject=0x15c) returned 1 [0197.784] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128108e0 | out: pbBuffer=0x128108e0) returned 1 [0197.784] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1A8199FD-6A7F-407E-BA91-64E3C5A3EECB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1a8199fd-6a7f-407e-ba91-64e3c5a3eecb"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[97206849BE953292]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[97206849be953292]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.064] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23BF312F-1BE9-4411-BFF6-FA34461B5139" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23bf312f-1be9-4411-bff6-fa34461b5139"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0198.064] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0198.064] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23BF312F-1BE9-4411-BFF6-FA34461B5139" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23bf312f-1be9-4411-bff6-fa34461b5139"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4efb86e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4efb86e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4efcbea, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6b94)) returned 1 [0198.065] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98200 | out: pbBuffer=0x12a98200) returned 1 [0198.065] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0198.065] ReadFile (in: hFile=0x15c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a6fd1c*=0x6b94, lpOverlapped=0x0) returned 1 [0198.071] GetFileType (hFile=0x15c) returned 0x1 [0198.071] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0198.071] WriteFile (in: hFile=0x15c, lpBuffer=0x1299a000*, nNumberOfBytesToWrite=0x6b94, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x1299a000*, lpNumberOfBytesWritten=0x12a6fd00*=0x6b94, lpOverlapped=0x12a6fd0c) returned 1 [0198.072] GetFileType (hFile=0x15c) returned 0x1 [0198.072] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x6b94, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0198.072] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0198.072] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0198.072] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0198.073] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341b0 | out: pbBuffer=0x12c341b0) returned 1 [0198.073] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23BF312F-1BE9-4411-BFF6-FA34461B5139" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23bf312f-1be9-4411-bff6-fa34461b5139"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.073] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0198.073] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.073] CloseHandle (hObject=0x1a0) returned 1 [0198.077] CloseHandle (hObject=0x15c) returned 1 [0198.083] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341c8 | out: pbBuffer=0x12c341c8) returned 1 [0198.083] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23BF312F-1BE9-4411-BFF6-FA34461B5139" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23bf312f-1be9-4411-bff6-fa34461b5139"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[43E2667AFC0167F4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[43e2667afc0167f4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.221] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0198.247] SetEvent (hEvent=0x19c) returned 1 [0198.247] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2A756DDE-34E8-4DC2-855B-44682E9D4845" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2a756dde-34e8-4dc2-855b-44682e9d4845"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0198.247] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0198.247] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2A756DDE-34E8-4DC2-855B-44682E9D4845" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2a756dde-34e8-4dc2-855b-44682e9d4845"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb502ff48, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb502ff48, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb503124f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x666c)) returned 1 [0198.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0198.248] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0198.248] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x12a6fd1c*=0x666c, lpOverlapped=0x0) returned 1 [0198.252] GetFileType (hFile=0x3c4) returned 0x1 [0198.253] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0198.253] WriteFile (in: hFile=0x3c4, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x666c, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a6fd00*=0x666c, lpOverlapped=0x12a6fd0c) returned 1 [0198.253] GetFileType (hFile=0x3c4) returned 0x1 [0198.253] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x666c, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0198.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0198.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0198.254] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0198.254] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0198.254] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2A756DDE-34E8-4DC2-855B-44682E9D4845" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2a756dde-34e8-4dc2-855b-44682e9d4845"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.254] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0198.254] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d8ca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12d8ca00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.254] CloseHandle (hObject=0x1a0) returned 1 [0198.264] CloseHandle (hObject=0x3c4) returned 1 [0198.275] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0198.275] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2A756DDE-34E8-4DC2-855B-44682E9D4845" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2a756dde-34e8-4dc2-855b-44682e9d4845"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[393E2027826AEC8A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[393e2027826aec8a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.438] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0198.556] SetEvent (hEvent=0x19c) returned 1 [0198.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3628527B-53B7-45AD-A6DB-2BB7CCE4B284" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3628527b-53b7-45ad-a6db-2bb7cce4b284"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0198.557] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0198.557] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3628527B-53B7-45AD-A6DB-2BB7CCE4B284" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3628527b-53b7-45ad-a6db-2bb7cce4b284"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bdad10, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bdad10, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bdad10, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x8440)) returned 1 [0198.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e760 | out: pbBuffer=0x1280e760) returned 1 [0198.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849090 | out: pbBuffer=0x12849090) returned 1 [0198.557] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x0 [0198.571] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0198.571] SetEvent (hEvent=0x110) returned 1 [0198.571] SetEvent (hEvent=0x19c) returned 1 [0198.572] ReadFile (in: hFile=0x438, lpBuffer=0x12d44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d44000*, lpNumberOfBytesRead=0x12a6fd1c*=0x8440, lpOverlapped=0x0) returned 1 [0198.579] GetFileType (hFile=0x438) returned 0x1 [0198.579] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0198.579] WriteFile (in: hFile=0x438, lpBuffer=0x12d64000*, nNumberOfBytesToWrite=0x8440, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12d64000*, lpNumberOfBytesWritten=0x12a6fd00*=0x8440, lpOverlapped=0x12a6fd0c) returned 1 [0198.580] GetFileType (hFile=0x438) returned 0x1 [0198.580] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x8440, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0198.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd81 | out: pbBuffer=0x12afcd81) returned 1 [0198.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce81 | out: pbBuffer=0x12afce81) returned 1 [0198.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf81 | out: pbBuffer=0x12afcf81) returned 1 [0198.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ac40 | out: pbBuffer=0x12a9ac40) returned 1 [0198.581] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3628527B-53B7-45AD-A6DB-2BB7CCE4B284" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3628527b-53b7-45ad-a6db-2bb7cce4b284"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0198.581] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0198.581] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b44f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44f00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.581] CloseHandle (hObject=0x3c4) returned 1 [0198.586] CloseHandle (hObject=0x438) returned 1 [0198.592] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0198.593] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3628527B-53B7-45AD-A6DB-2BB7CCE4B284" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3628527b-53b7-45ad-a6db-2bb7cce4b284"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[0D2C4C12BC769402]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[0d2c4c12bc769402]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.813] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0198.831] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0198.918] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0198.945] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0198.973] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0199.040] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0199.045] SetEvent (hEvent=0x1d0) returned 1 [0199.046] SetEvent (hEvent=0x420) returned 1 [0199.046] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0199.048] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0199.049] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x0 [0199.050] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0199.050] SetEvent (hEvent=0x1d0) returned 1 [0199.051] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0199.058] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0199.058] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0199.782] SetEvent (hEvent=0x1d0) returned 1 [0199.782] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0199.783] SetEvent (hEvent=0x1d0) returned 1 [0199.783] SetEvent (hEvent=0x420) returned 1 [0199.783] SwitchToThread () returned 1 [0199.786] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0199.792] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0199.829] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0199.898] SetEvent (hEvent=0x420) returned 1 [0199.898] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\719CA5E5-2264-4D2B-B1BC-1979AE2F8481" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\719ca5e5-2264-4d2b-b1bc-1979ae2f8481"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.898] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0199.898] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\719CA5E5-2264-4D2B-B1BC-1979AE2F8481" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\719ca5e5-2264-4d2b-b1bc-1979ae2f8481"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4cf260c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4cf260c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4cf260c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xb156)) returned 1 [0199.899] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0199.899] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0199.899] ReadFile (in: hFile=0x438, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a6dd1c*=0xb156, lpOverlapped=0x0) returned 1 [0199.904] GetFileType (hFile=0x438) returned 0x1 [0199.904] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0199.904] WriteFile (in: hFile=0x438, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0xb156, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a6dd00*=0xb156, lpOverlapped=0x12a6dd0c) returned 1 [0199.905] GetFileType (hFile=0x438) returned 0x1 [0199.905] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xb156, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0199.905] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0199.905] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0199.905] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0199.905] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0199.905] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\719CA5E5-2264-4D2B-B1BC-1979AE2F8481" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\719ca5e5-2264-4d2b-b1bc-1979ae2f8481"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0199.906] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0199.906] WriteFile (in: hFile=0x448, lpBuffer=0x12926000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12926000*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.906] CloseHandle (hObject=0x448) returned 1 [0199.910] CloseHandle (hObject=0x438) returned 1 [0199.914] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0199.914] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\719CA5E5-2264-4D2B-B1BC-1979AE2F8481" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\719ca5e5-2264-4d2b-b1bc-1979ae2f8481"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[4EEC3D5DEEFD4E14]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[4eec3d5deefd4e14]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.036] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0200.040] SetEvent (hEvent=0xfc) returned 1 [0200.040] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7c92fceb-66eb-471d-9ba1-bdee0e12fd94"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.041] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.041] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7c92fceb-66eb-471d-9ba1-bdee0e12fd94"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae28fb, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae28fb, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae3bb5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f8f)) returned 1 [0200.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98440 | out: pbBuffer=0x12a98440) returned 1 [0200.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ff0 | out: pbBuffer=0x12810ff0) returned 1 [0200.041] ReadFile (in: hFile=0x438, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12a6fd1c*=0x1f8f, lpOverlapped=0x0) returned 1 [0200.047] GetFileType (hFile=0x438) returned 0x1 [0200.048] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.048] WriteFile (in: hFile=0x438, lpBuffer=0x12ace000*, nNumberOfBytesToWrite=0x1f8f, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12ace000*, lpNumberOfBytesWritten=0x12a6fd00*=0x1f8f, lpOverlapped=0x12a6fd0c) returned 1 [0200.048] GetFileType (hFile=0x438) returned 0x1 [0200.048] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x1f8f, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.048] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0200.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0200.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0200.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128110a8 | out: pbBuffer=0x128110a8) returned 1 [0200.049] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7c92fceb-66eb-471d-9ba1-bdee0e12fd94"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.049] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.049] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b2a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128b2a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.050] CloseHandle (hObject=0x3c4) returned 1 [0200.052] CloseHandle (hObject=0x438) returned 1 [0200.058] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128110c0 | out: pbBuffer=0x128110c0) returned 1 [0200.058] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7c92fceb-66eb-471d-9ba1-bdee0e12fd94"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[DEDD13BCD2A4F2F9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[dedd13bcd2a4f2f9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.317] SetEvent (hEvent=0x110) returned 1 [0200.317] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0200.321] SetEvent (hEvent=0xfc) returned 1 [0200.322] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\825BFDEB-777E-4DF1-818C-7CA4FC0D3016" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\825bfdeb-777e-4df1-818c-7ca4fc0d3016"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.322] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.322] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\825BFDEB-777E-4DF1-818C-7CA4FC0D3016" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\825bfdeb-777e-4df1-818c-7ca4fc0d3016"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8565b98, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8565b98, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8565b98, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c8)) returned 1 [0200.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844900 | out: pbBuffer=0x12844900) returned 1 [0200.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c347b0 | out: pbBuffer=0x12c347b0) returned 1 [0200.323] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0200.326] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0200.326] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0200.326] SetEvent (hEvent=0x110) returned 1 [0200.326] SetEvent (hEvent=0xfc) returned 1 [0200.326] ReadFile (in: hFile=0x438, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12829d1c*=0x4c8, lpOverlapped=0x0) returned 1 [0200.512] SetEvent (hEvent=0x110) returned 1 [0200.512] GetFileType (hFile=0x438) returned 0x1 [0200.512] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.513] WriteFile (in: hFile=0x438, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d00*=0x4c8, lpOverlapped=0x12829d0c) returned 1 [0200.513] GetFileType (hFile=0x438) returned 0x1 [0200.513] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x4c8, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0200.540] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0200.540] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0200.556] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848bf8 | out: pbBuffer=0x12848bf8) returned 1 [0200.557] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\825BFDEB-777E-4DF1-818C-7CA4FC0D3016" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\825bfdeb-777e-4df1-818c-7ca4fc0d3016"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.557] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.557] WriteFile (in: hFile=0x448, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.558] CloseHandle (hObject=0x448) returned 1 [0200.558] CloseHandle (hObject=0x438) returned 1 [0200.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848c30 | out: pbBuffer=0x12848c30) returned 1 [0200.558] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\825BFDEB-777E-4DF1-818C-7CA4FC0D3016" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\825bfdeb-777e-4df1-818c-7ca4fc0d3016"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[43EFE80332DF717B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[43efe80332df717b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.560] SetEvent (hEvent=0x420) returned 1 [0200.561] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9056E597-0C30-4F42-BA7A-70B004BF042A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9056e597-0c30-4f42-ba7a-70b004bf042a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.561] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.561] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9056E597-0C30-4F42-BA7A-70B004BF042A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9056e597-0c30-4f42-ba7a-70b004bf042a"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb476eaa3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb476eaa3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb476fe6d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c3c)) returned 1 [0200.561] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844a20 | out: pbBuffer=0x12844a20) returned 1 [0200.561] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848cd8 | out: pbBuffer=0x12848cd8) returned 1 [0200.561] ReadFile (in: hFile=0x438, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12829d1c*=0x4c3c, lpOverlapped=0x0) returned 1 [0200.655] GetFileType (hFile=0x438) returned 0x1 [0200.655] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.655] WriteFile (in: hFile=0x438, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x4c3c, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12829d00*=0x4c3c, lpOverlapped=0x12829d0c) returned 1 [0200.655] GetFileType (hFile=0x438) returned 0x1 [0200.655] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x4c3c, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0200.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0200.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0200.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848fb8 | out: pbBuffer=0x12848fb8) returned 1 [0200.656] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9056E597-0C30-4F42-BA7A-70B004BF042A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9056e597-0c30-4f42-ba7a-70b004bf042a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.656] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.656] WriteFile (in: hFile=0x448, lpBuffer=0x12850000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12850000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.657] CloseHandle (hObject=0x448) returned 1 [0200.657] CloseHandle (hObject=0x438) returned 1 [0200.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848fe0 | out: pbBuffer=0x12848fe0) returned 1 [0200.658] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9056E597-0C30-4F42-BA7A-70B004BF042A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9056e597-0c30-4f42-ba7a-70b004bf042a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[C2EC2038FB9579AD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[c2ec2038fb9579ad]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.659] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95301B49-34BE-47D5-99D1-1C50A4B80C13" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95301b49-34be-47d5-99d1-1c50a4b80c13"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc848065f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc848065f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84819da, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3b7)) returned 1 [0200.659] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95AFB9A8-DEAD-49F6-9234-BEA10973F0CD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95afb9a8-dead-49f6-9234-bea10973f0cd"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb715e7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb715e7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb715e7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x372b)) returned 1 [0200.659] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95301B49-34BE-47D5-99D1-1C50A4B80C13" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95301b49-34be-47d5-99d1-1c50a4b80c13"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.660] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.661] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95301B49-34BE-47D5-99D1-1C50A4B80C13" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95301b49-34be-47d5-99d1-1c50a4b80c13"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc848065f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc848065f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84819da, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3b7)) returned 1 [0200.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128452e0 | out: pbBuffer=0x128452e0) returned 1 [0200.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128496f0 | out: pbBuffer=0x128496f0) returned 1 [0200.661] ReadFile (in: hFile=0x438, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12829d1c*=0x3b7, lpOverlapped=0x0) returned 1 [0200.665] GetFileType (hFile=0x438) returned 0x1 [0200.665] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.665] WriteFile (in: hFile=0x438, lpBuffer=0x1287f400*, nNumberOfBytesToWrite=0x3b7, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x1287f400*, lpNumberOfBytesWritten=0x12829d00*=0x3b7, lpOverlapped=0x12829d0c) returned 1 [0200.665] GetFileType (hFile=0x438) returned 0x1 [0200.665] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x3b7, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0200.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801681 | out: pbBuffer=0x12801681) returned 1 [0200.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801781 | out: pbBuffer=0x12801781) returned 1 [0200.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128497c8 | out: pbBuffer=0x128497c8) returned 1 [0200.666] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95301B49-34BE-47D5-99D1-1C50A4B80C13" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95301b49-34be-47d5-99d1-1c50a4b80c13"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.667] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.667] WriteFile (in: hFile=0x448, lpBuffer=0x12850500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12850500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.667] CloseHandle (hObject=0x448) returned 1 [0200.667] CloseHandle (hObject=0x438) returned 1 [0200.667] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849800 | out: pbBuffer=0x12849800) returned 1 [0200.667] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95301B49-34BE-47D5-99D1-1C50A4B80C13" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95301b49-34be-47d5-99d1-1c50a4b80c13"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[607594BD47B8E821]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[607594bd47b8e821]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.669] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95AFB9A8-DEAD-49F6-9234-BEA10973F0CD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95afb9a8-dead-49f6-9234-bea10973f0cd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.669] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.669] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95AFB9A8-DEAD-49F6-9234-BEA10973F0CD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95afb9a8-dead-49f6-9234-bea10973f0cd"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb715e7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb715e7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb715e7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x372b)) returned 1 [0200.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128454e0 | out: pbBuffer=0x128454e0) returned 1 [0200.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849868 | out: pbBuffer=0x12849868) returned 1 [0200.670] ReadFile (in: hFile=0x438, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12829d1c*=0x372b, lpOverlapped=0x0) returned 1 [0200.717] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0200.740] SetEvent (hEvent=0x40c) returned 1 [0200.740] GetFileType (hFile=0x438) returned 0x1 [0200.740] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.740] WriteFile (in: hFile=0x438, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x372b, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12829d00*=0x372b, lpOverlapped=0x12829d0c) returned 1 [0200.741] GetFileType (hFile=0x438) returned 0x1 [0200.741] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x372b, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0200.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0200.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0200.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0200.742] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95AFB9A8-DEAD-49F6-9234-BEA10973F0CD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95afb9a8-dead-49f6-9234-bea10973f0cd"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.742] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.742] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a22000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a22000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.742] CloseHandle (hObject=0x1a0) returned 1 [0200.742] CloseHandle (hObject=0x438) returned 1 [0200.742] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0200.743] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95AFB9A8-DEAD-49F6-9234-BEA10973F0CD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\95afb9a8-dead-49f6-9234-bea10973f0cd"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[2991B455ED536DC7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[2991b455ed536dc7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.744] SetEvent (hEvent=0x3f8) returned 1 [0200.744] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0200.856] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AF769060-9C3B-4F97-8FB8-1EB72198BA39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\af769060-9c3b-4f97-8fb8-1eb72198ba39"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c9b2e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c9b2e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c9b2e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x367e)) returned 1 [0200.857] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B1725647-3A36-4C56-9803-89EDCA8238A8" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b1725647-3a36-4c56-9803-89edca8238a8"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f96f2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f96f2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9faa6d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2132)) returned 1 [0200.857] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AF769060-9C3B-4F97-8FB8-1EB72198BA39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\af769060-9c3b-4f97-8fb8-1eb72198ba39"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.857] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.857] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AF769060-9C3B-4F97-8FB8-1EB72198BA39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\af769060-9c3b-4f97-8fb8-1eb72198ba39"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c9b2e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c9b2e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c9b2e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x367e)) returned 1 [0200.857] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e3e0 | out: pbBuffer=0x1280e3e0) returned 1 [0200.857] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34590 | out: pbBuffer=0x12c34590) returned 1 [0200.858] ReadFile (in: hFile=0x1a0, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a6dd1c*=0x367e, lpOverlapped=0x0) returned 1 [0200.869] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0200.897] SetEvent (hEvent=0x19c) returned 1 [0200.897] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0200.901] SetEvent (hEvent=0x19c) returned 1 [0200.901] SetEvent (hEvent=0x40c) returned 1 [0200.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B20989ED-6B03-4803-ADD0-4360553EC384" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b20989ed-6b03-4803-add0-4360553ec384"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c666c7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8c666c7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8c666c7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x148c)) returned 1 [0200.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B6937276-0D21-44E4-B6A5-2F13F90E1698" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b6937276-0d21-44e4-b6a5-2f13f90e1698"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4df9f3a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4df9f3a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4df9f3a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7cb)) returned 1 [0200.902] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B74632A4-B059-4F5A-849D-252172A06A99" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b74632a4-b059-4f5a-849d-252172a06a99"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd8b94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82cd8b94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82cd8b94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5505)) returned 1 [0200.902] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BB41F806-1043-41B2-9372-8F6E7066247A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bb41f806-1043-41b2-9372-8f6e7066247a"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f482a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f482a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9f482a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3888)) returned 1 [0200.903] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B74632A4-B059-4F5A-849D-252172A06A99" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b74632a4-b059-4f5a-849d-252172a06a99"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.903] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.903] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B74632A4-B059-4F5A-849D-252172A06A99" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b74632a4-b059-4f5a-849d-252172a06a99"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd8b94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82cd8b94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82cd8b94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5505)) returned 1 [0200.903] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0200.903] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aaf0 | out: pbBuffer=0x12a9aaf0) returned 1 [0200.903] ReadFile (in: hFile=0x15c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12829d1c*=0x5505, lpOverlapped=0x0) returned 1 [0200.921] GetFileType (hFile=0x15c) returned 0x1 [0200.921] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.921] WriteFile (in: hFile=0x15c, lpBuffer=0x12a06000*, nNumberOfBytesToWrite=0x5505, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a06000*, lpNumberOfBytesWritten=0x12829d00*=0x5505, lpOverlapped=0x12829d0c) returned 1 [0200.921] GetFileType (hFile=0x15c) returned 0x1 [0200.922] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x5505, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0200.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0200.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0200.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9aba8 | out: pbBuffer=0x12a9aba8) returned 1 [0200.923] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B74632A4-B059-4F5A-849D-252172A06A99" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b74632a4-b059-4f5a-849d-252172a06a99"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.923] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.923] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.923] CloseHandle (hObject=0x3c4) returned 1 [0200.923] CloseHandle (hObject=0x15c) returned 1 [0200.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9abc0 | out: pbBuffer=0x12a9abc0) returned 1 [0200.924] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B74632A4-B059-4F5A-849D-252172A06A99" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b74632a4-b059-4f5a-849d-252172a06a99"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[DDD1EDEF521BF86A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[ddd1edef521bf86a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B6937276-0D21-44E4-B6A5-2F13F90E1698" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b6937276-0d21-44e4-b6a5-2f13f90e1698"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.925] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B6937276-0D21-44E4-B6A5-2F13F90E1698" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b6937276-0d21-44e4-b6a5-2f13f90e1698"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4df9f3a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4df9f3a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4df9f3a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7cb)) returned 1 [0200.925] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282a0 | out: pbBuffer=0x129282a0) returned 1 [0200.925] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ac08 | out: pbBuffer=0x12a9ac08) returned 1 [0200.925] ReadFile (in: hFile=0x15c, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12a6fd1c*=0x7cb, lpOverlapped=0x0) returned 1 [0200.952] GetFileType (hFile=0x15c) returned 0x1 [0200.952] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.952] WriteFile (in: hFile=0x15c, lpBuffer=0x12ae8000*, nNumberOfBytesToWrite=0x7cb, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12ae8000*, lpNumberOfBytesWritten=0x12a6fd00*=0x7cb, lpOverlapped=0x12a6fd0c) returned 1 [0200.952] GetFileType (hFile=0x15c) returned 0x1 [0200.952] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x7cb, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.952] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0200.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0200.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0200.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9acc0 | out: pbBuffer=0x12a9acc0) returned 1 [0200.953] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B6937276-0D21-44E4-B6A5-2F13F90E1698" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b6937276-0d21-44e4-b6a5-2f13f90e1698"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.953] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.954] WriteFile (in: hFile=0x448, lpBuffer=0x12c32500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32500*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.954] CloseHandle (hObject=0x448) returned 1 [0200.954] CloseHandle (hObject=0x15c) returned 1 [0200.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9acd8 | out: pbBuffer=0x12a9acd8) returned 1 [0200.954] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B6937276-0D21-44E4-B6A5-2F13F90E1698" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b6937276-0d21-44e4-b6a5-2f13f90e1698"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[E0DBEF30223B7137]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[e0dbef30223b7137]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.955] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C4181E33-213A-4456-87BA-15FD83064187" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c4181e33-213a-4456-87ba-15fd83064187"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.956] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.956] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C4181E33-213A-4456-87BA-15FD83064187" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c4181e33-213a-4456-87ba-15fd83064187"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9cfd00, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9cfd00, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9d23da, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2f7e)) returned 1 [0200.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284e0 | out: pbBuffer=0x129284e0) returned 1 [0200.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ad20 | out: pbBuffer=0x12a9ad20) returned 1 [0200.956] ReadFile (in: hFile=0x15c, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12a6fd1c*=0x2f7e, lpOverlapped=0x0) returned 1 [0200.976] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.011] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C9B26F48-B9B2-452D-9E4F-BD539A769B1B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c9b26f48-b9b2-452d-9e4f-bd539a769b1b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0201.011] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0201.011] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C9B26F48-B9B2-452D-9E4F-BD539A769B1B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c9b26f48-b9b2-452d-9e4f-bd539a769b1b"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e2fa78, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e2fa78, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e30e51, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5543)) returned 1 [0201.011] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0201.011] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0201.011] ReadFile (in: hFile=0x438, lpBuffer=0x12a28000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a28000*, lpNumberOfBytesRead=0x129abd1c*=0x5543, lpOverlapped=0x0) returned 1 [0201.048] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.059] SetEvent (hEvent=0x420) returned 1 [0201.059] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.065] SetEvent (hEvent=0x40c) returned 1 [0201.066] SetEvent (hEvent=0x1d0) returned 1 [0201.066] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0201.073] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.073] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x0 [0201.075] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0201.075] SetEvent (hEvent=0x19c) returned 1 [0201.075] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0201.083] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DB4F9AB3-289C-4C85-93DC-C7725673E79B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\db4f9ab3-289c-4c85-93dc-c7725673e79b"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc856808a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc856808a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc856808a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xfe2)) returned 1 [0201.084] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.229] SetEvent (hEvent=0x3f8) returned 1 [0201.229] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.244] SetEvent (hEvent=0x420) returned 1 [0201.244] SwitchToThread () returned 1 [0201.250] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.264] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.276] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.374] SetEvent (hEvent=0x1d0) returned 1 [0201.374] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\fdac0094-8c06-4be5-856f-0db7bb8f69b9"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49ec6e1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49ec6e1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49eda26, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486e)) returned 1 [0201.375] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.410] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.420] SetEvent (hEvent=0x420) returned 1 [0201.420] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.425] SetEvent (hEvent=0x40c) returned 1 [0201.426] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0201.435] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.435] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x0 [0201.437] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0201.437] SetEvent (hEvent=0xfc) returned 1 [0201.437] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0201.440] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0201.440] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0204.476] SetEvent (hEvent=0x3f8) returned 1 [0204.476] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0204.480] SetEvent (hEvent=0x3f8) returned 1 [0204.480] SetEvent (hEvent=0xfc) returned 1 [0204.480] GetFileType (hFile=0x15c) returned 0x1 [0204.480] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a83ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.480] WriteFile (in: hFile=0x15c, lpBuffer=0x1285a000*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x12a83d00, lpOverlapped=0x12a83d0c | out: lpBuffer=0x1285a000*, lpNumberOfBytesWritten=0x12a83d00*=0x12c, lpOverlapped=0x12a83d0c) returned 1 [0204.480] GetFileType (hFile=0x15c) returned 0x1 [0204.480] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x12c, lpNewFilePointer=0x0, dwMoveMethod=0x12a83ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0204.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0204.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0204.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0204.482] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otele.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.482] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0204.482] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.483] CloseHandle (hObject=0x438) returned 1 [0204.487] CloseHandle (hObject=0x15c) returned 1 [0204.491] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0204.491] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otele.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\#_THIS_FILE_IS_ENCRYPTED_[2AE06AC1EF0CEE7B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\#_this_file_is_encrypted_[2ae06ac1ef0cee7b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.747] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\exclusionlist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0204.748] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0204.748] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94689b47, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94689b47, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9489fc30, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0204.748] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f120 | out: pbBuffer=0x1280f120) returned 1 [0204.749] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9abc0 | out: pbBuffer=0x12a9abc0) returned 1 [0204.749] ReadFile (in: hFile=0x15c, lpBuffer=0x129a6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a6000*, lpNumberOfBytesRead=0x12829d1c*=0x4e5f, lpOverlapped=0x0) returned 1 [0204.766] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0204.783] SetEvent (hEvent=0x420) returned 1 [0204.783] SetEvent (hEvent=0x10c) returned 1 [0204.783] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0204.792] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0204.792] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0204.797] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0204.797] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0204.797] SetEvent (hEvent=0xfc) returned 1 [0204.797] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0204.801] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0204.801] GetFileType (hFile=0x15c) returned 0x1 [0204.801] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0204.801] WriteFile (in: hFile=0x15c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x4e5f, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x1282fd00*=0x4e5f, lpOverlapped=0x1282fd0c) returned 1 [0204.809] GetFileType (hFile=0x15c) returned 0x1 [0204.809] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x4e5f, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0204.809] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0204.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0204.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0204.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0204.810] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\exclusionlist.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0204.811] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0204.811] WriteFile (in: hFile=0x448, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0204.811] CloseHandle (hObject=0x448) returned 1 [0204.825] CloseHandle (hObject=0x15c) returned 1 [0204.871] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0204.871] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\exclusionlist.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\#_THIS_FILE_IS_ENCRYPTED_[B83072D7F7D08FE1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\#_this_file_is_encrypted_[b83072d7f7d08fe1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.401] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0205.481] SetEvent (hEvent=0x19c) returned 1 [0205.481] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.482] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0205.482] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93186f59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93186f59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0205.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0205.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0205.482] ReadFile (in: hFile=0x448, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12a6fd1c*=0x164c0, lpOverlapped=0x0) returned 1 [0205.499] GetFileType (hFile=0x448) returned 0x1 [0205.499] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0205.499] WriteFile (in: hFile=0x448, lpBuffer=0x12b98000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12b98000*, lpNumberOfBytesWritten=0x12a6fd00*=0x164c0, lpOverlapped=0x12a6fd0c) returned 1 [0205.500] GetFileType (hFile=0x448) returned 0x1 [0205.500] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0205.500] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0205.500] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0205.501] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0205.501] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0205.501] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0205.501] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0205.501] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0205.502] CloseHandle (hObject=0x1a0) returned 1 [0205.502] CloseHandle (hObject=0x448) returned 1 [0205.502] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0205.502] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\#_THIS_FILE_IS_ENCRYPTED_[60EC55D986DAEB71]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\#_this_file_is_encrypted_[60ec55d986daeb71]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.607] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0205.630] SetEvent (hEvent=0x19c) returned 1 [0205.630] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0205.637] SetEvent (hEvent=0x1d0) returned 1 [0205.637] SetEvent (hEvent=0x3f8) returned 1 [0205.637] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0205.687] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0205.745] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.746] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0205.746] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x149cb56a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x149cb56a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14e439d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0205.746] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0205.746] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0205.746] ReadFile (in: hFile=0x15c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12829d1c*=0x27f2, lpOverlapped=0x0) returned 1 [0205.759] GetFileType (hFile=0x15c) returned 0x1 [0205.759] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.759] WriteFile (in: hFile=0x15c, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x27f2, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12829d00*=0x27f2, lpOverlapped=0x12829d0c) returned 1 [0205.760] GetFileType (hFile=0x15c) returned 0x1 [0205.760] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x27f2, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0205.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0205.761] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0205.761] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0205.761] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0205.761] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0205.761] WriteFile (in: hFile=0x438, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0205.762] CloseHandle (hObject=0x438) returned 1 [0205.768] CloseHandle (hObject=0x15c) returned 1 [0205.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0205.778] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[4EFBB8A10777B201]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[4efbb8a10777b201]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.900] SetEvent (hEvent=0x110) returned 1 [0205.900] SetEvent (hEvent=0x3f8) returned 1 [0205.900] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\exclusionlist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0205.900] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0205.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15de92d7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15de92d7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15f66b03, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0205.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98620 | out: pbBuffer=0x12a98620) returned 1 [0205.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103b0 | out: pbBuffer=0x128103b0) returned 1 [0205.902] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12829d1c*=0x4e5f, lpOverlapped=0x0) returned 1 [0206.087] SetEvent (hEvent=0x110) returned 1 [0206.087] GetFileType (hFile=0x1a0) returned 0x1 [0206.087] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.088] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x4e5f, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12829d00*=0x4e5f, lpOverlapped=0x12829d0c) returned 1 [0206.088] GetFileType (hFile=0x1a0) returned 0x1 [0206.088] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x4e5f, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0206.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0206.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0206.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0206.089] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\exclusionlist.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0206.089] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0206.089] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.089] CloseHandle (hObject=0x438) returned 1 [0206.089] CloseHandle (hObject=0x1a0) returned 1 [0206.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0206.090] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\exclusionlist.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[80532C873A1B5D1A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[80532c873a1b5d1a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.091] SetEvent (hEvent=0x19c) returned 1 [0206.091] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0206.091] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0206.091] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncclient.dll"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21721d25, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x21721d25, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x218eb79d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0)) returned 1 [0206.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928420 | out: pbBuffer=0x12928420) returned 1 [0206.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0206.092] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0206.268] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0206.283] SetEvent (hEvent=0x420) returned 1 [0206.283] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0206.287] SetEvent (hEvent=0x420) returned 1 [0206.287] SetEvent (hEvent=0x19c) returned 1 [0206.287] SetEvent (hEvent=0xfc) returned 1 [0206.287] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0206.332] SetEvent (hEvent=0x3f8) returned 1 [0206.332] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0206.353] SetEvent (hEvent=0x10c) returned 1 [0206.353] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0206.358] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0209.017] SetEvent (hEvent=0x1d0) returned 1 [0209.017] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0210.439] SetEvent (hEvent=0x1d0) returned 1 [0210.439] SetEvent (hEvent=0x3f8) returned 1 [0210.439] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0210.505] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0214.881] SetEvent (hEvent=0x420) returned 1 [0214.881] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0225.003] SetEvent (hEvent=0x420) returned 1 [0225.003] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0225.007] SetEvent (hEvent=0x420) returned 1 [0225.007] SwitchToThread () returned 1 [0225.015] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0225.087] SetEvent (hEvent=0x3cc) returned 1 [0225.088] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\loggingplatform.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0225.089] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0225.089] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\loggingplatform.dll"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5125164f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5125164f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x512e9fc5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0)) returned 1 [0225.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0225.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a128 | out: pbBuffer=0x12a9a128) returned 1 [0225.089] ReadFile (in: hFile=0x42c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12b05d1c*=0x1a8c0, lpOverlapped=0x0) returned 1 [0225.098] GetFileType (hFile=0x42c) returned 0x1 [0225.098] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.100] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x1a8c0, lpNumberOfBytesWritten=0x12b05d00, lpOverlapped=0x12b05d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12b05d00*=0x1a8c0, lpOverlapped=0x12b05d0c) returned 1 [0225.101] GetFileType (hFile=0x42c) returned 0x1 [0225.101] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1a8c0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0225.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0225.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0225.102] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a2a0 | out: pbBuffer=0x12a9a2a0) returned 1 [0225.102] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\loggingplatform.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0225.102] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0225.102] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b05d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12b05d0c*=0x276, lpOverlapped=0x0) returned 1 [0225.103] CloseHandle (hObject=0x44c) returned 1 [0225.148] CloseHandle (hObject=0x42c) returned 1 [0225.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a348 | out: pbBuffer=0x12a9a348) returned 1 [0225.160] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\loggingplatform.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[046AABFDDCE6D178]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[046aabfddce6d178]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0225.535] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotlogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0225.536] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0225.536] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotlogo.png"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55880b0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55880b0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55b558b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x124b)) returned 1 [0225.536] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844280 | out: pbBuffer=0x12844280) returned 1 [0225.536] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848068 | out: pbBuffer=0x12848068) returned 1 [0225.536] ReadFile (in: hFile=0x42c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12be9d1c*=0x124b, lpOverlapped=0x0) returned 1 [0225.540] GetFileType (hFile=0x42c) returned 0x1 [0225.540] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.540] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x124b, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12be9d00*=0x124b, lpOverlapped=0x12be9d0c) returned 1 [0225.541] GetFileType (hFile=0x42c) returned 0x1 [0225.541] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x124b, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0225.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0225.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0225.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0225.542] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotlogo.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0225.542] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0225.542] WriteFile (in: hFile=0x450, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0225.542] CloseHandle (hObject=0x450) returned 1 [0225.542] CloseHandle (hObject=0x42c) returned 1 [0225.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848408 | out: pbBuffer=0x12848408) returned 1 [0225.542] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotlogo.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[C5FA3E289A27D42B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[c5fa3e289a27d42b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0225.562] SetEvent (hEvent=0x40c) returned 1 [0225.562] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmwrapper.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0225.563] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0225.563] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmwrapper.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57ef2857, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0)) returned 1 [0225.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f4e0 | out: pbBuffer=0x1280f4e0) returned 1 [0225.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9e30 | out: pbBuffer=0x128e9e30) returned 1 [0225.564] ReadFile (in: hFile=0x42c, lpBuffer=0x12cc6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc6000*, lpNumberOfBytesRead=0x12be9d1c*=0x9ac0, lpOverlapped=0x0) returned 1 [0225.719] GetFileType (hFile=0x42c) returned 0x1 [0225.719] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.719] WriteFile (in: hFile=0x42c, lpBuffer=0x12cfc000*, nNumberOfBytesToWrite=0x9ac0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12cfc000*, lpNumberOfBytesWritten=0x12be9d00*=0x9ac0, lpOverlapped=0x12be9d0c) returned 1 [0225.719] GetFileType (hFile=0x42c) returned 0x1 [0225.719] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x9ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0225.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0225.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0225.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9f38 | out: pbBuffer=0x128e9f38) returned 1 [0225.721] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmwrapper.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0225.721] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0225.721] WriteFile (in: hFile=0x44c, lpBuffer=0x12c18000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c18000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0225.721] CloseHandle (hObject=0x44c) returned 1 [0225.721] CloseHandle (hObject=0x42c) returned 1 [0225.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9f50 | out: pbBuffer=0x128e9f50) returned 1 [0225.722] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmwrapper.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[3397D72DA71D8274]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[3397d72da71d8274]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0225.724] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\telemetry.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x641685fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x641685fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x494c0)) returned 1 [0225.754] SetEvent (hEvent=0x40c) returned 1 [0225.754] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\videostreamingplugin.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x650751e8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x650751e8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6596648d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x632c0)) returned 1 [0225.794] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0225.830] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0225.833] SetEvent (hEvent=0x3cc) returned 1 [0225.833] SetEvent (hEvent=0x454) returned 1 [0225.833] SwitchToThread () returned 1 [0225.838] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0226.295] SwitchToThread () returned 1 [0226.493] SetEvent (hEvent=0x454) returned 1 [0226.786] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wnsclientapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68b901fc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d6c0)) returned 1 [0226.952] SetEvent (hEvent=0x1b8) returned 1 [0226.952] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6915b22f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x693e3c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x693e3c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0227.055] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0227.056] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6915b22f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6915b22f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x693e3c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0227.184] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6915b22f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6915b22f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x693e3c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0227.185] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x693e3c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x693e3c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6969295c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0227.185] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0227.185] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0227.770] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0227.771] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0227.771] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0227.774] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0227.886] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0227.889] CloseHandle (hObject=0x44c) returned 1 [0227.902] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x693e3c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x693e3c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6969295c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0228.051] SetEvent (hEvent=0x40c) returned 1 [0228.052] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69941380, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a02b589, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a02b589, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0228.174] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0228.174] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69941380, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69941380, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a02b589, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0228.198] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69941380, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69941380, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a02b589, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.199] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a02b589, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a02b589, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6abcad0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0228.199] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0228.199] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0228.536] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.537] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.537] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0228.538] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0228.539] WriteFile (in: hFile=0x450, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0228.540] CloseHandle (hObject=0x450) returned 1 [0228.541] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a02b589, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a02b589, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6abcad0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x114c0)) returned 1 [0228.737] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6abcad0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6ae5336a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6ae5336a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0228.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0228.837] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6abcad0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6ae5336a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0228.837] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6abcad0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6ae5336a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.837] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ae5336a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6ae5336a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncApi64.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0228.837] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0228.838] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0228.838] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.838] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.838] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0228.839] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0228.839] WriteFile (in: hFile=0x458, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0228.840] CloseHandle (hObject=0x458) returned 1 [0228.841] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\filesyncapi64.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ae5336a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6ae5336a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000)) returned 1 [0228.841] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0228.841] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0228.841] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a02b589, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a02b589, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6abcad0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x114c0)) returned 1 [0228.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ef40 | out: pbBuffer=0x1280ef40) returned 1 [0228.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811180 | out: pbBuffer=0x12811180) returned 1 [0228.843] ReadFile (in: hFile=0x458, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12be7d1c*=0x114c0, lpOverlapped=0x0) returned 1 [0228.886] GetFileType (hFile=0x458) returned 0x1 [0228.887] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0228.887] WriteFile (in: hFile=0x458, lpBuffer=0x12bc8000*, nNumberOfBytesToWrite=0x114c0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12bc8000*, lpNumberOfBytesWritten=0x12be7d00*=0x114c0, lpOverlapped=0x12be7d0c) returned 1 [0228.887] GetFileType (hFile=0x458) returned 0x1 [0228.887] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x114c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0228.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0228.888] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0228.888] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0228.888] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811238 | out: pbBuffer=0x12811238) returned 1 [0228.888] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0228.888] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0228.889] WriteFile (in: hFile=0x450, lpBuffer=0x129fc000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fc000*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0228.889] CloseHandle (hObject=0x450) returned 1 [0228.889] CloseHandle (hObject=0x458) returned 1 [0228.889] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811250 | out: pbBuffer=0x12811250) returned 1 [0228.889] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\#_THIS_FILE_IS_ENCRYPTED_[21C2EBD87BEBBDF8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\#_this_file_is_encrypted_[21c2ebd87bebbdf8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0228.890] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0228.891] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0228.891] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e9ef895, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4e9ef895, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4edf5bbb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0228.891] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f140 | out: pbBuffer=0x1280f140) returned 1 [0228.891] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811298 | out: pbBuffer=0x12811298) returned 1 [0228.893] ReadFile (in: hFile=0x458, lpBuffer=0x12a00000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a00000*, lpNumberOfBytesRead=0x12be7d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0229.040] GetFileType (hFile=0x458) returned 0x1 [0229.040] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.040] WriteFile (in: hFile=0x458, lpBuffer=0x12d10000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12d10000*, lpNumberOfBytesWritten=0x12be7d00*=0x160c0, lpOverlapped=0x12be7d0c) returned 1 [0229.041] GetFileType (hFile=0x458) returned 0x1 [0229.041] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0229.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0229.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0229.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811350 | out: pbBuffer=0x12811350) returned 1 [0229.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0229.042] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0229.042] WriteFile (in: hFile=0x45c, lpBuffer=0x129fc500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fc500*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.042] CloseHandle (hObject=0x45c) returned 1 [0229.042] CloseHandle (hObject=0x458) returned 1 [0229.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811368 | out: pbBuffer=0x12811368) returned 1 [0229.042] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\#_THIS_FILE_IS_ENCRYPTED_[2772B54D0AA560CE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\#_this_file_is_encrypted_[2772b54d0aa560ce]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.044] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.044] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0229.044] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4faa013a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4faa013a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50286173, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0229.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f360 | out: pbBuffer=0x1280f360) returned 1 [0229.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128113b0 | out: pbBuffer=0x128113b0) returned 1 [0229.045] ReadFile (in: hFile=0x458, lpBuffer=0x12cac000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cac000*, lpNumberOfBytesRead=0x12be7d1c*=0x164c0, lpOverlapped=0x0) returned 1 [0229.194] GetFileType (hFile=0x458) returned 0x1 [0229.194] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.194] WriteFile (in: hFile=0x458, lpBuffer=0x12d3c000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12d3c000*, lpNumberOfBytesWritten=0x12be7d00*=0x164c0, lpOverlapped=0x12be7d0c) returned 1 [0229.195] GetFileType (hFile=0x458) returned 0x1 [0229.195] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b281 | out: pbBuffer=0x1286b281) returned 1 [0229.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b381 | out: pbBuffer=0x1286b381) returned 1 [0229.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b481 | out: pbBuffer=0x1286b481) returned 1 [0229.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811570 | out: pbBuffer=0x12811570) returned 1 [0229.196] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.196] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0229.196] WriteFile (in: hFile=0x438, lpBuffer=0x129fcf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fcf00*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.196] CloseHandle (hObject=0x438) returned 1 [0229.196] CloseHandle (hObject=0x458) returned 1 [0229.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811588 | out: pbBuffer=0x12811588) returned 1 [0229.197] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\#_THIS_FILE_IS_ENCRYPTED_[908BA9F6049CDBFA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\#_this_file_is_encrypted_[908ba9f6049cdbfa]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.198] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0229.351] SetEvent (hEvent=0x19c) returned 1 [0229.351] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.352] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0229.352] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5042992c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5042992c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x504e8433, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0229.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0229.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0229.353] ReadFile (in: hFile=0x438, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12b05d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0229.418] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x0 [0229.422] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0229.422] SetEvent (hEvent=0x110) returned 1 [0229.422] SetEvent (hEvent=0x1d0) returned 1 [0229.422] SetEvent (hEvent=0xfc) returned 1 [0229.422] SetEvent (hEvent=0x40c) returned 1 [0229.423] GetFileType (hFile=0x438) returned 0x1 [0229.423] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.423] WriteFile (in: hFile=0x438, lpBuffer=0x12a20000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12b05d00, lpOverlapped=0x12b05d0c | out: lpBuffer=0x12a20000*, lpNumberOfBytesWritten=0x12b05d00*=0x160c0, lpOverlapped=0x12b05d0c) returned 1 [0229.423] GetFileType (hFile=0x438) returned 0x1 [0229.423] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.424] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0229.425] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0229.425] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0229.425] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0229.425] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.426] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0229.426] WriteFile (in: hFile=0x458, lpBuffer=0x1294e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b05d0c, lpOverlapped=0x0 | out: lpBuffer=0x1294e000*, lpNumberOfBytesWritten=0x12b05d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.426] CloseHandle (hObject=0x458) returned 1 [0229.426] CloseHandle (hObject=0x438) returned 1 [0229.426] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0229.426] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\#_THIS_FILE_IS_ENCRYPTED_[5F279F3B247CBAAD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\#_this_file_is_encrypted_[5f279f3b247cbaad]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.430] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0229.486] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0229.486] SetEvent (hEvent=0x40c) returned 1 [0229.486] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0229.591] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0229.591] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0229.591] SetEvent (hEvent=0x40c) returned 1 [0229.591] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0229.623] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0229.623] GetProcAddress (hModule=0x75310000, lpProcName="closesocket") returned 0x7531ead0 [0229.624] closesocket (s=0x3e4) returned 0 [0229.683] GetFileType (hFile=0x42c) returned 0x1 [0229.683] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.683] WriteFile (in: hFile=0x42c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12829d00*=0x156c0, lpOverlapped=0x12829d0c) returned 1 [0229.684] GetFileType (hFile=0x42c) returned 0x1 [0229.684] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0229.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0229.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0229.685] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0229.685] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.685] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0229.685] WriteFile (in: hFile=0x458, lpBuffer=0x129fc000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fc000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.685] CloseHandle (hObject=0x458) returned 1 [0229.685] CloseHandle (hObject=0x42c) returned 1 [0229.686] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0229.686] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\#_THIS_FILE_IS_ENCRYPTED_[BCD62EAD7DFB2C51]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\#_this_file_is_encrypted_[bcd62ead7dfb2c51]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.687] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0229.687] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0229.687] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52079625, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52079625, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x526e1a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0229.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128444e0 | out: pbBuffer=0x128444e0) returned 1 [0229.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0229.688] ReadFile (in: hFile=0x42c, lpBuffer=0x129fe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129fe000*, lpNumberOfBytesRead=0x12829d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0229.709] GetFileType (hFile=0x42c) returned 0x1 [0229.709] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.710] WriteFile (in: hFile=0x42c, lpBuffer=0x12cc4000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12cc4000*, lpNumberOfBytesWritten=0x12829d00*=0x160c0, lpOverlapped=0x12829d0c) returned 1 [0229.710] GetFileType (hFile=0x42c) returned 0x1 [0229.710] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.710] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0229.710] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0229.710] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0229.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8428 | out: pbBuffer=0x128e8428) returned 1 [0229.711] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0229.711] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0229.711] WriteFile (in: hFile=0x44c, lpBuffer=0x129fc500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fc500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.711] CloseHandle (hObject=0x44c) returned 1 [0229.711] CloseHandle (hObject=0x42c) returned 1 [0229.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8440 | out: pbBuffer=0x128e8440) returned 1 [0229.711] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\#_THIS_FILE_IS_ENCRYPTED_[AB433E9D1F7003C3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\#_this_file_is_encrypted_[ab433e9d1f7003c3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.816] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0229.822] SetEvent (hEvent=0x40c) returned 1 [0229.822] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0229.823] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0229.823] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52eedb83, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52eedb83, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x53935b56, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0229.823] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844ac0 | out: pbBuffer=0x12844ac0) returned 1 [0229.823] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8498 | out: pbBuffer=0x128e8498) returned 1 [0229.823] ReadFile (in: hFile=0x42c, lpBuffer=0x12cdc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cdc000*, lpNumberOfBytesRead=0x12be9d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0229.836] GetFileType (hFile=0x42c) returned 0x1 [0229.836] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.836] WriteFile (in: hFile=0x42c, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12be9d00*=0x15ec0, lpOverlapped=0x12be9d0c) returned 1 [0229.836] GetFileType (hFile=0x42c) returned 0x1 [0229.836] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0229.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0229.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0229.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8550 | out: pbBuffer=0x128e8550) returned 1 [0229.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0229.837] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0229.837] WriteFile (in: hFile=0x3e4, lpBuffer=0x129fca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fca00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.838] CloseHandle (hObject=0x3e4) returned 1 [0229.838] CloseHandle (hObject=0x42c) returned 1 [0229.838] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8568 | out: pbBuffer=0x128e8568) returned 1 [0229.838] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\#_THIS_FILE_IS_ENCRYPTED_[1CB09231E45BFDED]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\#_this_file_is_encrypted_[1cb09231e45bfded]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.009] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0230.057] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0230.108] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcp120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0230.108] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0230.108] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcp120.dll"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51336474, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51336474, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x514da01f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0)) returned 1 [0230.108] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0230.108] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0230.109] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0230.190] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0230.190] SetEvent (hEvent=0x454) returned 1 [0230.191] GetFileType (hFile=0x44c) returned 0x1 [0230.191] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.191] WriteFile (in: hFile=0x44c, lpBuffer=0x1297a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x1297a000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0230.192] GetFileType (hFile=0x44c) returned 0x1 [0230.192] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.194] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0230.194] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0230.194] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0230.194] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0230.194] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcp120.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0230.195] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0230.195] WriteFile (in: hFile=0x458, lpBuffer=0x12b3a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b3a000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.280] CloseHandle (hObject=0x458) returned 1 [0230.301] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0230.308] SetEvent (hEvent=0x454) returned 1 [0230.308] CloseHandle (hObject=0x44c) returned 1 [0230.317] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0230.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8000 | out: pbBuffer=0x128e8000) returned 1 [0230.340] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcp120.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[38F96E40964AC714]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[38f96e40964ac714]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.746] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0230.777] SetEvent (hEvent=0x3cc) returned 1 [0230.777] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.777] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0230.777] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ea3c6d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ea3c6d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ebe02eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0230.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0230.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a5b0 | out: pbBuffer=0x12a9a5b0) returned 1 [0230.778] ReadFile (in: hFile=0x42c, lpBuffer=0x12b86000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b86000*, lpNumberOfBytesRead=0x12be9d1c*=0x14cc0, lpOverlapped=0x0) returned 1 [0230.796] GetFileType (hFile=0x42c) returned 0x1 [0230.797] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.797] WriteFile (in: hFile=0x42c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x14cc0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12be9d00*=0x14cc0, lpOverlapped=0x12be9d0c) returned 1 [0230.797] GetFileType (hFile=0x42c) returned 0x1 [0230.797] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x14cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0230.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0230.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0230.798] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a7b8 | out: pbBuffer=0x12a9a7b8) returned 1 [0230.798] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.799] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0230.799] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.799] CloseHandle (hObject=0x438) returned 1 [0230.799] CloseHandle (hObject=0x42c) returned 1 [0230.799] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a7d0 | out: pbBuffer=0x12a9a7d0) returned 1 [0230.799] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\#_THIS_FILE_IS_ENCRYPTED_[62771C2FA266E9A9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\#_this_file_is_encrypted_[62771c2fa266e9a9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.881] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0230.919] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0230.956] SetEvent (hEvent=0x40c) returned 1 [0230.957] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.958] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0230.958] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x620c61fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x620c61fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6247ff69, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0230.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0230.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848430 | out: pbBuffer=0x12848430) returned 1 [0230.959] ReadFile (in: hFile=0x438, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12be5d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0231.003] SetEvent (hEvent=0x110) returned 1 [0231.004] GetFileType (hFile=0x438) returned 0x1 [0231.004] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.004] WriteFile (in: hFile=0x438, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x12be5d00*=0x160c0, lpOverlapped=0x12be5d0c) returned 1 [0231.005] GetFileType (hFile=0x438) returned 0x1 [0231.005] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.005] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0231.005] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0231.006] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0231.019] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0231.019] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.020] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.020] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.020] CloseHandle (hObject=0x458) returned 1 [0231.020] CloseHandle (hObject=0x438) returned 1 [0231.021] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810118 | out: pbBuffer=0x12810118) returned 1 [0231.021] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\#_THIS_FILE_IS_ENCRYPTED_[A78E8D4202517C99]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\#_this_file_is_encrypted_[a78e8d4202517c99]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.022] SetEvent (hEvent=0x1b8) returned 1 [0231.023] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.023] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6523efba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6523efba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0)) returned 1 [0231.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0231.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0231.024] ReadFile (in: hFile=0x438, lpBuffer=0x12a28000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a28000*, lpNumberOfBytesRead=0x12be5d1c*=0x16ec0, lpOverlapped=0x0) returned 1 [0231.148] GetFileType (hFile=0x438) returned 0x1 [0231.148] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.148] WriteFile (in: hFile=0x438, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x16ec0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12be5d00*=0x16ec0, lpOverlapped=0x12be5d0c) returned 1 [0231.148] GetFileType (hFile=0x438) returned 0x1 [0231.149] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x16ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0231.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0231.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0231.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0231.149] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.150] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.150] WriteFile (in: hFile=0x458, lpBuffer=0x12b00000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b00000*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.150] CloseHandle (hObject=0x458) returned 1 [0231.150] CloseHandle (hObject=0x438) returned 1 [0231.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0231.150] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\#_THIS_FILE_IS_ENCRYPTED_[61FD9BE54A0325CD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\#_this_file_is_encrypted_[61fd9be54a0325cd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.185] SetEvent (hEvent=0x454) returned 1 [0231.185] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.185] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.185] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f401b4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66f401b4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6758246d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0231.185] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844560 | out: pbBuffer=0x12844560) returned 1 [0231.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0231.186] ReadFile (in: hFile=0x438, lpBuffer=0x12b86000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b86000*, lpNumberOfBytesRead=0x12be5d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0231.246] GetFileType (hFile=0x438) returned 0x1 [0231.246] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.246] WriteFile (in: hFile=0x438, lpBuffer=0x12b60000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12b60000*, lpNumberOfBytesWritten=0x12be5d00*=0x15ac0, lpOverlapped=0x12be5d0c) returned 1 [0231.246] GetFileType (hFile=0x438) returned 0x1 [0231.246] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0231.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0231.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0231.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9abf0 | out: pbBuffer=0x12a9abf0) returned 1 [0231.247] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0231.247] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0231.247] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b00a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b00a00*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.248] CloseHandle (hObject=0x3e4) returned 1 [0231.248] CloseHandle (hObject=0x438) returned 1 [0231.248] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ac08 | out: pbBuffer=0x12a9ac08) returned 1 [0231.248] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\#_THIS_FILE_IS_ENCRYPTED_[3DF4DC658ED9B789]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\#_this_file_is_encrypted_[3df4dc658ed9b789]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.250] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.250] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6820824a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6820824a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x684b56cd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0)) returned 1 [0231.250] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844fa0 | out: pbBuffer=0x12844fa0) returned 1 [0231.250] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ac50 | out: pbBuffer=0x12a9ac50) returned 1 [0231.250] ReadFile (in: hFile=0x438, lpBuffer=0x12ba6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba6000*, lpNumberOfBytesRead=0x12be9d1c*=0x17ec0, lpOverlapped=0x0) returned 1 [0231.303] GetFileType (hFile=0x438) returned 0x1 [0231.303] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.303] WriteFile (in: hFile=0x438, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x17ec0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be9d00*=0x17ec0, lpOverlapped=0x12be9d0c) returned 1 [0231.304] GetFileType (hFile=0x438) returned 0x1 [0231.304] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x17ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0231.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0231.305] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0231.305] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0231.305] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.305] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.305] WriteFile (in: hFile=0x458, lpBuffer=0x12afa000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12afa000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.306] CloseHandle (hObject=0x458) returned 1 [0231.306] CloseHandle (hObject=0x438) returned 1 [0231.306] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0231.306] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\#_THIS_FILE_IS_ENCRYPTED_[8AB933326EAA9042]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\#_this_file_is_encrypted_[8ab933326eaa9042]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.349] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0231.355] SetEvent (hEvent=0xfc) returned 1 [0231.355] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.355] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.355] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b2cbc78, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6b2cbc78, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0231.355] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e740 | out: pbBuffer=0x1280e740) returned 1 [0231.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848580 | out: pbBuffer=0x12848580) returned 1 [0231.356] ReadFile (in: hFile=0x42c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x156c0, lpOverlapped=0x0) returned 1 [0231.390] GetFileType (hFile=0x42c) returned 0x1 [0231.390] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.390] WriteFile (in: hFile=0x42c, lpBuffer=0x12b7e000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b7e000*, lpNumberOfBytesWritten=0x1282fd00*=0x156c0, lpOverlapped=0x1282fd0c) returned 1 [0231.390] GetFileType (hFile=0x42c) returned 0x1 [0231.390] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0231.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0231.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0231.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0231.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810c68 | out: pbBuffer=0x12810c68) returned 1 [0231.391] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.391] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0231.391] WriteFile (in: hFile=0x458, lpBuffer=0x12a4cf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a4cf00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0231.392] CloseHandle (hObject=0x458) returned 1 [0231.392] CloseHandle (hObject=0x42c) returned 1 [0231.392] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c80 | out: pbBuffer=0x12810c80) returned 1 [0231.392] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\#_THIS_FILE_IS_ENCRYPTED_[4A4FB54C52F63793]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\#_this_file_is_encrypted_[4a4fb54c52f63793]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.520] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0231.788] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0231.913] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0231.978] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0232.093] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0233.139] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0233.801] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a83ce4 | out: lpNewFilePointer=0x0) returned 1 [0233.801] WriteFile (in: hFile=0x458, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a83d00, lpOverlapped=0x12a83d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12a83d00*=0x20000, lpOverlapped=0x12a83d0c) returned 1 [0233.803] GetFileType (hFile=0x458) returned 0x1 [0233.803] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a83ce4 | out: lpNewFilePointer=0x0) returned 1 [0233.880] SetEvent (hEvent=0x40c) returned 1 [0233.926] SetEvent (hEvent=0x40c) returned 1 [0233.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0234.062] SetEvent (hEvent=0x40c) returned 1 [0234.062] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0234.094] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncconfig.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0234.096] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0234.096] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncconfig.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef2d450f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef2d450f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xefae0564, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x238c0)) returned 1 [0234.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88800 | out: pbBuffer=0x12b88800) returned 1 [0234.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34238 | out: pbBuffer=0x12c34238) returned 1 [0234.097] ReadFile (in: hFile=0x44c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0234.208] GetFileType (hFile=0x44c) returned 0x1 [0234.208] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0234.208] WriteFile (in: hFile=0x44c, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0234.210] GetFileType (hFile=0x44c) returned 0x1 [0234.210] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0234.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834181 | out: pbBuffer=0x12834181) returned 1 [0234.257] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0234.257] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0234.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a3b0 | out: pbBuffer=0x12a9a3b0) returned 1 [0234.599] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.resources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0234.600] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0234.600] WriteFile (in: hFile=0x458, lpBuffer=0x12b02000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02000*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0234.760] CloseHandle (hObject=0x458) returned 1 [0234.760] CloseHandle (hObject=0x3e4) returned 1 [0234.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a3c8 | out: pbBuffer=0x12a9a3c8) returned 1 [0234.859] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.resources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[E15CFED15B56E6CC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[e15cfed15b56e6cc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0234.860] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncapi.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[5A92CA7BD0D042F8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[5a92ca7bd0d042f8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0234.862] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncshell.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5a72c24, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5a72c24, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfd98e121, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0)) returned 1 [0234.862] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\loggingplatform.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a385d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1a385d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2245d34, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0)) returned 1 [0234.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\OneDriveSetup.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\onedrivesetup.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849bc788, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x849bc788, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3150e345, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x7718c0)) returned 1 [0235.217] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0235.386] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6facc, ulCount=0x10, ulNumEntriesRemoved=0x33a6fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6facc, ulNumEntriesRemoved=0x33a6fab0) returned 0 [0235.386] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6facc, ulCount=0x10, ulNumEntriesRemoved=0x33a6fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x33a6facc, ulNumEntriesRemoved=0x33a6fab0) returned 1 [0247.601] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x33a6faac, fWait=0, lpdwFlags=0x33a6fabc | out: lpcbTransfer=0x33a6faac, lpdwFlags=0x33a6fabc) returned 1 [0249.014] SetEvent (hEvent=0x40c) returned 1 [0249.591] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0249.835] SetEvent (hEvent=0xf4) returned 1 [0249.835] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0252.564] SetEvent (hEvent=0xf4) returned 1 [0252.564] SetEvent (hEvent=0x1d0) returned 1 [0252.564] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0252.980] SetEvent (hEvent=0xf4) returned 1 [0252.981] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0252.995] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0252.995] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0252.995] SetEvent (hEvent=0xf4) returned 1 [0252.995] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0253.036] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0253.037] GetFileType (hFile=0x42c) returned 0x1 [0253.037] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.037] WriteFile (in: hFile=0x42c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0xd000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12851d00*=0xd000, lpOverlapped=0x12851d0c) returned 1 [0253.038] GetFileType (hFile=0x42c) returned 0x1 [0253.038] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xd000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.038] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0253.038] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0253.039] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0253.039] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0253.039] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.039] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0253.039] WriteFile (in: hFile=0x3e4, lpBuffer=0x128f6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x128f6000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.040] CloseHandle (hObject=0x3e4) returned 1 [0253.040] CloseHandle (hObject=0x42c) returned 1 [0253.040] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0253.040] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[39188993C308CF81]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[39188993c308cf81]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.042] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0253.187] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0253.319] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0253.344] SetEvent (hEvent=0x1d0) returned 1 [0253.345] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.345] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d63d0c | out: lpMode=0x12d63d0c) returned 0 [0253.345] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12d63ad0 | out: lpFileInformation=0x12d63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0253.345] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929460 | out: pbBuffer=0x12929460) returned 1 [0253.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b068 | out: pbBuffer=0x12a9b068) returned 1 [0253.346] ReadFile (in: hFile=0x42c, lpBuffer=0x12d64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d64000*, lpNumberOfBytesRead=0x12d63d1c*=0x2000, lpOverlapped=0x0) returned 1 [0253.350] GetFileType (hFile=0x42c) returned 0x1 [0253.350] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d63ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.350] WriteFile (in: hFile=0x42c, lpBuffer=0x12d84000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12d63d00, lpOverlapped=0x12d63d0c | out: lpBuffer=0x12d84000*, lpNumberOfBytesWritten=0x12d63d00*=0x2000, lpOverlapped=0x12d63d0c) returned 1 [0253.351] GetFileType (hFile=0x42c) returned 0x1 [0253.351] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12d63ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0253.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af81 | out: pbBuffer=0x1286af81) returned 1 [0253.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b101 | out: pbBuffer=0x1286b101) returned 1 [0253.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b120 | out: pbBuffer=0x12a9b120) returned 1 [0253.352] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.352] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12d63d0c | out: lpMode=0x12d63d0c) returned 0 [0253.352] WriteFile (in: hFile=0x458, lpBuffer=0x12aee500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee500*, lpNumberOfBytesWritten=0x12d63d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.352] CloseHandle (hObject=0x458) returned 1 [0253.358] CloseHandle (hObject=0x42c) returned 1 [0253.358] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b138 | out: pbBuffer=0x12a9b138) returned 1 [0253.359] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[3A33E46D94683CBC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[3a33e46d94683cbc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.402] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0253.593] SetEvent (hEvent=0x3f8) returned 1 [0253.593] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.594] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12d61d0c | out: lpMode=0x12d61d0c) returned 0 [0253.594] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12d61ad0 | out: lpFileInformation=0x12d61ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2ecb8a69, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0253.594] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e280 | out: pbBuffer=0x1280e280) returned 1 [0253.594] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848038 | out: pbBuffer=0x12848038) returned 1 [0253.594] ReadFile (in: hFile=0x3e4, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d61d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12d61d1c*=0x6000, lpOverlapped=0x0) returned 1 [0253.638] GetFileType (hFile=0x3e4) returned 0x1 [0253.638] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d61ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.638] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x12d61d00, lpOverlapped=0x12d61d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12d61d00*=0x6000, lpOverlapped=0x12d61d0c) returned 1 [0253.638] GetFileType (hFile=0x3e4) returned 0x1 [0253.638] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x6000, lpNewFilePointer=0x0, dwMoveMethod=0x12d61ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0253.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0253.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0253.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483c0 | out: pbBuffer=0x128483c0) returned 1 [0253.639] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.640] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12d61d0c | out: lpMode=0x12d61d0c) returned 0 [0253.640] WriteFile (in: hFile=0x44c, lpBuffer=0x12aee000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee000*, lpNumberOfBytesWritten=0x12d61d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.640] CloseHandle (hObject=0x44c) returned 1 [0253.640] CloseHandle (hObject=0x3e4) returned 1 [0253.640] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483d8 | out: pbBuffer=0x128483d8) returned 1 [0253.641] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[546D47080C25C722]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[546d47080c25c722]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.642] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0253.802] SetEvent (hEvent=0x3f8) returned 1 [0253.802] SetEvent (hEvent=0x1d0) returned 1 [0253.803] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0253.855] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.856] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128b1d0c | out: lpMode=0x128b1d0c) returned 0 [0253.856] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128b1ad0 | out: lpFileInformation=0x128b1ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2a1752a1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a1752a1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a1752a1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0253.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0253.857] ReadFile (in: hFile=0x44c, lpBuffer=0x12cb4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128b1d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cb4000*, lpNumberOfBytesRead=0x128b1d1c*=0x0, lpOverlapped=0x0) returned 1 [0253.857] CloseHandle (hObject=0x44c) returned 1 [0253.857] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.857] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.857] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.858] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.858] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.858] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.858] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.858] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.858] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.860] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.861] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.862] CloseHandle (hObject=0x44c) returned 1 [0253.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f25f67, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f25f67, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f25f67, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.863] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.863] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f25f67, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f25f67, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f25f67, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0253.864] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f25f67, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f25f67, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f25f67, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.864] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.864] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0253.864] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.864] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.864] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.865] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.865] WriteFile (in: hFile=0x44c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.867] CloseHandle (hObject=0x44c) returned 1 [0253.867] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.885] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.885] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0253.889] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.889] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.891] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.892] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.892] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.908] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0253.908] WriteFile (in: hFile=0x44c, lpBuffer=0x12db0000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12db0000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0253.910] CloseHandle (hObject=0x44c) returned 1 [0253.910] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.911] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.911] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0253.943] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.943] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0253.943] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0253.943] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0253.943] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0253.943] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.943] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0253.990] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.992] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.992] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.994] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.994] WriteFile (in: hFile=0x44c, lpBuffer=0x12db4c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12db4c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.996] CloseHandle (hObject=0x44c) returned 1 [0253.996] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.997] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.998] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.998] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.998] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.998] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.998] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.999] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.999] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.000] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.000] WriteFile (in: hFile=0x44c, lpBuffer=0x12a6a000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a6a000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.002] CloseHandle (hObject=0x44c) returned 1 [0254.002] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.002] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.003] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.003] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.003] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.003] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.003] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.003] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.005] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.005] WriteFile (in: hFile=0x44c, lpBuffer=0x12a6b300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a6b300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.007] CloseHandle (hObject=0x44c) returned 1 [0254.007] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.007] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.007] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.007] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.007] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.008] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.008] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.008] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.008] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.009] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.009] WriteFile (in: hFile=0x44c, lpBuffer=0x12a6c600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a6c600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.011] CloseHandle (hObject=0x44c) returned 1 [0254.011] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.016] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.016] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0254.016] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.017] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.017] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0254.017] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.017] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.017] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.018] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.018] WriteFile (in: hFile=0x458, lpBuffer=0x12a6d900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a6d900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.019] CloseHandle (hObject=0x458) returned 1 [0254.019] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.020] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.020] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.020] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.020] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.020] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.021] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.021] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.021] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.022] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.022] WriteFile (in: hFile=0x458, lpBuffer=0x12a6ec00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a6ec00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.024] CloseHandle (hObject=0x458) returned 1 [0254.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.024] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.024] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0254.025] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.025] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.025] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0254.025] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.025] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.025] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.026] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.026] WriteFile (in: hFile=0x458, lpBuffer=0x12ae8000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12ae8000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.028] CloseHandle (hObject=0x458) returned 1 [0254.028] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.029] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.029] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0254.029] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.029] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.029] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0254.029] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.029] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.030] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.031] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.031] WriteFile (in: hFile=0x458, lpBuffer=0x12ae9300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12ae9300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.036] CloseHandle (hObject=0x458) returned 1 [0254.036] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.043] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0254.043] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.043] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0254.043] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.043] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0254.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.044] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.044] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.045] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.045] WriteFile (in: hFile=0x42c, lpBuffer=0x12aea600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12aea600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.047] CloseHandle (hObject=0x42c) returned 1 [0254.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.047] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.047] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.054] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.054] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1edad144, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1edad144, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0254.054] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1ec55a68, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0254.054] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1ec55a68, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0254.054] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.054] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.056] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.057] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.057] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.058] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.058] WriteFile (in: hFile=0x42c, lpBuffer=0x12aeb900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12aeb900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.060] CloseHandle (hObject=0x42c) returned 1 [0254.060] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1edad144, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1edad144, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0254.061] SetEvent (hEvent=0x3f8) returned 1 [0254.075] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1ec55a68, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0254.076] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1ec55a68, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.077] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.077] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.077] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.077] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.077] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.077] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.078] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.078] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.078] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.079] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.079] WriteFile (in: hFile=0x42c, lpBuffer=0x12aecc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12aecc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.081] CloseHandle (hObject=0x42c) returned 1 [0254.081] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.081] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.081] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.081] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.081] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0254.081] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0254.128] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.128] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.129] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.131] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.131] WriteFile (in: hFile=0x42c, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.133] CloseHandle (hObject=0x42c) returned 1 [0254.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.134] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.135] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.135] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.135] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.135] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.135] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.136] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.136] WriteFile (in: hFile=0x42c, lpBuffer=0x12c65300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c65300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.138] CloseHandle (hObject=0x42c) returned 1 [0254.138] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.140] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0254.140] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.140] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.140] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0254.140] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.141] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.143] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.143] WriteFile (in: hFile=0x42c, lpBuffer=0x12c66600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c66600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.144] CloseHandle (hObject=0x42c) returned 1 [0254.145] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0d99c3, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.145] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0254.156] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0254.253] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0254.520] SetEvent (hEvent=0x19c) returned 1 [0254.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.521] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128b1d0c | out: lpMode=0x128b1d0c) returned 0 [0254.521] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128b1ad0 | out: lpFileInformation=0x128b1ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0254.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0254.522] ReadFile (in: hFile=0x42c, lpBuffer=0x12d8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128b1d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d8a000*, lpNumberOfBytesRead=0x128b1d1c*=0x0, lpOverlapped=0x0) returned 1 [0254.522] CloseHandle (hObject=0x42c) returned 1 [0254.522] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.523] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128b1d0c | out: lpMode=0x128b1d0c) returned 0 [0254.523] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128b1ad0 | out: lpFileInformation=0x128b1ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9115737d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9115737d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9115737d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0254.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810048 | out: pbBuffer=0x12810048) returned 1 [0254.524] ReadFile (in: hFile=0x42c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128b1d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x128b1d1c*=0x0, lpOverlapped=0x0) returned 1 [0254.524] CloseHandle (hObject=0x42c) returned 1 [0254.525] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e80efb1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e80efb1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e80efb1, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.525] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.525] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e80efb1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e80efb1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e80efb1, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0254.525] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e80efb1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e80efb1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e80efb1, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.525] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.526] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0254.526] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.527] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.527] WriteFile (in: hFile=0x42c, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.529] CloseHandle (hObject=0x42c) returned 1 [0254.529] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.530] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.530] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.530] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.530] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.530] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.530] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.531] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.531] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.532] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.532] WriteFile (in: hFile=0x42c, lpBuffer=0x12921300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12921300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.534] CloseHandle (hObject=0x42c) returned 1 [0254.534] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0254.534] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.534] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1355923f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1355923f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b3c066a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1331ced9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1325e11e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1325e11e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0254.535] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.535] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.535] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.536] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.536] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.537] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0254.537] WriteFile (in: hFile=0x42c, lpBuffer=0x12922600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12922600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0254.539] CloseHandle (hObject=0x42c) returned 1 [0254.539] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1355923f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.539] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.539] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1355923f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1355923f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.562] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1355923f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1355923f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.562] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0254.562] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0254.562] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0254.562] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0254.562] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.562] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.563] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.565] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.565] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.566] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.566] WriteFile (in: hFile=0x42c, lpBuffer=0x12923900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12923900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.568] CloseHandle (hObject=0x42c) returned 1 [0254.568] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.585] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.586] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.586] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.586] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.586] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.586] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.587] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.587] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.588] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.588] WriteFile (in: hFile=0x44c, lpBuffer=0x12924c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12924c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.589] CloseHandle (hObject=0x44c) returned 1 [0254.589] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.590] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.590] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0254.590] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.590] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.590] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0254.590] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.590] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.590] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.591] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.591] WriteFile (in: hFile=0x44c, lpBuffer=0x12ad4000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12ad4000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.593] CloseHandle (hObject=0x44c) returned 1 [0254.593] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.595] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.595] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.595] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.595] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.595] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.595] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.595] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.595] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.596] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.596] WriteFile (in: hFile=0x44c, lpBuffer=0x12ad5300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12ad5300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.598] CloseHandle (hObject=0x44c) returned 1 [0254.598] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.598] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.599] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0254.599] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.599] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.599] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0254.599] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.599] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.599] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.601] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.601] WriteFile (in: hFile=0x44c, lpBuffer=0x12ad6600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12ad6600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.602] CloseHandle (hObject=0x44c) returned 1 [0254.602] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.603] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.603] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.603] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.603] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.603] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.605] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.605] WriteFile (in: hFile=0x44c, lpBuffer=0x12ad7900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12ad7900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.606] CloseHandle (hObject=0x44c) returned 1 [0254.606] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b3c066a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.606] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.607] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b3c066a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.607] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b3c066a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.608] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0x1d2da7be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d2da7be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x52b902, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CallsBackgroundTaskLog.etl", cAlternateFileName="CALLSB~1.ETL")) returned 1 [0254.608] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b3c066a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xa3a667a9, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CallsBackgroundTaskLog.last.etl", cAlternateFileName="CALLSB~2.ETL")) returned 1 [0254.608] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.608] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.608] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.608] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.615] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.615] WriteFile (in: hFile=0x44c, lpBuffer=0x12ad8c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12ad8c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.617] CloseHandle (hObject=0x44c) returned 1 [0254.617] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\callsbackgroundtasklog.etl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0x1d2da7be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d2da7be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x52b902, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0254.618] SetEvent (hEvent=0x1d0) returned 1 [0254.618] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.last.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\callsbackgroundtasklog.last.etl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b3c066a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xa3a667a9, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0254.618] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.618] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.619] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0254.619] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.619] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.619] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0254.619] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.619] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.619] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.620] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.621] WriteFile (in: hFile=0x44c, lpBuffer=0x12daa000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12daa000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.622] CloseHandle (hObject=0x44c) returned 1 [0254.622] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.622] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.622] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.623] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.623] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158f63a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0254.623] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.623] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.623] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.623] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.623] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.624] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.624] WriteFile (in: hFile=0x44c, lpBuffer=0x12dab300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12dab300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.626] CloseHandle (hObject=0x44c) returned 1 [0254.626] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158f63a2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158f63a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0254.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.627] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158f63a2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158f63a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.627] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158f63a2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158f63a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.627] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xf9bf03f7, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0x1614e61b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0254.627] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0254.627] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0254.627] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.627] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.628] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.628] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.628] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.629] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.629] WriteFile (in: hFile=0x44c, lpBuffer=0x12dac600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12dac600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.632] CloseHandle (hObject=0x44c) returned 1 [0254.632] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xf9bf03f7, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0x1614e61b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0254.633] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x9000)) returned 1 [0254.633] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.633] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0254.634] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0254.634] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x9000)) returned 1 [0254.635] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99e00 | out: pbBuffer=0x12a99e00) returned 1 [0254.652] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0254.726] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0254.782] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0254.946] SetEvent (hEvent=0x1d0) returned 1 [0254.968] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.969] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0254.970] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa3e9b04, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xa3e9b04, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0254.970] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0254.970] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0255.013] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12855d1c*=0x4000, lpOverlapped=0x0) returned 1 [0255.698] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0256.514] SetEvent (hEvent=0x1d0) returned 1 [0256.514] SetEvent (hEvent=0x19c) returned 1 [0256.514] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0256.525] SetEvent (hEvent=0x40c) returned 1 [0256.526] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91cf695a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91cf695a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91cf695a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.526] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0256.695] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0257.122] SwitchToThread () returned 1 [0257.156] SetEvent (hEvent=0x420) returned 1 [0257.237] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1cf55339, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1cf55339, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1cf55339, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.238] SetEvent (hEvent=0x420) returned 1 [0257.238] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf5050aa1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.238] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0257.238] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf5050aa1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0257.280] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0257.281] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0257.281] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1cf55339, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1cf55339, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1cf55339, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.282] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0257.282] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a318 | out: pbBuffer=0x12a9a318) returned 1 [0257.283] ReadFile (in: hFile=0x3e4, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0257.283] CloseHandle (hObject=0x3e4) returned 1 [0257.283] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf5050aa1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0257.283] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1d8b269b, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0257.283] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0257.283] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0257.293] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0257.294] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0257.294] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0257.296] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0257.296] WriteFile (in: hFile=0x42c, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0257.298] CloseHandle (hObject=0x42c) returned 1 [0257.298] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1d8b269b, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.298] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0257.298] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0257.299] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0257.299] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0257.299] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0257.299] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0257.299] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0257.299] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0257.300] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0257.300] WriteFile (in: hFile=0x42c, lpBuffer=0x12a45300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a45300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0257.302] CloseHandle (hObject=0x42c) returned 1 [0257.302] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.302] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0257.302] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0257.303] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0257.303] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0257.303] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0257.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0257.303] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0257.303] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0257.304] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0257.304] WriteFile (in: hFile=0x42c, lpBuffer=0x12a46600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a46600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0257.305] CloseHandle (hObject=0x42c) returned 1 [0257.305] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4327b09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4327b09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4327b09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.305] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0257.306] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4327b09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4327b09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4327b09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0257.306] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4327b09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4327b09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4327b09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0257.306] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0257.306] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0257.306] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0257.306] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0257.306] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0257.307] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0257.307] WriteFile (in: hFile=0x42c, lpBuffer=0x12a47900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a47900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0257.308] CloseHandle (hObject=0x42c) returned 1 [0257.308] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4201430, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.309] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0257.309] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4201430, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0257.564] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4201430, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0257.564] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3abf05c0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MessagingBackgroundTaskLog.etl", cAlternateFileName="MESSAG~1.ETL")) returned 1 [0257.564] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b327c48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2bde25fe, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrivateTransportId.setting", cAlternateFileName="PRIVAT~1.SET")) returned 1 [0257.564] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36e4ad6b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0x0, dwReserved1=0x0, cFileName="TransportIdList.setting", cAlternateFileName="TRANSP~1.SET")) returned 1 [0257.564] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0257.565] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0257.565] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0257.566] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0257.566] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0257.568] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0257.569] WriteFile (in: hFile=0x42c, lpBuffer=0x12a48c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a48c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0257.570] CloseHandle (hObject=0x42c) returned 1 [0257.570] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\MessagingBackgroundTaskLog.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\messagingbackgroundtasklog.etl"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3abf05c0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0257.624] SetEvent (hEvent=0x40c) returned 1 [0257.624] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\PrivateTransportId.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\privatetransportid.setting"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b327c48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2bde25fe, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4)) returned 1 [0257.625] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\TransportIdList.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\transportidlist.setting"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36e4ad6b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5)) returned 1 [0257.625] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41af75f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af1c04d, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0257.625] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0257.625] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41af75f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af1c04d, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0257.625] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41af75f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af1c04d, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0257.626] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af42386, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DataRv", cAlternateFileName="")) returned 1 [0257.626] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x25c6b39b, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RootTools", cAlternateFileName="ROOTTO~1")) returned 1 [0257.626] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27121c88, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x27121c88, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x27121c88, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="shared.lck", cAlternateFileName="")) returned 1 [0257.626] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2748effe, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2748effe, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0xf3007824, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x8c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="shared.xml", cAlternateFileName="")) returned 1 [0257.626] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a6a07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x43a6a07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c4690c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x31, dwReserved0=0x0, dwReserved1=0x0, cFileName="update.log", cAlternateFileName="")) returned 1 [0257.626] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0257.626] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0257.626] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0257.626] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0257.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0257.628] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0257.628] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0257.630] CloseHandle (hObject=0x42c) returned 1 [0257.631] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af42386, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af42386, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.631] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0257.631] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af42386, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0257.631] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af42386, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0257.631] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x6af0efc0, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x200818, dwReserved0=0x0, dwReserved1=0x0, cFileName="offline-storage-ecs.data", cAlternateFileName="OFFLIN~1.DAT")) returned 1 [0257.632] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1af42386, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af42386, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0xc38b667c, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x300c18, dwReserved0=0x0, dwReserved1=0x0, cFileName="offline-storage.data", cAlternateFileName="OFFLIN~2.DAT")) returned 1 [0257.632] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0257.632] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0257.632] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0257.632] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0257.632] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0257.872] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0258.082] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\TransportIdList.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\transportidlist.setting"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0258.084] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0258.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\TransportIdList.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\transportidlist.setting"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36e4ad6b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5)) returned 1 [0258.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99220 | out: pbBuffer=0x12a99220) returned 1 [0258.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9afe0 | out: pbBuffer=0x12a9afe0) returned 1 [0258.084] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0258.115] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0258.128] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0258.129] SetEvent (hEvent=0x110) returned 1 [0258.129] SetEvent (hEvent=0x420) returned 1 [0258.145] ReadFile (in: hFile=0x450, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12855d1c*=0x5, lpOverlapped=0x0) returned 1 [0258.169] GetFileType (hFile=0x450) returned 0x1 [0258.169] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0258.169] WriteFile (in: hFile=0x450, lpBuffer=0x12848428*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12848428*, lpNumberOfBytesWritten=0x12855d00*=0x5, lpOverlapped=0x12855d0c) returned 1 [0258.169] GetFileType (hFile=0x450) returned 0x1 [0258.169] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x5, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0258.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0258.276] SetEvent (hEvent=0x420) returned 1 [0258.291] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0258.291] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0258.321] SetEvent (hEvent=0x420) returned 1 [0258.321] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0258.339] SetEvent (hEvent=0x420) returned 1 [0258.339] SetEvent (hEvent=0x40c) returned 1 [0258.561] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0258.562] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\TransportIdList.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\transportidlist.setting"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0258.562] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0258.562] WriteFile (in: hFile=0x45c, lpBuffer=0x12a5e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a5e000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0258.618] CloseHandle (hObject=0x45c) returned 1 [0258.618] CloseHandle (hObject=0x450) returned 1 [0258.619] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848040 | out: pbBuffer=0x12848040) returned 1 [0258.619] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\TransportIdList.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\transportidlist.setting"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\#_THIS_FILE_IS_ENCRYPTED_[EFDD82CB18F6E3D7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\#_this_file_is_encrypted_[efdd82cb18f6e3d7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0258.620] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.lck" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\shared.lck"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27121c88, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x27121c88, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x27121c88, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.621] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\shared.xml"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2748effe, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2748effe, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0xf3007824, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x8c5)) returned 1 [0258.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.lck" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\shared.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0258.622] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0258.622] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.lck" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\shared.lck"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27121c88, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x27121c88, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x27121c88, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2a0 | out: pbBuffer=0x1280e2a0) returned 1 [0258.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b20 | out: pbBuffer=0x12848b20) returned 1 [0258.622] ReadFile (in: hFile=0x450, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0258.622] CloseHandle (hObject=0x450) returned 1 [0258.622] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\shared.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0258.623] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0258.623] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\shared.xml"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2748effe, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2748effe, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0xf3007824, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x8c5)) returned 1 [0258.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0258.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b30 | out: pbBuffer=0x12848b30) returned 1 [0258.624] ReadFile (in: hFile=0x450, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12855d1c*=0x8c5, lpOverlapped=0x0) returned 1 [0258.625] GetFileType (hFile=0x450) returned 0x1 [0258.625] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0258.625] WriteFile (in: hFile=0x450, lpBuffer=0x1286e000*, nNumberOfBytesToWrite=0x8c5, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x1286e000*, lpNumberOfBytesWritten=0x12855d00*=0x8c5, lpOverlapped=0x12855d0c) returned 1 [0258.626] GetFileType (hFile=0x450) returned 0x1 [0258.626] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x8c5, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0258.626] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0258.626] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0258.626] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0258.626] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848be8 | out: pbBuffer=0x12848be8) returned 1 [0258.626] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\shared.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0258.627] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0258.627] WriteFile (in: hFile=0x45c, lpBuffer=0x12a5e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a5e500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0258.627] CloseHandle (hObject=0x45c) returned 1 [0258.627] CloseHandle (hObject=0x450) returned 1 [0258.627] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848c20 | out: pbBuffer=0x12848c20) returned 1 [0258.627] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\shared.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\#_THIS_FILE_IS_ENCRYPTED_[7FAAB4D6D44D8A49]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\#_this_file_is_encrypted_[7faab4d6d44d8a49]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0258.628] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\update.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\update.log"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a6a07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x43a6a07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c4690c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x31)) returned 1 [0258.650] SetEvent (hEvent=0x420) returned 1 [0258.650] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.650] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.650] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0258.651] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.651] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0258.651] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.651] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0258.651] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.651] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.651] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.653] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0258.653] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0258.654] CloseHandle (hObject=0x42c) returned 1 [0258.654] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0258.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.655] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0258.655] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.655] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xb2c15ea9, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfd39837d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0258.655] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfcce395b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0258.655] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfcce395b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0258.655] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.655] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0258.656] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.656] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.656] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.657] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0258.657] WriteFile (in: hFile=0x42c, lpBuffer=0x12a5a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a5a600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0258.659] CloseHandle (hObject=0x42c) returned 1 [0258.659] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xb2c15ea9, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfd39837d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x40000)) returned 1 [0258.659] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfcce395b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.660] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.660] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0258.660] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.661] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0258.661] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfcce395b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f3e0 | out: pbBuffer=0x1280f3e0) returned 1 [0258.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849888 | out: pbBuffer=0x12849888) returned 1 [0258.661] ReadFile (in: hFile=0x42c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12853d1c*=0x0, lpOverlapped=0x0) returned 1 [0258.661] CloseHandle (hObject=0x42c) returned 1 [0258.661] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfcce395b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.662] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41bbad4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf41bbad4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf41bbad4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.662] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.662] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41bbad4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf41bbad4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf41bbad4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0258.662] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41bbad4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf41bbad4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf41bbad4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.662] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.662] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0258.663] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.663] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.663] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.664] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0258.664] WriteFile (in: hFile=0x42c, lpBuffer=0x12a5b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a5b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0258.667] CloseHandle (hObject=0x42c) returned 1 [0258.667] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4213a66, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x26a02595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26a02595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0258.667] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.667] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4213a66, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x26a02595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26a02595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0258.667] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4213a66, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x26a02595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26a02595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.668] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf458b6ed, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf458b6ed, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf458b6ed, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0258.668] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf426a58a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x6aff3de4, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x6aff3de4, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0258.668] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0258.668] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0258.668] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.668] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0258.668] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.668] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.668] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.669] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0258.669] WriteFile (in: hFile=0x42c, lpBuffer=0x12a5cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a5cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0258.671] CloseHandle (hObject=0x42c) returned 1 [0258.672] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf458b6ed, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf458b6ed, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf458b6ed, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.672] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.673] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0258.673] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfcce395b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.673] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280fa00 | out: pbBuffer=0x1280fa00) returned 1 [0258.673] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8070 | out: pbBuffer=0x128e8070) returned 1 [0258.674] ReadFile (in: hFile=0x42c, lpBuffer=0x12d0e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d0e000*, lpNumberOfBytesRead=0x12853d1c*=0x0, lpOverlapped=0x0) returned 1 [0258.674] CloseHandle (hObject=0x42c) returned 1 [0258.674] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.724] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0258.724] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf458b6ed, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf458b6ed, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf458b6ed, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280fa20 | out: pbBuffer=0x1280fa20) returned 1 [0258.724] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8080 | out: pbBuffer=0x128e8080) returned 1 [0258.725] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0258.725] SetEvent (hEvent=0x420) returned 1 [0258.726] ReadFile (in: hFile=0x42c, lpBuffer=0x12d8e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d8e000*, lpNumberOfBytesRead=0x12853d1c*=0x0, lpOverlapped=0x0) returned 1 [0258.726] CloseHandle (hObject=0x42c) returned 1 [0258.727] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0258.746] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0258.746] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0258.747] SetEvent (hEvent=0x420) returned 1 [0258.747] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x0 [0258.748] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0259.137] SetEvent (hEvent=0x40c) returned 1 [0259.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.138] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0259.138] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0259.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0259.139] ReadFile (in: hFile=0x42c, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12853d1c*=0x0, lpOverlapped=0x0) returned 1 [0259.139] CloseHandle (hObject=0x42c) returned 1 [0259.139] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0259.288] SetEvent (hEvent=0x19c) returned 1 [0259.288] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0259.290] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0259.290] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00002.jrs"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0259.290] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0259.290] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0259.291] ReadFile (in: hFile=0x44c, lpBuffer=0x12cca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cca000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0259.299] GetFileType (hFile=0x44c) returned 0x1 [0259.299] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0259.300] WriteFile (in: hFile=0x44c, lpBuffer=0x12d0a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12d0a000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0259.301] GetFileType (hFile=0x44c) returned 0x1 [0259.301] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0259.301] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0259.301] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0259.301] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0259.314] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340d0 | out: pbBuffer=0x12c340d0) returned 1 [0259.314] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00002.jrs"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.314] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0259.314] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0259.320] CloseHandle (hObject=0x458) returned 1 [0259.320] CloseHandle (hObject=0x44c) returned 1 [0259.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340e8 | out: pbBuffer=0x12c340e8) returned 1 [0259.320] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00002.jrs"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\#_THIS_FILE_IS_ENCRYPTED_[C4958067DA9345BC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\#_this_file_is_encrypted_[c4958067da9345bc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.322] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\edb.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0259.323] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0259.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\edb.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\edb.chk"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0259.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0259.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34130 | out: pbBuffer=0x12c34130) returned 1 [0259.324] ReadFile (in: hFile=0x44c, lpBuffer=0x12d2a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d2a000*, lpNumberOfBytesRead=0x1282fd1c*=0x2000, lpOverlapped=0x0) returned 1 [0259.393] GetFileType (hFile=0x44c) returned 0x1 [0259.393] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0259.393] WriteFile (in: hFile=0x44c, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x1282fd00*=0x2000, lpOverlapped=0x1282fd0c) returned 1 [0259.393] GetFileType (hFile=0x44c) returned 0x1 [0259.393] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0259.401] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0259.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12c0e001 | out: pbBuffer=0x12c0e001) returned 1 [0259.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12c0e101 | out: pbBuffer=0x12c0e101) returned 1 [0259.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12c0e201 | out: pbBuffer=0x12c0e201) returned 1 [0259.416] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80d0 | out: pbBuffer=0x128e80d0) returned 1 [0259.416] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\edb.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\edb.chk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.416] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0259.416] WriteFile (in: hFile=0x458, lpBuffer=0x12c22000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0259.416] CloseHandle (hObject=0x458) returned 1 [0259.416] CloseHandle (hObject=0x44c) returned 1 [0259.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80e8 | out: pbBuffer=0x128e80e8) returned 1 [0259.417] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\edb.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\edb.chk"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\#_THIS_FILE_IS_ENCRYPTED_[D9BE2FFB70FC7AF6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\#_this_file_is_encrypted_[d9be2ffb70fc7af6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.584] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0259.657] SetEvent (hEvent=0x19c) returned 1 [0259.657] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.657] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0259.657] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e760 | out: pbBuffer=0x1280e760) returned 1 [0259.658] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8480 | out: pbBuffer=0x128e8480) returned 1 [0259.658] ReadFile (in: hFile=0x458, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0259.658] CloseHandle (hObject=0x458) returned 1 [0259.658] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.658] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0259.658] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9259b185, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.658] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e780 | out: pbBuffer=0x1280e780) returned 1 [0259.658] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8490 | out: pbBuffer=0x128e8490) returned 1 [0259.659] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0259.661] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0259.661] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0259.661] SetEvent (hEvent=0x110) returned 1 [0259.661] SetEvent (hEvent=0x19c) returned 1 [0259.661] SetEvent (hEvent=0x420) returned 1 [0259.661] ReadFile (in: hFile=0x458, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0259.662] CloseHandle (hObject=0x458) returned 1 [0259.662] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0259.669] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0259.669] SetEvent (hEvent=0x420) returned 1 [0259.669] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0259.704] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0259.704] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x0 [0259.708] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0259.708] SetEvent (hEvent=0x110) returned 1 [0259.708] SetEvent (hEvent=0x19c) returned 1 [0259.708] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0259.733] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0259.734] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0259.866] SetEvent (hEvent=0x420) returned 1 [0259.866] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.867] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0259.867] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68f23fcc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68f23fcc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0259.867] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0259.867] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0259.868] ReadFile (in: hFile=0x458, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x1282bd1c*=0x8000, lpOverlapped=0x0) returned 1 [0260.231] GetFileType (hFile=0x458) returned 0x1 [0260.231] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0260.231] WriteFile (in: hFile=0x458, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x1282bd00*=0x8000, lpOverlapped=0x1282bd0c) returned 1 [0260.232] GetFileType (hFile=0x458) returned 0x1 [0260.232] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x8000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0260.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0260.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0260.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0260.252] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483c0 | out: pbBuffer=0x128483c0) returned 1 [0260.252] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0260.252] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0260.252] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0260.253] CloseHandle (hObject=0x3e4) returned 1 [0260.253] CloseHandle (hObject=0x458) returned 1 [0260.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483d8 | out: pbBuffer=0x128483d8) returned 1 [0260.253] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[AEF2624B5D6BC3A6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[aef2624b5d6bc3a6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0260.255] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0260.430] SetEvent (hEvent=0x3f8) returned 1 [0260.430] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0260.451] SetEvent (hEvent=0x420) returned 1 [0260.451] SetEvent (hEvent=0x19c) returned 1 [0260.451] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0260.479] SetEvent (hEvent=0x3f8) returned 1 [0260.479] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0260.496] SetEvent (hEvent=0x40c) returned 1 [0260.496] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0260.497] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0260.497] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf7f87f1c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0260.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0260.497] ReadFile (in: hFile=0x3e4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0260.498] CloseHandle (hObject=0x3e4) returned 1 [0260.498] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0260.771] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0260.948] SetEvent (hEvent=0x420) returned 1 [0260.948] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.949] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0260.949] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88020 | out: pbBuffer=0x12b88020) returned 1 [0260.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a028 | out: pbBuffer=0x12a9a028) returned 1 [0260.950] ReadFile (in: hFile=0x42c, lpBuffer=0x12a1c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a1c000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0260.950] CloseHandle (hObject=0x42c) returned 1 [0260.950] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.951] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0260.951] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf79b8381, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.951] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88040 | out: pbBuffer=0x12b88040) returned 1 [0260.951] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a038 | out: pbBuffer=0x12a9a038) returned 1 [0260.951] ReadFile (in: hFile=0x42c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0260.959] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0260.974] GetFileType (hFile=0x42c) returned 0x1 [0260.974] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0260.974] WriteFile (in: hFile=0x42c, lpBuffer=0x12a62000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a62000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0260.974] GetFileType (hFile=0x42c) returned 0x1 [0260.974] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0260.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835981 | out: pbBuffer=0x12835981) returned 1 [0260.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835a81 | out: pbBuffer=0x12835a81) returned 1 [0260.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835b81 | out: pbBuffer=0x12835b81) returned 1 [0260.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9428 | out: pbBuffer=0x128e9428) returned 1 [0260.975] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.976] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0260.976] WriteFile (in: hFile=0x458, lpBuffer=0x12be2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12be2500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0260.976] CloseHandle (hObject=0x458) returned 1 [0260.977] CloseHandle (hObject=0x42c) returned 1 [0260.977] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9440 | out: pbBuffer=0x128e9440) returned 1 [0260.977] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[48424646522D8638]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[48424646522d8638]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0260.978] SetEvent (hEvent=0x19c) returned 1 [0260.978] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0261.627] SetEvent (hEvent=0x420) returned 1 [0261.627] SetEvent (hEvent=0x3f8) returned 1 [0261.627] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0262.056] SetEvent (hEvent=0x1d0) returned 1 [0262.057] SetEvent (hEvent=0xf4) returned 1 [0262.057] SetEvent (hEvent=0xfc) returned 1 [0262.057] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0262.065] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0262.065] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0262.070] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0262.070] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0262.083] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0262.083] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0262.083] SetEvent (hEvent=0x40c) returned 1 [0262.083] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0262.099] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0262.099] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0262.219] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0262.307] SetEvent (hEvent=0x3f8) returned 1 [0262.307] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.308] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0262.308] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdbd82a85, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.308] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0262.308] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0262.309] ReadFile (in: hFile=0x458, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x1282bd1c*=0x2000, lpOverlapped=0x0) returned 1 [0262.316] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0262.332] SetEvent (hEvent=0x420) returned 1 [0262.332] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0262.337] SetEvent (hEvent=0x420) returned 1 [0262.337] SetEvent (hEvent=0x3f8) returned 1 [0262.338] GetFileType (hFile=0x458) returned 0x1 [0262.338] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0262.338] WriteFile (in: hFile=0x458, lpBuffer=0x12a6e000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12a6e000*, lpNumberOfBytesWritten=0x1282bd00*=0x2000, lpOverlapped=0x1282bd0c) returned 1 [0262.338] GetFileType (hFile=0x458) returned 0x1 [0262.338] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0262.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0262.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0262.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0262.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0262.339] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.339] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0262.339] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0262.340] CloseHandle (hObject=0x42c) returned 1 [0262.340] CloseHandle (hObject=0x458) returned 1 [0262.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0262.340] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[40CD6385F2B4D5D6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[40cd6385f2b4d5d6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0262.342] SwitchToThread () returned 1 [0262.350] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0263.041] SetEvent (hEvent=0x3f8) returned 1 [0263.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.043] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0263.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1ce836c9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x673c6ff, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0263.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0263.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0263.043] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x10000, lpOverlapped=0x0) returned 1 [0263.095] GetFileType (hFile=0x458) returned 0x1 [0263.095] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.095] WriteFile (in: hFile=0x458, lpBuffer=0x12a5e000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a5e000*, lpNumberOfBytesWritten=0x12829d00*=0x10000, lpOverlapped=0x12829d0c) returned 1 [0263.096] GetFileType (hFile=0x458) returned 0x1 [0263.096] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0263.097] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0263.098] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0263.098] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8c90 | out: pbBuffer=0x128e8c90) returned 1 [0263.098] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.112] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0263.112] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0263.113] CloseHandle (hObject=0x42c) returned 1 [0263.113] CloseHandle (hObject=0x458) returned 1 [0263.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8f60 | out: pbBuffer=0x128e8f60) returned 1 [0263.113] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[53FC7BC5E67390B0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[53fc7bc5e67390b0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.116] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.117] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0263.117] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe61a652, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.118] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128454a0 | out: pbBuffer=0x128454a0) returned 1 [0263.118] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8fa8 | out: pbBuffer=0x128e8fa8) returned 1 [0263.118] ReadFile (in: hFile=0x458, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12853d1c*=0x2000, lpOverlapped=0x0) returned 1 [0263.138] GetFileType (hFile=0x458) returned 0x1 [0263.139] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.139] WriteFile (in: hFile=0x458, lpBuffer=0x12db6000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12db6000*, lpNumberOfBytesWritten=0x12853d00*=0x2000, lpOverlapped=0x12853d0c) returned 1 [0263.139] GetFileType (hFile=0x458) returned 0x1 [0263.139] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0263.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0263.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0263.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9400 | out: pbBuffer=0x128e9400) returned 1 [0263.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.140] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0263.140] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0263.141] CloseHandle (hObject=0x42c) returned 1 [0263.141] CloseHandle (hObject=0x458) returned 1 [0263.141] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9418 | out: pbBuffer=0x128e9418) returned 1 [0263.141] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[BFFF9B6CAF6DD95C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[bfff9b6caf6dd95c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.199] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0263.401] SetEvent (hEvent=0x19c) returned 1 [0263.401] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0263.405] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.406] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0263.406] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9c31594e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0263.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b89060 | out: pbBuffer=0x12b89060) returned 1 [0263.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b50 | out: pbBuffer=0x12810b50) returned 1 [0263.406] ReadFile (in: hFile=0x42c, lpBuffer=0x12a16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a16000*, lpNumberOfBytesRead=0x1282bd1c*=0x4000, lpOverlapped=0x0) returned 1 [0263.415] GetFileType (hFile=0x42c) returned 0x1 [0263.415] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0263.415] WriteFile (in: hFile=0x42c, lpBuffer=0x12bd2000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12bd2000*, lpNumberOfBytesWritten=0x1282bd00*=0x4000, lpOverlapped=0x1282bd0c) returned 1 [0263.416] GetFileType (hFile=0x42c) returned 0x1 [0263.416] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0263.416] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0263.416] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0263.416] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0263.416] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849d78 | out: pbBuffer=0x12849d78) returned 1 [0263.416] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.417] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0263.417] WriteFile (in: hFile=0x458, lpBuffer=0x12bde000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12bde000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0263.417] CloseHandle (hObject=0x458) returned 1 [0263.417] CloseHandle (hObject=0x42c) returned 1 [0263.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849da0 | out: pbBuffer=0x12849da0) returned 1 [0263.417] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[168AEC817C8F5233]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[168aec817c8f5233]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.419] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0263.473] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0263.522] SetEvent (hEvent=0x19c) returned 1 [0263.522] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.523] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0263.523] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x93c418e8, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93c418e8, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0263.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0263.523] ReadFile (in: hFile=0x42c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12853d1c*=0x2000, lpOverlapped=0x0) returned 1 [0263.562] GetFileType (hFile=0x42c) returned 0x1 [0263.562] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.562] WriteFile (in: hFile=0x42c, lpBuffer=0x128f4000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x128f4000*, lpNumberOfBytesWritten=0x12853d00*=0x2000, lpOverlapped=0x12853d0c) returned 1 [0263.562] GetFileType (hFile=0x42c) returned 0x1 [0263.562] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0263.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0263.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0263.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0263.564] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0263.564] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0263.564] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0263.566] CloseHandle (hObject=0x3e4) returned 1 [0263.566] CloseHandle (hObject=0x42c) returned 1 [0263.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0263.566] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[C31115844C5D9344]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[c31115844c5d9344]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.568] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.569] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0263.570] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0263.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810170 | out: pbBuffer=0x12810170) returned 1 [0263.570] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0263.570] CloseHandle (hObject=0x42c) returned 1 [0263.570] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.571] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0263.571] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93b82c39, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88240 | out: pbBuffer=0x12b88240) returned 1 [0263.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810180 | out: pbBuffer=0x12810180) returned 1 [0263.571] ReadFile (in: hFile=0x42c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0263.571] CloseHandle (hObject=0x42c) returned 1 [0263.572] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0263.846] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0263.937] SetEvent (hEvent=0x3f8) returned 1 [0263.938] SetEvent (hEvent=0xfc) returned 1 [0263.938] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0263.940] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0263.940] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0263.940] SetEvent (hEvent=0xfc) returned 1 [0263.940] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0263.947] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0263.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.948] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0263.948] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93faeefa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93faeefa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0263.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0263.948] ReadFile (in: hFile=0x42c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0264.000] GetFileType (hFile=0x42c) returned 0x1 [0264.000] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0264.000] WriteFile (in: hFile=0x42c, lpBuffer=0x1288c000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x1288c000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0264.079] GetFileType (hFile=0x42c) returned 0x1 [0264.079] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0264.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0264.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0264.080] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0264.080] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0264.080] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0264.080] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0264.080] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0264.090] CloseHandle (hObject=0x458) returned 1 [0264.090] CloseHandle (hObject=0x42c) returned 1 [0264.099] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0264.099] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[F965F40FFB37FEA8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[f965f40ffb37fea8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0264.311] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0264.762] SetEvent (hEvent=0x40c) returned 1 [0264.762] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.766] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12c8bd0c | out: lpMode=0x12c8bd0c) returned 0 [0264.766] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12c8bad0 | out: lpFileInformation=0x12c8bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d6b609, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2d6b609, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0264.766] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0264.766] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0264.766] ReadFile (in: hFile=0x450, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12c8bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12c8bd1c*=0x10000, lpOverlapped=0x0) returned 1 [0264.873] GetFileType (hFile=0x450) returned 0x1 [0264.875] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12c8bce4 | out: lpNewFilePointer=0x0) returned 1 [0264.875] WriteFile (in: hFile=0x450, lpBuffer=0x12a62000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x12c8bd00, lpOverlapped=0x12c8bd0c | out: lpBuffer=0x12a62000*, lpNumberOfBytesWritten=0x12c8bd00*=0x10000, lpOverlapped=0x12c8bd0c) returned 1 [0264.876] GetFileType (hFile=0x450) returned 0x1 [0264.876] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x12c8bce4 | out: lpNewFilePointer=0x0) returned 1 [0264.876] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0264.877] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae01 | out: pbBuffer=0x1286ae01) returned 1 [0264.878] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af01 | out: pbBuffer=0x1286af01) returned 1 [0264.929] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ada8 | out: pbBuffer=0x12a9ada8) returned 1 [0264.930] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0264.930] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12c8bd0c | out: lpMode=0x12c8bd0c) returned 0 [0264.930] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12c8bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12c8bd0c*=0x276, lpOverlapped=0x0) returned 1 [0264.930] CloseHandle (hObject=0x42c) returned 1 [0264.930] CloseHandle (hObject=0x450) returned 1 [0264.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9adc0 | out: pbBuffer=0x12a9adc0) returned 1 [0264.931] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[05C643DA2E139CE8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[05c643da2e139ce8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0264.933] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.934] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0264.934] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x71f663, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.934] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98fc0 | out: pbBuffer=0x12a98fc0) returned 1 [0264.934] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae08 | out: pbBuffer=0x12a9ae08) returned 1 [0264.934] ReadFile (in: hFile=0x450, lpBuffer=0x12d46000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d46000*, lpNumberOfBytesRead=0x12853d1c*=0x0, lpOverlapped=0x0) returned 1 [0264.934] CloseHandle (hObject=0x450) returned 1 [0264.935] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.936] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.936] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0264.936] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.936] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.936] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0264.937] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.937] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.937] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.938] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0264.938] WriteFile (in: hFile=0x450, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0264.939] CloseHandle (hObject=0x450) returned 1 [0264.940] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.940] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.940] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0264.940] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.940] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.941] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0264.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.943] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0264.943] WriteFile (in: hFile=0x450, lpBuffer=0x12b13300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b13300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0264.945] CloseHandle (hObject=0x450) returned 1 [0264.945] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.945] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.945] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0265.171] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0265.259] SetEvent (hEvent=0x3f8) returned 1 [0265.260] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0266.335] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6facc, ulCount=0x10, ulNumEntriesRemoved=0x33a6fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6facc, ulNumEntriesRemoved=0x33a6fab0) returned 0 [0266.336] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6facc, ulCount=0x10, ulNumEntriesRemoved=0x33a6fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x33a6facc, ulNumEntriesRemoved=0x33a6fab0) returned 1 [0277.446] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x33a6faac, fWait=0, lpdwFlags=0x33a6fabc | out: lpcbTransfer=0x33a6faac, lpdwFlags=0x33a6fabc) returned 1 [0277.536] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0277.588] SwitchToThread () returned 1 [0277.596] SetEvent (hEvent=0x104) returned 1 [0277.596] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\nWxBib8foQhMc2j.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\nwxbib8foqhmc2j.flv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74fc0e0, ftCreationTime.dwHighDateTime=0x1d82525, ftLastAccessTime.dwLowDateTime=0x81374d00, ftLastAccessTime.dwHighDateTime=0x1d82758, ftLastWriteTime.dwLowDateTime=0x81374d00, ftLastWriteTime.dwHighDateTime=0x1d82758, nFileSizeHigh=0x0, nFileSizeLow=0xc158)) returned 1 [0277.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mhliFoX1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mhlifox1.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.598] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0277.598] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mhliFoX1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mhlifox1.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3625990, ftCreationTime.dwHighDateTime=0x1d823cb, ftLastAccessTime.dwLowDateTime=0xbb55f3d0, ftLastAccessTime.dwHighDateTime=0x1d82904, ftLastWriteTime.dwLowDateTime=0xbb55f3d0, ftLastWriteTime.dwHighDateTime=0x1d82904, nFileSizeHigh=0x0, nFileSizeLow=0x90d3)) returned 1 [0277.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928920 | out: pbBuffer=0x12928920) returned 1 [0277.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485d0 | out: pbBuffer=0x128485d0) returned 1 [0277.598] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0277.603] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0277.603] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb20, ulNumEntriesRemoved=0x33a6fb04) returned 0 [0277.603] SetEvent (hEvent=0x110) returned 1 [0277.603] SetEvent (hEvent=0x104) returned 1 [0277.603] ReadFile (in: hFile=0x45c, lpBuffer=0x12d18000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d18000*, lpNumberOfBytesRead=0x12829d1c*=0x90d3, lpOverlapped=0x0) returned 1 [0277.606] GetFileType (hFile=0x45c) returned 0x1 [0277.606] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.606] WriteFile (in: hFile=0x45c, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0x90d3, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x12829d00*=0x90d3, lpOverlapped=0x12829d0c) returned 1 [0277.606] GetFileType (hFile=0x45c) returned 0x1 [0277.606] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x90d3, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.606] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12e72101 | out: pbBuffer=0x12e72101) returned 1 [0277.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12e72201 | out: pbBuffer=0x12e72201) returned 1 [0277.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12e72301 | out: pbBuffer=0x12e72301) returned 1 [0277.607] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128486e8 | out: pbBuffer=0x128486e8) returned 1 [0277.608] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mhliFoX1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mhlifox1.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.608] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0277.608] WriteFile (in: hFile=0x44c, lpBuffer=0x12dc6f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0277.608] CloseHandle (hObject=0x44c) returned 1 [0277.609] CloseHandle (hObject=0x45c) returned 1 [0277.609] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848700 | out: pbBuffer=0x12848700) returned 1 [0277.609] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mhliFoX1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mhlifox1.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[1EEB5CAA540BB644]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[1eeb5caa540bb644]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.611] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\nWxBib8foQhMc2j.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\nwxbib8foqhmc2j.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.612] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0277.612] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\nWxBib8foQhMc2j.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\nwxbib8foqhmc2j.flv"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74fc0e0, ftCreationTime.dwHighDateTime=0x1d82525, ftLastAccessTime.dwLowDateTime=0x81374d00, ftLastAccessTime.dwHighDateTime=0x1d82758, ftLastWriteTime.dwLowDateTime=0x81374d00, ftLastWriteTime.dwHighDateTime=0x1d82758, nFileSizeHigh=0x0, nFileSizeLow=0xc158)) returned 1 [0277.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928b40 | out: pbBuffer=0x12928b40) returned 1 [0277.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848758 | out: pbBuffer=0x12848758) returned 1 [0277.613] ReadFile (in: hFile=0x45c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12829d1c*=0xc158, lpOverlapped=0x0) returned 1 [0277.615] GetFileType (hFile=0x45c) returned 0x1 [0277.615] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.615] WriteFile (in: hFile=0x45c, lpBuffer=0x12c00000*, nNumberOfBytesToWrite=0xc158, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c00000*, lpNumberOfBytesWritten=0x12829d00*=0xc158, lpOverlapped=0x12829d0c) returned 1 [0277.616] GetFileType (hFile=0x45c) returned 0x1 [0277.616] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xc158, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.616] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12e72601 | out: pbBuffer=0x12e72601) returned 1 [0277.616] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12e72701 | out: pbBuffer=0x12e72701) returned 1 [0277.616] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12e72801 | out: pbBuffer=0x12e72801) returned 1 [0277.617] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848840 | out: pbBuffer=0x12848840) returned 1 [0277.617] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\nWxBib8foQhMc2j.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\nwxbib8foqhmc2j.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.617] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0277.617] WriteFile (in: hFile=0x44c, lpBuffer=0x12dc7400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc7400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0277.617] CloseHandle (hObject=0x44c) returned 1 [0277.617] CloseHandle (hObject=0x45c) returned 1 [0277.618] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848858 | out: pbBuffer=0x12848858) returned 1 [0277.620] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\nWxBib8foQhMc2j.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\nwxbib8foqhmc2j.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[73F6AAC4E77D790E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[73f6aac4e77d790e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.624] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0277.626] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0277.626] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x0 [0277.665] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x0 [0277.669] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33a6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6fb28, ulNumEntriesRemoved=0x33a6fb0c) returned 0 [0277.669] SetEvent (hEvent=0x110) returned 1 [0277.669] SetEvent (hEvent=0x420) returned 1 [0277.669] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x1) returned 0x102 [0277.712] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0277.713] SwitchToThread () returned 1 [0277.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oAgMN9U_p8BUTqAW1.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\oagmn9u_p8butqaw1.flv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f3beba0, ftCreationTime.dwHighDateTime=0x1d82026, ftLastAccessTime.dwLowDateTime=0xdcf2c8d0, ftLastAccessTime.dwHighDateTime=0x1d8292f, ftLastWriteTime.dwLowDateTime=0xdcf2c8d0, ftLastWriteTime.dwHighDateTime=0x1d8292f, nFileSizeHigh=0x0, nFileSizeLow=0x17aa4)) returned 1 [0277.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\qKzW8J3AvmRUdsVCGgRU.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\qkzw8j3avmrudsvcggru.flv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa17c6f0, ftCreationTime.dwHighDateTime=0x1d8270d, ftLastAccessTime.dwLowDateTime=0x8d18b340, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0x8d18b340, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x2ac1)) returned 1 [0277.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwD ndsTii9UVozcMJde.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rwd ndstii9uvozcmjde.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdff83b90, ftCreationTime.dwHighDateTime=0x1d82548, ftLastAccessTime.dwLowDateTime=0x889af920, ftLastAccessTime.dwHighDateTime=0x1d82587, ftLastWriteTime.dwLowDateTime=0x889af920, ftLastWriteTime.dwHighDateTime=0x1d82587, nFileSizeHigh=0x0, nFileSizeLow=0x7016)) returned 1 [0277.763] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\snc6GkKAD0HvXm.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\snc6gkkad0hvxm.ods"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63a03a50, ftCreationTime.dwHighDateTime=0x1d81cd0, ftLastAccessTime.dwLowDateTime=0x2cab68f0, ftLastAccessTime.dwHighDateTime=0x1d82287, ftLastWriteTime.dwLowDateTime=0x2cab68f0, ftLastWriteTime.dwHighDateTime=0x1d82287, nFileSizeHigh=0x0, nFileSizeLow=0xa847)) returned 1 [0277.763] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwD ndsTii9UVozcMJde.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rwd ndstii9uvozcmjde.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.764] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.764] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwD ndsTii9UVozcMJde.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rwd ndstii9uvozcmjde.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdff83b90, ftCreationTime.dwHighDateTime=0x1d82548, ftLastAccessTime.dwLowDateTime=0x889af920, ftLastAccessTime.dwHighDateTime=0x1d82587, ftLastWriteTime.dwLowDateTime=0x889af920, ftLastWriteTime.dwHighDateTime=0x1d82587, nFileSizeHigh=0x0, nFileSizeLow=0x7016)) returned 1 [0277.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98300 | out: pbBuffer=0x12a98300) returned 1 [0277.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ac40 | out: pbBuffer=0x12a9ac40) returned 1 [0277.764] ReadFile (in: hFile=0x42c, lpBuffer=0x12cf8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf8000*, lpNumberOfBytesRead=0x12a5dd1c*=0x7016, lpOverlapped=0x0) returned 1 [0277.766] GetFileType (hFile=0x42c) returned 0x1 [0277.766] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.766] WriteFile (in: hFile=0x42c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x7016, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a5dd00*=0x7016, lpOverlapped=0x12a5dd0c) returned 1 [0277.766] GetFileType (hFile=0x42c) returned 0x1 [0277.766] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x7016, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.766] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0277.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0277.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0277.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9acf8 | out: pbBuffer=0x12a9acf8) returned 1 [0277.767] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwD ndsTii9UVozcMJde.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rwd ndstii9uvozcmjde.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.767] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.767] WriteFile (in: hFile=0x45c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.767] CloseHandle (hObject=0x45c) returned 1 [0277.767] CloseHandle (hObject=0x42c) returned 1 [0277.768] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ad10 | out: pbBuffer=0x12a9ad10) returned 1 [0277.768] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwD ndsTii9UVozcMJde.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rwd ndstii9uvozcmjde.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[BBF22428F7E25C01]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[bbf22428f7e25c01]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.769] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\snc6GkKAD0HvXm.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\snc6gkkad0hvxm.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.770] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.770] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\snc6GkKAD0HvXm.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\snc6gkkad0hvxm.ods"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63a03a50, ftCreationTime.dwHighDateTime=0x1d81cd0, ftLastAccessTime.dwLowDateTime=0x2cab68f0, ftLastAccessTime.dwHighDateTime=0x1d82287, ftLastWriteTime.dwLowDateTime=0x2cab68f0, ftLastWriteTime.dwHighDateTime=0x1d82287, nFileSizeHigh=0x0, nFileSizeLow=0xa847)) returned 1 [0277.770] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98500 | out: pbBuffer=0x12a98500) returned 1 [0277.770] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ad58 | out: pbBuffer=0x12a9ad58) returned 1 [0277.770] ReadFile (in: hFile=0x42c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12a5dd1c*=0xa847, lpOverlapped=0x0) returned 1 [0277.772] GetFileType (hFile=0x42c) returned 0x1 [0277.772] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.774] WriteFile (in: hFile=0x42c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0xa847, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12a5dd00*=0xa847, lpOverlapped=0x12a5dd0c) returned 1 [0277.775] GetFileType (hFile=0x42c) returned 0x1 [0277.775] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xa847, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0277.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0277.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0277.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ae10 | out: pbBuffer=0x12a9ae10) returned 1 [0277.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\snc6GkKAD0HvXm.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\snc6gkkad0hvxm.ods"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.776] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.776] WriteFile (in: hFile=0x45c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.776] CloseHandle (hObject=0x45c) returned 1 [0277.776] CloseHandle (hObject=0x42c) returned 1 [0277.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae28 | out: pbBuffer=0x12a9ae28) returned 1 [0277.776] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\snc6GkKAD0HvXm.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\snc6gkkad0hvxm.ods"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[45D8D0E4D80FCBA3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[45d8d0e4d80fcba3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\t5Wg.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\t5wg.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb836fdb0, ftCreationTime.dwHighDateTime=0x1d8204a, ftLastAccessTime.dwLowDateTime=0x8eb3ec40, ftLastAccessTime.dwHighDateTime=0x1d823f7, ftLastWriteTime.dwLowDateTime=0x8eb3ec40, ftLastWriteTime.dwHighDateTime=0x1d823f7, nFileSizeHigh=0x0, nFileSizeLow=0x16153)) returned 1 [0277.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\u0lRKxoZGIPaUd7o.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\u0lrkxozgipaud7o.pdf"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2402d7b0, ftCreationTime.dwHighDateTime=0x1d8209d, ftLastAccessTime.dwLowDateTime=0xa73b2390, ftLastAccessTime.dwHighDateTime=0x1d8210a, ftLastWriteTime.dwLowDateTime=0xa73b2390, ftLastWriteTime.dwHighDateTime=0x1d8210a, nFileSizeHigh=0x0, nFileSizeLow=0x1751d)) returned 1 [0277.778] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\t5Wg.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\t5wg.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.779] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.779] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\t5Wg.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\t5wg.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb836fdb0, ftCreationTime.dwHighDateTime=0x1d8204a, ftLastAccessTime.dwLowDateTime=0x8eb3ec40, ftLastAccessTime.dwHighDateTime=0x1d823f7, ftLastWriteTime.dwLowDateTime=0x8eb3ec40, ftLastWriteTime.dwHighDateTime=0x1d823f7, nFileSizeHigh=0x0, nFileSizeLow=0x16153)) returned 1 [0277.779] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98cc0 | out: pbBuffer=0x12a98cc0) returned 1 [0277.779] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b5a0 | out: pbBuffer=0x12a9b5a0) returned 1 [0277.782] ReadFile (in: hFile=0x42c, lpBuffer=0x12e20000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e20000*, lpNumberOfBytesRead=0x12a5dd1c*=0x16153, lpOverlapped=0x0) returned 1 [0277.785] GetFileType (hFile=0x42c) returned 0x1 [0277.785] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.785] WriteFile (in: hFile=0x42c, lpBuffer=0x12dc8000*, nNumberOfBytesToWrite=0x16153, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12dc8000*, lpNumberOfBytesWritten=0x12a5dd00*=0x16153, lpOverlapped=0x12a5dd0c) returned 1 [0277.785] GetFileType (hFile=0x42c) returned 0x1 [0277.785] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x16153, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0277.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0277.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0277.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b658 | out: pbBuffer=0x12a9b658) returned 1 [0277.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\t5Wg.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\t5wg.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.786] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.786] WriteFile (in: hFile=0x45c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.787] CloseHandle (hObject=0x45c) returned 1 [0277.787] CloseHandle (hObject=0x42c) returned 1 [0277.787] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b670 | out: pbBuffer=0x12a9b670) returned 1 [0277.787] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\t5Wg.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\t5wg.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[4E03DBB48FF0D0A1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[4e03dbb48ff0d0a1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.789] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\u0lRKxoZGIPaUd7o.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\u0lrkxozgipaud7o.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.790] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.790] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\u0lRKxoZGIPaUd7o.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\u0lrkxozgipaud7o.pdf"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2402d7b0, ftCreationTime.dwHighDateTime=0x1d8209d, ftLastAccessTime.dwLowDateTime=0xa73b2390, ftLastAccessTime.dwHighDateTime=0x1d8210a, ftLastWriteTime.dwLowDateTime=0xa73b2390, ftLastWriteTime.dwHighDateTime=0x1d8210a, nFileSizeHigh=0x0, nFileSizeLow=0x1751d)) returned 1 [0277.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98ec0 | out: pbBuffer=0x12a98ec0) returned 1 [0277.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b6b8 | out: pbBuffer=0x12a9b6b8) returned 1 [0277.792] ReadFile (in: hFile=0x42c, lpBuffer=0x12de0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12de0000*, lpNumberOfBytesRead=0x12a5dd1c*=0x1751d, lpOverlapped=0x0) returned 1 [0277.795] GetFileType (hFile=0x42c) returned 0x1 [0277.795] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.795] WriteFile (in: hFile=0x42c, lpBuffer=0x12e00000*, nNumberOfBytesToWrite=0x1751d, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12e00000*, lpNumberOfBytesWritten=0x12a5dd00*=0x1751d, lpOverlapped=0x12a5dd0c) returned 1 [0277.796] GetFileType (hFile=0x42c) returned 0x1 [0277.796] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1751d, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801681 | out: pbBuffer=0x12801681) returned 1 [0277.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801781 | out: pbBuffer=0x12801781) returned 1 [0277.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801881 | out: pbBuffer=0x12801881) returned 1 [0277.797] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b770 | out: pbBuffer=0x12a9b770) returned 1 [0277.797] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\u0lRKxoZGIPaUd7o.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\u0lrkxozgipaud7o.pdf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.797] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.797] WriteFile (in: hFile=0x45c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.797] CloseHandle (hObject=0x45c) returned 1 [0277.797] CloseHandle (hObject=0x42c) returned 1 [0277.797] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b788 | out: pbBuffer=0x12a9b788) returned 1 [0277.797] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\u0lRKxoZGIPaUd7o.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\u0lrkxozgipaud7o.pdf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[059542403BF6C246]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[059542403bf6c246]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.799] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\uja38dNRQ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\uja38dnrq.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5641f90, ftCreationTime.dwHighDateTime=0x1d81d46, ftLastAccessTime.dwLowDateTime=0xdbfe1fc0, ftLastAccessTime.dwHighDateTime=0x1d81e93, ftLastWriteTime.dwLowDateTime=0xdbfe1fc0, ftLastWriteTime.dwHighDateTime=0x1d81e93, nFileSizeHigh=0x0, nFileSizeLow=0x15555)) returned 1 [0277.799] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v1Mp.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\v1mp.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d00b810, ftCreationTime.dwHighDateTime=0x1d82857, ftLastAccessTime.dwLowDateTime=0x2d3de490, ftLastAccessTime.dwHighDateTime=0x1d82990, ftLastWriteTime.dwLowDateTime=0x2d3de490, ftLastWriteTime.dwHighDateTime=0x1d82990, nFileSizeHigh=0x0, nFileSizeLow=0x5f35)) returned 1 [0277.799] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\uja38dNRQ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\uja38dnrq.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.800] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\uja38dNRQ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\uja38dnrq.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5641f90, ftCreationTime.dwHighDateTime=0x1d81d46, ftLastAccessTime.dwLowDateTime=0xdbfe1fc0, ftLastAccessTime.dwHighDateTime=0x1d81e93, ftLastWriteTime.dwLowDateTime=0xdbfe1fc0, ftLastWriteTime.dwHighDateTime=0x1d81e93, nFileSizeHigh=0x0, nFileSizeLow=0x15555)) returned 1 [0277.800] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a990c0 | out: pbBuffer=0x12a990c0) returned 1 [0277.800] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848540 | out: pbBuffer=0x12848540) returned 1 [0277.800] ReadFile (in: hFile=0x42c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a5dd1c*=0x15555, lpOverlapped=0x0) returned 1 [0277.802] GetFileType (hFile=0x42c) returned 0x1 [0277.802] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.802] WriteFile (in: hFile=0x42c, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x15555, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x12a5dd00*=0x15555, lpOverlapped=0x12a5dd0c) returned 1 [0277.803] GetFileType (hFile=0x42c) returned 0x1 [0277.803] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15555, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b01 | out: pbBuffer=0x12801b01) returned 1 [0277.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801c01 | out: pbBuffer=0x12801c01) returned 1 [0277.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801d01 | out: pbBuffer=0x12801d01) returned 1 [0277.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848968 | out: pbBuffer=0x12848968) returned 1 [0277.803] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\uja38dNRQ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\uja38dnrq.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.803] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.804] WriteFile (in: hFile=0x45c, lpBuffer=0x12dc6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6000*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.804] CloseHandle (hObject=0x45c) returned 1 [0277.804] CloseHandle (hObject=0x42c) returned 1 [0277.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848990 | out: pbBuffer=0x12848990) returned 1 [0277.804] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\uja38dNRQ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\uja38dnrq.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[700BDC803C65683C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[700bdc803c65683c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.861] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0277.890] SwitchToThread () returned 1 [0277.892] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0277.897] SetEvent (hEvent=0x1b8) returned 1 [0277.897] SetEvent (hEvent=0x104) returned 1 [0277.898] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm02835233[[fn=text sidebar (annual report red and black design)]].docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0277.898] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0277.898] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm02835233[[fn=text sidebar (annual report red and black design)]].docx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980cc2bb, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980cc2bb, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980cc2bb, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xb8c0)) returned 1 [0277.898] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e220 | out: pbBuffer=0x1280e220) returned 1 [0277.898] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810048 | out: pbBuffer=0x12810048) returned 1 [0277.898] ReadFile (in: hFile=0x1a4, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12853d1c*=0xb8c0, lpOverlapped=0x0) returned 1 [0277.900] GetFileType (hFile=0x1a4) returned 0x1 [0277.900] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.900] WriteFile (in: hFile=0x1a4, lpBuffer=0x128a8000*, nNumberOfBytesToWrite=0xb8c0, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x128a8000*, lpNumberOfBytesWritten=0x12853d00*=0xb8c0, lpOverlapped=0x12853d0c) returned 1 [0277.901] GetFileType (hFile=0x1a4) returned 0x1 [0277.901] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xb8c0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0277.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0277.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0277.902] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810130 | out: pbBuffer=0x12810130) returned 1 [0277.902] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm02835233[[fn=text sidebar (annual report red and black design)]].docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.902] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0277.902] WriteFile (in: hFile=0x42c, lpBuffer=0x12dc6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0277.902] CloseHandle (hObject=0x42c) returned 1 [0277.902] CloseHandle (hObject=0x1a4) returned 1 [0277.903] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810148 | out: pbBuffer=0x12810148) returned 1 [0277.903] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm02835233[[fn=text sidebar (annual report red and black design)]].docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\#_THIS_FILE_IS_ENCRYPTED_[307C57BF6F5ED8F3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\#_this_file_is_encrypted_[307c57bf6f5ed8f3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.904] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\vBuf95Nf11PMfowkk0S.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\vbuf95nf11pmfowkk0s.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19174ec0, ftCreationTime.dwHighDateTime=0x1d819e6, ftLastAccessTime.dwLowDateTime=0x39057a30, ftLastAccessTime.dwHighDateTime=0x1d826c6, ftLastWriteTime.dwLowDateTime=0x39057a30, ftLastWriteTime.dwHighDateTime=0x1d826c6, nFileSizeHigh=0x0, nFileSizeLow=0x86b8)) returned 1 [0277.905] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\x8AKx9IC.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\x8akx9ic.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b55e300, ftCreationTime.dwHighDateTime=0x1d819df, ftLastAccessTime.dwLowDateTime=0x9f180a0, ftLastAccessTime.dwHighDateTime=0x1d824cc, ftLastWriteTime.dwLowDateTime=0x9f180a0, ftLastWriteTime.dwHighDateTime=0x1d824cc, nFileSizeHigh=0x0, nFileSizeLow=0x179f2)) returned 1 [0277.905] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ywbUJcs-.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ywbujcs-.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1165b80, ftCreationTime.dwHighDateTime=0x1d81b93, ftLastAccessTime.dwLowDateTime=0xf54b6fc0, ftLastAccessTime.dwHighDateTime=0x1d81e23, ftLastWriteTime.dwLowDateTime=0xf54b6fc0, ftLastWriteTime.dwHighDateTime=0x1d81e23, nFileSizeHigh=0x0, nFileSizeLow=0x1169d)) returned 1 [0277.905] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data" (normalized: "c:\\users\\rdhj0cnfevzx\\application data"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0277.905] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data" (normalized: "c:\\users\\rdhj0cnfevzx\\application data"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a4 [0277.905] GetFileInformationByHandle (in: hFile=0x1a4, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0277.905] GetFileInformationByHandleEx (in: hFile=0x1a4, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0277.905] CloseHandle (hObject=0x1a4) returned 1 [0277.906] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0277.906] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0277.906] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0277.906] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0277.906] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0277.906] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0277.906] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0277.906] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0277.907] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0277.907] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0277.908] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0277.908] WriteFile (in: hFile=0x1a4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0277.909] CloseHandle (hObject=0x1a4) returned 1 [0277.909] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c)) returned 1 [0277.909] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data" (normalized: "c:\\users\\rdhj0cnfevzx\\application data"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0277.909] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0277.910] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0277.910] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0277.910] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c)) returned 1 [0277.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eae0 | out: pbBuffer=0x1280eae0) returned 1 [0277.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128117c8 | out: pbBuffer=0x128117c8) returned 1 [0277.911] ReadFile (in: hFile=0x1a4, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12853d1c*=0x19c, lpOverlapped=0x0) returned 1 [0277.912] GetFileType (hFile=0x1a4) returned 0x1 [0277.912] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.912] WriteFile (in: hFile=0x1a4, lpBuffer=0x12c37380*, nNumberOfBytesToWrite=0x19c, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12c37380*, lpNumberOfBytesWritten=0x12853d00*=0x19c, lpOverlapped=0x12853d0c) returned 1 [0277.912] GetFileType (hFile=0x1a4) returned 0x1 [0277.912] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x19c, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0277.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0277.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0277.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0277.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811880 | out: pbBuffer=0x12811880) returned 1 [0277.913] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.913] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0277.913] WriteFile (in: hFile=0x42c, lpBuffer=0x12dc6a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.195] SetEvent (hEvent=0x110) returned 1 [0278.195] CloseHandle (hObject=0x42c) returned 1 [0278.195] CloseHandle (hObject=0x1a4) returned 1 [0278.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102c0 | out: pbBuffer=0x128102c0) returned 1 [0278.201] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\#_THIS_FILE_IS_ENCRYPTED_[8DE28122ACD149B6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\#_this_file_is_encrypted_[8de28122acd149b6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.210] SetEvent (hEvent=0x19c) returned 1 [0278.210] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\eqpPz5d.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eqppz5d.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0278.211] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.211] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\eqpPz5d.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eqppz5d.gif"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x666a92d0, ftCreationTime.dwHighDateTime=0x1d8218f, ftLastAccessTime.dwLowDateTime=0x181e4610, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0x181e4610, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0x5f98)) returned 1 [0278.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6e0 | out: pbBuffer=0x1280e6e0) returned 1 [0278.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810308 | out: pbBuffer=0x12810308) returned 1 [0278.211] ReadFile (in: hFile=0x1a4, lpBuffer=0x12a0c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a0c000*, lpNumberOfBytesRead=0x12853d1c*=0x5f98, lpOverlapped=0x0) returned 1 [0278.212] GetFileType (hFile=0x1a4) returned 0x1 [0278.212] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.212] WriteFile (in: hFile=0x1a4, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x5f98, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x12853d00*=0x5f98, lpOverlapped=0x12853d0c) returned 1 [0278.213] GetFileType (hFile=0x1a4) returned 0x1 [0278.213] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x5f98, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0278.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0278.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0278.213] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128103c0 | out: pbBuffer=0x128103c0) returned 1 [0278.213] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\eqpPz5d.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eqppz5d.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.213] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.213] WriteFile (in: hFile=0x42c, lpBuffer=0x12dc6f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.214] CloseHandle (hObject=0x42c) returned 1 [0278.219] CloseHandle (hObject=0x1a4) returned 1 [0278.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103d8 | out: pbBuffer=0x128103d8) returned 1 [0278.231] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\eqpPz5d.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\eqppz5d.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[CCF0A53BCD6B5B71]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[ccf0a53bcd6b5b71]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.536] SetEvent (hEvent=0x110) returned 1 [0278.536] SetEvent (hEvent=0x19c) returned 1 [0278.536] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\uF2rHEH2XRc.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\uf2rheh2xrc.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0278.538] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.538] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\uF2rHEH2XRc.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\uf2rheh2xrc.wav"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x949c6c60, ftCreationTime.dwHighDateTime=0x1d8258f, ftLastAccessTime.dwLowDateTime=0x48c5e190, ftLastAccessTime.dwHighDateTime=0x1d8288c, ftLastWriteTime.dwLowDateTime=0x48c5e190, ftLastWriteTime.dwHighDateTime=0x1d8288c, nFileSizeHigh=0x0, nFileSizeLow=0x17f1d)) returned 1 [0278.538] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928760 | out: pbBuffer=0x12928760) returned 1 [0278.538] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848c88 | out: pbBuffer=0x12848c88) returned 1 [0278.539] ReadFile (in: hFile=0x1a4, lpBuffer=0x1298c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x1298c000*, lpNumberOfBytesRead=0x12853d1c*=0x17f1d, lpOverlapped=0x0) returned 1 [0278.545] GetFileType (hFile=0x1a4) returned 0x1 [0278.545] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.545] WriteFile (in: hFile=0x1a4, lpBuffer=0x129cc000*, nNumberOfBytesToWrite=0x17f1d, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x129cc000*, lpNumberOfBytesWritten=0x12853d00*=0x17f1d, lpOverlapped=0x12853d0c) returned 1 [0278.546] GetFileType (hFile=0x1a4) returned 0x1 [0278.546] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x17f1d, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b781 | out: pbBuffer=0x1286b781) returned 1 [0278.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b881 | out: pbBuffer=0x1286b881) returned 1 [0278.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b981 | out: pbBuffer=0x1286b981) returned 1 [0278.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848d40 | out: pbBuffer=0x12848d40) returned 1 [0278.548] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\uF2rHEH2XRc.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\uf2rheh2xrc.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.548] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.548] WriteFile (in: hFile=0x42c, lpBuffer=0x12bdf400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12bdf400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.549] CloseHandle (hObject=0x42c) returned 1 [0278.557] CloseHandle (hObject=0x1a4) returned 1 [0278.564] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d58 | out: pbBuffer=0x12848d58) returned 1 [0278.564] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\uF2rHEH2XRc.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\uf2rheh2xrc.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\#_THIS_FILE_IS_ENCRYPTED_[BE56A0D57E127116]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\#_this_file_is_encrypted_[be56a0d57e127116]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.640] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\E sqm5OszcoziTDY.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e sqm5oszcozitdy.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf82166f0, ftCreationTime.dwHighDateTime=0x1d825d5, ftLastAccessTime.dwLowDateTime=0xa0a327c0, ftLastAccessTime.dwHighDateTime=0x1d82700, ftLastWriteTime.dwLowDateTime=0xa0a327c0, ftLastWriteTime.dwHighDateTime=0x1d82700, nFileSizeHigh=0x0, nFileSizeLow=0xc066)) returned 1 [0278.640] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\FObnuAwtmJC9McsJ_-Z.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\fobnuawtmjc9mcsj_-z.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8dca7a20, ftCreationTime.dwHighDateTime=0x1d82027, ftLastAccessTime.dwLowDateTime=0xb179bfb0, ftLastAccessTime.dwHighDateTime=0x1d825c9, ftLastWriteTime.dwLowDateTime=0xb179bfb0, ftLastWriteTime.dwHighDateTime=0x1d825c9, nFileSizeHigh=0x0, nFileSizeLow=0x18cbc)) returned 1 [0278.641] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\E sqm5OszcoziTDY.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e sqm5oszcozitdy.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0278.642] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.642] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\E sqm5OszcoziTDY.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e sqm5oszcozitdy.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf82166f0, ftCreationTime.dwHighDateTime=0x1d825d5, ftLastAccessTime.dwLowDateTime=0xa0a327c0, ftLastAccessTime.dwHighDateTime=0x1d82700, ftLastWriteTime.dwLowDateTime=0xa0a327c0, ftLastWriteTime.dwHighDateTime=0x1d82700, nFileSizeHigh=0x0, nFileSizeLow=0xc066)) returned 1 [0278.642] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99e60 | out: pbBuffer=0x12a99e60) returned 1 [0278.643] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ad10 | out: pbBuffer=0x12a9ad10) returned 1 [0278.643] ReadFile (in: hFile=0x1a4, lpBuffer=0x12e40000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12e40000*, lpNumberOfBytesRead=0x12853d1c*=0xc066, lpOverlapped=0x0) returned 1 [0278.645] GetFileType (hFile=0x1a4) returned 0x1 [0278.645] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.645] WriteFile (in: hFile=0x1a4, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0xc066, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12853d00*=0xc066, lpOverlapped=0x12853d0c) returned 1 [0278.646] GetFileType (hFile=0x1a4) returned 0x1 [0278.646] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xc066, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0278.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0278.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0278.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9adc8 | out: pbBuffer=0x12a9adc8) returned 1 [0278.647] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\E sqm5OszcoziTDY.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e sqm5oszcozitdy.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.647] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.647] WriteFile (in: hFile=0x42c, lpBuffer=0x12e72a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12e72a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.647] CloseHandle (hObject=0x42c) returned 1 [0278.656] CloseHandle (hObject=0x1a4) returned 1 [0278.660] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae20 | out: pbBuffer=0x12a9ae20) returned 1 [0278.660] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\E sqm5OszcoziTDY.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e sqm5oszcozitdy.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[85A8CC08E2106E08]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[85a8cc08e2106e08]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.780] SetEvent (hEvent=0xf4) returned 1 [0278.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Ptd_CEMx.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ptd_cemx.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0278.781] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.782] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Ptd_CEMx.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ptd_cemx.png"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc108da10, ftCreationTime.dwHighDateTime=0x1d81bab, ftLastAccessTime.dwLowDateTime=0x8ab3dfa0, ftLastAccessTime.dwHighDateTime=0x1d8242a, ftLastWriteTime.dwLowDateTime=0x8ab3dfa0, ftLastWriteTime.dwHighDateTime=0x1d8242a, nFileSizeHigh=0x0, nFileSizeLow=0xe623)) returned 1 [0278.782] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e9a0 | out: pbBuffer=0x1280e9a0) returned 1 [0278.782] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b1a8 | out: pbBuffer=0x12a9b1a8) returned 1 [0278.782] ReadFile (in: hFile=0x1a4, lpBuffer=0x12cbe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cbe000*, lpNumberOfBytesRead=0x12853d1c*=0xe623, lpOverlapped=0x0) returned 1 [0278.784] GetFileType (hFile=0x1a4) returned 0x1 [0278.784] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.785] WriteFile (in: hFile=0x1a4, lpBuffer=0x12cde000*, nNumberOfBytesToWrite=0xe623, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12cde000*, lpNumberOfBytesWritten=0x12853d00*=0xe623, lpOverlapped=0x12853d0c) returned 1 [0278.785] GetFileType (hFile=0x1a4) returned 0x1 [0278.785] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xe623, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b01 | out: pbBuffer=0x12801b01) returned 1 [0278.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801c01 | out: pbBuffer=0x12801c01) returned 1 [0278.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801d01 | out: pbBuffer=0x12801d01) returned 1 [0278.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b260 | out: pbBuffer=0x12a9b260) returned 1 [0278.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Ptd_CEMx.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ptd_cemx.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.786] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.787] WriteFile (in: hFile=0x42c, lpBuffer=0x128e4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x128e4000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.787] CloseHandle (hObject=0x42c) returned 1 [0278.789] CloseHandle (hObject=0x1a4) returned 1 [0278.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b278 | out: pbBuffer=0x12a9b278) returned 1 [0278.795] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Ptd_CEMx.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ptd_cemx.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[25810DCDE44012F1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[25810dcde44012f1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0278.890] SetEvent (hEvent=0x19c) returned 1 [0278.890] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\We0X6gEqRDhiUH6OA.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\we0x6geqrdhiuh6oa.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0278.891] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.892] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\We0X6gEqRDhiUH6OA.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\we0x6geqrdhiuh6oa.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62222ed0, ftCreationTime.dwHighDateTime=0x1d81c6d, ftLastAccessTime.dwLowDateTime=0xc42d3520, ftLastAccessTime.dwHighDateTime=0x1d821f9, ftLastWriteTime.dwLowDateTime=0xc42d3520, ftLastWriteTime.dwHighDateTime=0x1d821f9, nFileSizeHigh=0x0, nFileSizeLow=0x17f86)) returned 1 [0278.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e460 | out: pbBuffer=0x1280e460) returned 1 [0278.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34160 | out: pbBuffer=0x12c34160) returned 1 [0278.892] ReadFile (in: hFile=0x1a4, lpBuffer=0x12e3a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12e3a000*, lpNumberOfBytesRead=0x12853d1c*=0x17f86, lpOverlapped=0x0) returned 1 [0278.894] GetFileType (hFile=0x1a4) returned 0x1 [0278.894] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.894] WriteFile (in: hFile=0x1a4, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x17f86, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12853d00*=0x17f86, lpOverlapped=0x12853d0c) returned 1 [0278.895] GetFileType (hFile=0x1a4) returned 0x1 [0278.895] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x17f86, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0278.895] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0278.895] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0278.895] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0278.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34218 | out: pbBuffer=0x12c34218) returned 1 [0278.896] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\We0X6gEqRDhiUH6OA.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\we0x6geqrdhiuh6oa.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0278.896] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0278.896] WriteFile (in: hFile=0x42c, lpBuffer=0x128e4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x128e4500*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0278.896] CloseHandle (hObject=0x42c) returned 1 [0278.899] CloseHandle (hObject=0x1a4) returned 1 [0278.906] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34230 | out: pbBuffer=0x12c34230) returned 1 [0278.906] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\We0X6gEqRDhiUH6OA.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\we0x6geqrdhiuh6oa.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[6DFE8C54BF2C91A1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[6dfe8c54bf2c91a1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0279.182] SetEvent (hEvent=0x19c) returned 1 [0279.182] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z_rpRFXyhj7uRUyh_aBs.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z_rprfxyhj7uruyh_abs.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0279.183] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0279.183] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z_rpRFXyhj7uRUyh_aBs.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z_rprfxyhj7uruyh_abs.docx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb682a30, ftCreationTime.dwHighDateTime=0x1d81aaf, ftLastAccessTime.dwLowDateTime=0x8d4e5d30, ftLastAccessTime.dwHighDateTime=0x1d81d72, ftLastWriteTime.dwLowDateTime=0x8d4e5d30, ftLastWriteTime.dwHighDateTime=0x1d81d72, nFileSizeHigh=0x0, nFileSizeLow=0x73e9)) returned 1 [0279.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ed80 | out: pbBuffer=0x1280ed80) returned 1 [0279.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c345c0 | out: pbBuffer=0x12c345c0) returned 1 [0279.183] ReadFile (in: hFile=0x1a4, lpBuffer=0x12c04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c04000*, lpNumberOfBytesRead=0x12853d1c*=0x73e9, lpOverlapped=0x0) returned 1 [0279.185] GetFileType (hFile=0x1a4) returned 0x1 [0279.185] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0279.186] WriteFile (in: hFile=0x1a4, lpBuffer=0x12bbe000*, nNumberOfBytesToWrite=0x73e9, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12bbe000*, lpNumberOfBytesWritten=0x12853d00*=0x73e9, lpOverlapped=0x12853d0c) returned 1 [0279.186] GetFileType (hFile=0x1a4) returned 0x1 [0279.186] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x73e9, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0279.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd681 | out: pbBuffer=0x12afd681) returned 1 [0279.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd781 | out: pbBuffer=0x12afd781) returned 1 [0279.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd881 | out: pbBuffer=0x12afd881) returned 1 [0279.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34678 | out: pbBuffer=0x12c34678) returned 1 [0279.187] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z_rpRFXyhj7uRUyh_aBs.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z_rprfxyhj7uruyh_abs.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0279.187] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0279.188] WriteFile (in: hFile=0x42c, lpBuffer=0x12b0c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b0c000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0279.188] CloseHandle (hObject=0x42c) returned 1 [0279.192] CloseHandle (hObject=0x1a4) returned 1 [0279.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34690 | out: pbBuffer=0x12c34690) returned 1 [0279.196] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z_rpRFXyhj7uRUyh_aBs.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z_rprfxyhj7uruyh_abs.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\#_THIS_FILE_IS_ENCRYPTED_[9DBCCEADF5DDEAFE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\#_this_file_is_encrypted_[9dbcceadf5ddeafe]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0280.156] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ed3OEBOHI5YM1zXSFg m.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ed3oebohi5ym1zxsfg m.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0280.156] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0280.156] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ed3OEBOHI5YM1zXSFg m.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ed3oebohi5ym1zxsfg m.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89ddbc50, ftCreationTime.dwHighDateTime=0x1d81b55, ftLastAccessTime.dwLowDateTime=0x156723e0, ftLastAccessTime.dwHighDateTime=0x1d82990, ftLastWriteTime.dwLowDateTime=0x156723e0, ftLastWriteTime.dwHighDateTime=0x1d82990, nFileSizeHigh=0x0, nFileSizeLow=0x36af)) returned 1 [0280.157] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99420 | out: pbBuffer=0x12a99420) returned 1 [0280.157] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9adb0 | out: pbBuffer=0x12a9adb0) returned 1 [0280.157] ReadFile (in: hFile=0x45c, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12853d1c*=0x36af, lpOverlapped=0x0) returned 1 [0280.159] GetFileType (hFile=0x45c) returned 0x1 [0280.159] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.159] WriteFile (in: hFile=0x45c, lpBuffer=0x12a16000*, nNumberOfBytesToWrite=0x36af, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a16000*, lpNumberOfBytesWritten=0x12853d00*=0x36af, lpOverlapped=0x12853d0c) returned 1 [0280.159] GetFileType (hFile=0x45c) returned 0x1 [0280.159] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x36af, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0280.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0280.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0280.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0280.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ae68 | out: pbBuffer=0x12a9ae68) returned 1 [0280.170] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ed3OEBOHI5YM1zXSFg m.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ed3oebohi5ym1zxsfg m.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0280.171] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0280.171] WriteFile (in: hFile=0x1a4, lpBuffer=0x1291e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x1291e000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0280.171] CloseHandle (hObject=0x1a4) returned 1 [0280.174] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0280.355] CloseHandle (hObject=0x45c) returned 1 [0280.356] SwitchToThread () returned 1 [0280.395] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0280.698] SetEvent (hEvent=0x104) returned 1 [0280.698] SetEvent (hEvent=0x1b8) returned 1 [0280.698] SetEvent (hEvent=0x1d0) returned 1 [0280.698] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0282.207] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\uDGO5JU.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\udgo5ju.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0f7a80, ftCreationTime.dwHighDateTime=0x1d827df, ftLastAccessTime.dwLowDateTime=0x52660710, ftLastAccessTime.dwHighDateTime=0x1d828a6, ftLastWriteTime.dwLowDateTime=0x52660710, ftLastWriteTime.dwHighDateTime=0x1d828a6, nFileSizeHigh=0x0, nFileSizeLow=0xd3ae)) returned 1 [0282.663] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0282.758] SwitchToThread () returned 1 [0283.077] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0283.705] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iFdAmmAFYX4CdXqN.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ifdammafyx4cdxqn.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0283.706] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0283.706] WriteFile (in: hFile=0x460, lpBuffer=0x12b0d900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b0d900*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0283.706] CloseHandle (hObject=0x460) returned 1 [0283.787] CloseHandle (hObject=0x1a4) returned 1 [0283.813] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0283.941] SetEvent (hEvent=0x1d0) returned 1 [0283.941] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914f90 | out: pbBuffer=0x12914f90) returned 1 [0283.941] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914f98 | out: pbBuffer=0x12914f98) returned 1 [0283.941] ReadFile (in: hFile=0x45c, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x12855d1c*=0x16318, lpOverlapped=0x0) returned 1 [0283.944] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0289.325] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0289.328] SetEvent (hEvent=0x420) returned 1 [0289.328] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0xffffffff) returned 0x0 [0289.334] SetEvent (hEvent=0x420) returned 1 [0289.334] SetEvent (hEvent=0x104) returned 1 [0289.642] GetAddrInfoW (in: pNodeName="api.telegram.org", pServiceName=0x0, pHints=0x12821f94*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x12821f50 | out: ppResult=0x12821f50*=0x336657d0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x3366df70*(sa_family=2, sin_port=0x0, sin_addr="149.154.167.220"), ai_next=0x0)) returned 0 [0289.733] FreeAddrInfoW (pAddrInfo=0x336657d0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x3366df70*(sa_family=2, sin_port=0x0, sin_addr="149.154.167.220"), ai_next=0x0)) [0289.733] SetEvent (hEvent=0x1d0) returned 1 [0289.853] WSASocketW (af=2, type=1, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x81) returned 0x1a4 [0289.853] setsockopt (s=0x1a4, level=65535, optname=32, optval="\x01", optlen=4) returned -1 [0289.872] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x1a8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a8 [0289.872] SetFileCompletionNotificationModes (FileHandle=0x1a4, Flags=0x3) returned 1 [0289.883] SetEvent (hEvent=0x104) returned 1 [0289.883] bind (s=0x1a4, addr=0x12ac6248*(sa_family=2, sin_port=0x0, sin_addr="0.0.0.0"), namelen=16) returned 0 [0289.884] ConnectEx (in: s=0x1a4, name=0x12ac6228*(sa_family=2, sin_port=0x1bb, sin_addr="149.154.167.220"), namelen=16, lpSendBuffer=0x0, dwSendDataLength=0x0, lpdwBytesSent=0x0, lpOverlapped=0x12c2e088 | out: lpdwBytesSent=0x0) returned 0 [0289.886] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x7170) returned 0x0 [0292.746] WaitForSingleObject (hHandle=0x3f4, dwMilliseconds=0x26e9) returned 0x102 [0302.718] SetEvent (hEvent=0x110) returned 1 [0302.749] SetEvent (hEvent=0x104) returned 1 [0304.793] WSASend (in: s=0x1a4, lpBuffers=0x12c2e0b4*=((len=0x1cc, buf=0x12a48200*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x12c2e0a8, dwFlags=0x0, lpOverlapped=0x12c2e088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x12c2e0a8*=0x1cc, lpOverlapped=0x12c2e088) returned 0 [0304.920] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6facc, ulCount=0x10, ulNumEntriesRemoved=0x33a6fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33a6facc, ulNumEntriesRemoved=0x33a6fab0) returned 0 [0304.920] GetQueuedCompletionStatusEx (CompletionPort=0x1a8, lpCompletionPortEntries=0x33a6facc, ulCount=0x10, ulNumEntriesRemoved=0x33a6fab0, dwMilliseconds=0xffffffff, fAlertable=0) Thread: id = 12 os_tid = 0x1e0 [0130.944] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x33c2ff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x33c2ff30*=0x3d8) returned 1 [0130.944] VirtualQuery (in: lpAddress=0x33c2ff40, lpBuffer=0x33c2ff40, dwLength=0x1c | out: lpBuffer=0x33c2ff40*(BaseAddress=0x33c2f000, AllocationBase=0x33b30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0130.945] SetEvent (hEvent=0x10c) returned 1 [0130.945] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.945] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui\\*", lpFindFileData=0x12a95a44 | out: lpFindFileData=0x12a95a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.945] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.945] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0130.945] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3f8 [0130.945] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0130.953] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0130.975] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0130.979] SetEvent (hEvent=0x1d0) returned 1 [0130.979] SetEvent (hEvent=0x1b8) returned 1 [0130.979] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0131.106] SetEvent (hEvent=0x1d0) returned 1 [0131.106] SetEvent (hEvent=0x3f4) returned 1 [0131.108] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0131.151] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0131.175] SetEvent (hEvent=0x3f4) returned 1 [0131.175] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.175] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.175] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.176] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.176] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0131.601] SetEvent (hEvent=0x3f4) returned 1 [0131.601] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.601] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.602] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.602] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\memtest.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.602] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0131.705] SetEvent (hEvent=0x3f4) returned 1 [0131.705] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.705] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.705] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.705] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.706] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0131.876] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.877] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.878] CreateFileW (lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0131.878] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0131.878] ReadFile (in: hFile=0x410, lpBuffer=0x12858000, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x12821ef4, lpOverlapped=0x0 | out: lpBuffer=0x12858000, lpNumberOfBytesRead=0x12821ef4*=0x0, lpOverlapped=0x0) returned 0 [0156.304] CloseHandle (hObject=0x410) returned 1 [0156.861] SetEvent (hEvent=0xfc) returned 1 [0157.088] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0163.079] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\s321033.hash"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\#_THIS_FILE_IS_ENCRYPTED_[01759C4BB0F2879D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\#_this_file_is_encrypted_[01759c4bb0f2879d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0163.101] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829a90 | out: lpFileInformation=0x12829a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce)) returned 1 [0163.180] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), fInfoLevelId=0x0, lpFileInformation=0x12829b58 | out: lpFileInformation=0x12829b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d04153d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d04153d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d04153d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7b6)) returned 1 [0163.298] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), fInfoLevelId=0x0, lpFileInformation=0x12829b58 | out: lpFileInformation=0x12829b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c5095b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x566)) returned 1 [0163.394] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata"), fInfoLevelId=0x0, lpFileInformation=0x12829b58 | out: lpFileInformation=0x12829b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0163.394] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0163.395] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*", lpFindFileData=0x12829a30 | out: lpFindFileData=0x12829a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0163.425] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829a74 | out: lpFindFileData=0x12829a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0163.425] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829a74 | out: lpFindFileData=0x12829a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Catalog", cAlternateFileName="")) returned 1 [0163.425] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829a74 | out: lpFindFileData=0x12829a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0163.425] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12829a74 | out: lpFindFileData=0x12829a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0163.425] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0163.571] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0163.572] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0163.572] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), fInfoLevelId=0x0, lpFileInformation=0x12921ad0 | out: lpFileInformation=0x12921ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c5095b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x566)) returned 1 [0163.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a32aa0 | out: pbBuffer=0x12a32aa0) returned 1 [0163.582] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128495b8 | out: pbBuffer=0x128495b8) returned 1 [0163.582] VirtualAlloc (lpAddress=0x12c6e000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c6e000 [0163.583] VirtualAlloc (lpAddress=0x12c8e000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12c8e000 [0163.593] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0163.673] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0163.771] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0163.771] SetEvent (hEvent=0x110) returned 1 [0163.771] SetEvent (hEvent=0xfc) returned 1 [0163.782] ReadFile (in: hFile=0x19c, lpBuffer=0x12c6e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12921d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c6e000*, lpNumberOfBytesRead=0x12921d1c*=0x566, lpOverlapped=0x0) returned 1 [0164.082] GetFileType (hFile=0x19c) returned 0x1 [0164.082] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.083] WriteFile (in: hFile=0x19c, lpBuffer=0x12c64b00*, nNumberOfBytesToWrite=0x566, lpNumberOfBytesWritten=0x12921d00, lpOverlapped=0x12921d0c | out: lpBuffer=0x12c64b00*, lpNumberOfBytesWritten=0x12921d00*=0x566, lpOverlapped=0x12921d0c) returned 1 [0164.083] GetFileType (hFile=0x19c) returned 0x1 [0164.083] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x566, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.083] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0164.084] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x127e0000 [0164.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0164.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0164.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914680 | out: pbBuffer=0x12914680) returned 1 [0164.085] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0164.086] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0164.086] WriteFile (in: hFile=0x41c, lpBuffer=0x12bad400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12921d0c, lpOverlapped=0x0 | out: lpBuffer=0x12bad400*, lpNumberOfBytesWritten=0x12921d0c*=0x276, lpOverlapped=0x0) returned 1 [0164.086] CloseHandle (hObject=0x41c) returned 1 [0164.091] CloseHandle (hObject=0x19c) returned 1 [0164.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914698 | out: pbBuffer=0x12914698) returned 1 [0164.092] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\#_THIS_FILE_IS_ENCRYPTED_[D9D2359E62300C39]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\#_this_file_is_encrypted_[d9d2359e62300c39]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0164.094] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0164.346] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0164.346] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0164.346] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb33ac2, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1cb33ac2, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1cb9ca40, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4b480e)) returned 1 [0164.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0164.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0164.347] ReadFile (in: hFile=0x1a0, lpBuffer=0x12bb0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bb0000*, lpNumberOfBytesRead=0x12a67d1c*=0x20000, lpOverlapped=0x0) returned 1 [0164.468] GetFileType (hFile=0x1a0) returned 0x1 [0164.469] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.469] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b5e000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12b5e000*, lpNumberOfBytesWritten=0x12a67d00*=0x20000, lpOverlapped=0x12a67d0c) returned 1 [0164.469] GetFileType (hFile=0x1a0) returned 0x1 [0164.472] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0164.472] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835001 | out: pbBuffer=0x12835001) returned 1 [0164.472] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835101 | out: pbBuffer=0x12835101) returned 1 [0164.472] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835201 | out: pbBuffer=0x12835201) returned 1 [0164.473] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a3c0 | out: pbBuffer=0x12a9a3c0) returned 1 [0164.473] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0164.473] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0164.473] WriteFile (in: hFile=0x424, lpBuffer=0x12baca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12baca00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0164.539] CloseHandle (hObject=0x424) returned 1 [0165.507] CloseHandle (hObject=0x1a0) returned 1 [0165.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a3e0 | out: pbBuffer=0x12a9a3e0) returned 1 [0165.990] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\#_THIS_FILE_IS_ENCRYPTED_[8D72243EA94108A8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\#_this_file_is_encrypted_[8d72243ea94108a8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0165.991] SwitchToThread () returned 1 [0166.041] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0166.127] SetEvent (hEvent=0x1b8) returned 1 [0166.127] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0166.127] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0166.127] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ae9ce0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x50ae9ce0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa11790db, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x44e23)) returned 1 [0166.128] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844c60 | out: pbBuffer=0x12844c60) returned 1 [0166.128] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a428 | out: pbBuffer=0x12a9a428) returned 1 [0166.129] ReadFile (in: hFile=0x408, lpBuffer=0x129a0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a0000*, lpNumberOfBytesRead=0x12927d1c*=0x20000, lpOverlapped=0x0) returned 1 [0166.218] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0166.302] VirtualAlloc (lpAddress=0x12d0e000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12d0e000 [0166.303] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0166.460] SwitchToThread () returned 1 [0166.503] SetEvent (hEvent=0x1b8) returned 1 [0166.507] GetFileType (hFile=0x408) returned 0x1 [0166.508] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0166.508] WriteFile (in: hFile=0x408, lpBuffer=0x12d0e000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12d0e000*, lpNumberOfBytesWritten=0x12927d00*=0x20000, lpOverlapped=0x12927d0c) returned 1 [0166.509] GetFileType (hFile=0x408) returned 0x1 [0166.509] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0166.617] GetFileType (hFile=0x1a0) returned 0x1 [0166.617] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a85ce4 | out: lpNewFilePointer=0x0) returned 1 [0166.617] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c14000*, nNumberOfBytesToWrite=0x410e, lpNumberOfBytesWritten=0x12a85d00, lpOverlapped=0x12a85d0c | out: lpBuffer=0x12c14000*, lpNumberOfBytesWritten=0x12a85d00*=0x410e, lpOverlapped=0x12a85d0c) returned 1 [0166.617] GetFileType (hFile=0x1a0) returned 0x1 [0166.618] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x410e, lpNewFilePointer=0x0, dwMoveMethod=0x12a85ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.024] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0167.099] SetEvent (hEvent=0x10c) returned 1 [0167.099] SetEvent (hEvent=0x1b8) returned 1 [0167.099] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0167.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0167.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0167.393] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a030 | out: pbBuffer=0x12a9a030) returned 1 [0167.474] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0167.474] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0167.474] WriteFile (in: hFile=0x41c, lpBuffer=0x12b4c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b4c000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0167.474] CloseHandle (hObject=0x41c) returned 1 [0167.486] CloseHandle (hObject=0x424) returned 1 [0167.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a048 | out: pbBuffer=0x12a9a048) returned 1 [0167.487] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[67F20CDA06872285]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[67f20cda06872285]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0167.489] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64441c43, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x15dd6)) returned 1 [0167.530] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d56dc4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d56dc4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x645f4b7c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5ee)) returned 1 [0167.646] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0167.674] SetEvent (hEvent=0x1d0) returned 1 [0167.674] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4f8c1, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4f8c1, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x645ce8f3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x8fa)) returned 1 [0167.692] SetEvent (hEvent=0x1b8) returned 1 [0167.692] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d6ced4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d6ced4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64629b0d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x176c8)) returned 1 [0167.765] SetEvent (hEvent=0x420) returned 1 [0167.765] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d47160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d47160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65ec8648, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x16c9a)) returned 1 [0167.797] SetEvent (hEvent=0x10c) returned 1 [0167.797] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cc820c, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82cc820c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6452e5d6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xadce8)) returned 1 [0167.831] SetEvent (hEvent=0x110) returned 1 [0167.831] SetEvent (hEvent=0x1b8) returned 1 [0167.831] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bf5a6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82bf5a6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64811bd3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x19170)) returned 1 [0168.020] SetEvent (hEvent=0xfc) returned 1 [0168.020] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65d08901, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x636e)) returned 1 [0168.177] SetEvent (hEvent=0xfc) returned 1 [0168.177] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65b23f2e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6)) returned 1 [0168.222] SetEvent (hEvent=0x10c) returned 1 [0168.222] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65b78136, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6)) returned 1 [0168.246] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0168.257] SetEvent (hEvent=0x1d0) returned 1 [0168.257] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x646e8b6c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x12d6e)) returned 1 [0168.314] SetEvent (hEvent=0x420) returned 1 [0168.314] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a0dba7, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82a0dba7, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64ca2e69, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x15286)) returned 1 [0168.353] SetEvent (hEvent=0xfc) returned 1 [0168.353] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8436b436, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8436b436, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65211dfd, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xe048)) returned 1 [0168.549] SetEvent (hEvent=0x10c) returned 1 [0168.549] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x654c802f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa)) returned 1 [0168.593] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0168.604] SetEvent (hEvent=0x1d0) returned 1 [0168.604] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83460030, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83460030, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x653fa2bf, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2656)) returned 1 [0168.620] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0168.640] SetEvent (hEvent=0x1d0) returned 1 [0168.640] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65565d76, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x88d0)) returned 1 [0168.814] SetEvent (hEvent=0x19c) returned 1 [0168.814] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6553a708, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x17f6)) returned 1 [0168.841] SetEvent (hEvent=0x10c) returned 1 [0168.841] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8303f160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8303f160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6556f8c0, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5b20)) returned 1 [0168.930] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0168.941] SetEvent (hEvent=0xfc) returned 1 [0168.941] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64mui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fcc6db, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82fcc6db, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x656085a0, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x55c2)) returned 1 [0168.969] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0169.000] SetEvent (hEvent=0xfc) returned 1 [0169.000] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64muiset.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f706a3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82f706a3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65595fb2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa)) returned 1 [0169.100] SetEvent (hEvent=0x110) returned 1 [0169.100] SetEvent (hEvent=0x19c) returned 1 [0169.100] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64ww.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e76fbe, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82e76fbe, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x650f791d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x414c2)) returned 1 [0169.188] SetEvent (hEvent=0x10c) returned 1 [0169.188] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d85586, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d85586, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6598f087, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1a182)) returned 1 [0169.225] SetEvent (hEvent=0x1b8) returned 1 [0169.226] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d73041, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d73041, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x657cb5e1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa)) returned 1 [0169.261] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0169.276] SetEvent (hEvent=0xfc) returned 1 [0169.276] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d5e483, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d5e483, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6577f134, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4a1a)) returned 1 [0169.319] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0169.332] SetEvent (hEvent=0xfc) returned 1 [0169.332] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d54840, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d54840, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x656d7217, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2b14)) returned 1 [0169.351] SetEvent (hEvent=0x10c) returned 1 [0169.351] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4d28a, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4d28a, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6593d93a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2698)) returned 1 [0169.398] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d39ab3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d39ab3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65a5d95d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x178c4)) returned 1 [0169.504] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0169.519] SetEvent (hEvent=0x1b8) returned 1 [0169.520] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6584ce48, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x684e)) returned 1 [0169.542] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0169.554] SetEvent (hEvent=0x1b8) returned 1 [0169.554] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65aa9e3b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa)) returned 1 [0169.582] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0169.598] SetEvent (hEvent=0x1b8) returned 1 [0169.598] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b2cf46, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b2cf46, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65acff84, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3708)) returned 1 [0169.678] SetEvent (hEvent=0x1d0) returned 1 [0169.678] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82adb9f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82adb9f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6469c575, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xaac34)) returned 1 [0169.709] SetEvent (hEvent=0x420) returned 1 [0169.709] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8297548b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8297548b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6608ac43, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1301e)) returned 1 [0169.828] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0169.841] SetEvent (hEvent=0x1b8) returned 1 [0169.841] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb55735, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4eb55735, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcf4)) returned 1 [0169.876] SetEvent (hEvent=0x10c) returned 1 [0169.876] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e727d9e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4e727d9e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4e727d9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcb2)) returned 1 [0170.180] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0170.194] SetEvent (hEvent=0x1d0) returned 1 [0170.195] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x828cdbb9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64e40818, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70)) returned 1 [0170.234] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0170.243] SetEvent (hEvent=0x40c) returned 1 [0170.243] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5088032e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5088032e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9a627e13, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1b826)) returned 1 [0170.385] SetEvent (hEvent=0x19c) returned 1 [0170.385] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502726de, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x502726de, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9ee0f0de, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd)) returned 1 [0170.423] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0170.439] SetEvent (hEvent=0x40c) returned 1 [0170.439] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto" (normalized: "c:\\programdata\\microsoft\\crypto"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.440] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto" (normalized: "c:\\programdata\\microsoft\\crypto"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.441] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0170.463] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.463] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DSS", cAlternateFileName="")) returned 1 [0170.464] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Keys", cAlternateFileName="")) returned 1 [0170.464] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PCPKSP", cAlternateFileName="")) returned 1 [0170.464] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0170.464] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 1 [0170.464] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.464] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0170.502] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.502] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.502] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0170.514] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0170.514] WriteFile (in: hFile=0x3c4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0170.515] CloseHandle (hObject=0x3c4) returned 1 [0170.516] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS" (normalized: "c:\\programdata\\microsoft\\crypto\\dss"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.516] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS" (normalized: "c:\\programdata\\microsoft\\crypto\\dss"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.516] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0170.516] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.516] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0170.516] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.517] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0170.517] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.517] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.517] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0170.517] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0170.517] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0170.519] CloseHandle (hObject=0x3c4) returned 1 [0170.519] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.519] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.519] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0170.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.520] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.520] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0170.520] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.520] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.520] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0170.544] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0170.544] WriteFile (in: hFile=0x41c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0170.545] CloseHandle (hObject=0x41c) returned 1 [0170.545] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\Keys" (normalized: "c:\\programdata\\microsoft\\crypto\\keys"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.546] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\Keys" (normalized: "c:\\programdata\\microsoft\\crypto\\keys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.546] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0170.546] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.546] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.546] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0170.546] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\Keys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.546] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\Keys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.547] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\Keys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0170.551] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0170.551] WriteFile (in: hFile=0x41c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0170.553] CloseHandle (hObject=0x41c) returned 1 [0170.553] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.555] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.556] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0170.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 1 [0170.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.556] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0170.557] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.557] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.557] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0170.577] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0170.577] WriteFile (in: hFile=0x408, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0170.578] CloseHandle (hObject=0x408) returned 1 [0170.579] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\windowsaik"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.579] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\windowsaik"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.579] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0170.579] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.579] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.579] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0170.579] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.580] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.580] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0170.580] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.580] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0170.580] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0170.580] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.580] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0170.581] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.581] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.581] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0170.581] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0170.581] WriteFile (in: hFile=0x408, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0170.582] CloseHandle (hObject=0x408) returned 1 [0170.583] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.583] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.583] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0170.583] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.583] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.583] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0170.584] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.584] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.584] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0170.584] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0170.585] WriteFile (in: hFile=0x408, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0170.586] CloseHandle (hObject=0x408) returned 1 [0170.586] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.587] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.587] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0170.587] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.587] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc70b72, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="4ECCD1~1")) returned 1 [0170.587] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.587] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0170.588] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.588] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.588] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0170.591] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0170.591] WriteFile (in: hFile=0x41c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0170.592] CloseHandle (hObject=0x41c) returned 1 [0170.592] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc70b72, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x38)) returned 1 [0170.595] SetEvent (hEvent=0x1d0) returned 1 [0170.595] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.595] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0170.595] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0170.595] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.595] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x0, dwReserved1=0x0, cFileName="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="1FD8A8~1")) returned 1 [0170.596] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.596] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0170.596] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.596] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0170.596] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0170.605] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0170.605] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b11300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12b11300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0170.606] CloseHandle (hObject=0x3c4) returned 1 [0170.607] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x61d)) returned 1 [0170.607] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0170.638] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0173.342] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0173.435] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0173.644] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.646] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.646] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0173.647] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.647] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9940c797, ftLastWriteTime.dwHighDateTime=0x1d75217, nFileSizeHigh=0x0, nFileSizeLow=0x6988, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0173.647] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="temp", cAlternateFileName="")) returned 1 [0173.647] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.647] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0173.647] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.647] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.648] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0173.772] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0173.897] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0173.897] WriteFile (in: hFile=0x428, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0173.899] CloseHandle (hObject=0x428) returned 1 [0173.901] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9940c797, ftLastWriteTime.dwHighDateTime=0x1d75217, nFileSizeHigh=0x0, nFileSizeLow=0x6988)) returned 1 [0173.902] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0173.902] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0174.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914868 | out: pbBuffer=0x12914868) returned 1 [0174.062] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0174.062] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0174.062] WriteFile (in: hFile=0x438, lpBuffer=0x12a6e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6e000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.062] CloseHandle (hObject=0x438) returned 1 [0174.065] CloseHandle (hObject=0x15c) returned 1 [0174.065] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914890 | out: pbBuffer=0x12914890) returned 1 [0174.083] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.static"), lpNewFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\#_THIS_FILE_IS_ENCRYPTED_[45DAE35AC80EF590]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\#_this_file_is_encrypted_[45dae35ac80ef590]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.085] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0174.085] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0174.085] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9940c797, ftLastWriteTime.dwHighDateTime=0x1d75217, nFileSizeHigh=0x0, nFileSizeLow=0x6988)) returned 1 [0174.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0174.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129148e8 | out: pbBuffer=0x129148e8) returned 1 [0174.086] ReadFile (in: hFile=0x15c, lpBuffer=0x12d48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d48000*, lpNumberOfBytesRead=0x12a67d1c*=0x6988, lpOverlapped=0x0) returned 1 [0174.088] GetFileType (hFile=0x15c) returned 0x1 [0174.088] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.088] WriteFile (in: hFile=0x15c, lpBuffer=0x12b74000*, nNumberOfBytesToWrite=0x6988, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12b74000*, lpNumberOfBytesWritten=0x12a67d00*=0x6988, lpOverlapped=0x12a67d0c) returned 1 [0174.089] GetFileType (hFile=0x15c) returned 0x1 [0174.089] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x6988, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0174.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0174.090] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0174.090] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914a30 | out: pbBuffer=0x12914a30) returned 1 [0174.090] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0174.090] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0174.090] WriteFile (in: hFile=0x438, lpBuffer=0x12a6e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a6e500*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.090] CloseHandle (hObject=0x438) returned 1 [0174.092] CloseHandle (hObject=0x15c) returned 1 [0174.092] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914a58 | out: pbBuffer=0x12914a58) returned 1 [0174.093] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), lpNewFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\#_THIS_FILE_IS_ENCRYPTED_[C16E72939346B7C2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\#_this_file_is_encrypted_[c16e72939346b7c2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.124] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\temp"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.125] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.125] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.125] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.125] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.125] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.125] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.125] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.126] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.126] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0174.126] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0174.127] CloseHandle (hObject=0x3c4) returned 1 [0174.128] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\MF" (normalized: "c:\\programdata\\microsoft\\mf"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.128] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF" (normalized: "c:\\programdata\\microsoft\\mf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.128] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\MF\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.128] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.128] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0174.128] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0174.128] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.128] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.129] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\MF\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\mf\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.129] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\mf\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.129] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\mf\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.129] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0174.129] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c37300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12c37300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0174.130] CloseHandle (hObject=0x3c4) returned 1 [0174.131] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c)) returned 1 [0174.131] SetEvent (hEvent=0x10c) returned 1 [0174.131] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c)) returned 1 [0174.131] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\MapData" (normalized: "c:\\programdata\\microsoft\\mapdata"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.132] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MapData" (normalized: "c:\\programdata\\microsoft\\mapdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.132] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\MapData\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0174.132] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.132] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.132] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0174.132] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\MapData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\mapdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.132] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MapData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\mapdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.132] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MapData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\mapdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.133] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0174.133] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c38600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12c38600*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0174.134] CloseHandle (hObject=0x3c4) returned 1 [0174.134] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\NetFramework" (normalized: "c:\\programdata\\microsoft\\netframework"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.135] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\NetFramework" (normalized: "c:\\programdata\\microsoft\\netframework"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.135] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0174.135] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.135] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0174.135] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.135] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0174.136] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\netframework\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.136] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\netframework\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.136] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\netframework\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.136] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0174.136] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c39900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12c39900*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0174.137] CloseHandle (hObject=0x3c4) returned 1 [0174.137] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.138] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.138] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0174.138] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.138] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.138] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0174.138] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.138] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.138] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.139] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0174.139] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c3ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12c3ac00*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0174.140] CloseHandle (hObject=0x3c4) returned 1 [0174.140] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network" (normalized: "c:\\programdata\\microsoft\\network"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.140] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network" (normalized: "c:\\programdata\\microsoft\\network"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.141] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0174.141] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.141] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0174.141] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0174.141] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.141] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0174.141] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\network\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.141] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\network\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.142] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\network\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.142] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0174.142] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c04000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12c04000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0174.143] CloseHandle (hObject=0x3c4) returned 1 [0174.144] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Connections" (normalized: "c:\\programdata\\microsoft\\network\\connections"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.144] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Connections" (normalized: "c:\\programdata\\microsoft\\network\\connections"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.144] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.144] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.144] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.144] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.145] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Connections\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\network\\connections\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.145] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Connections\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\network\\connections\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.145] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Connections\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\network\\connections\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.145] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0174.145] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c05300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12c05300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0174.146] CloseHandle (hObject=0x3c4) returned 1 [0174.147] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader" (normalized: "c:\\programdata\\microsoft\\network\\downloader"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.147] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader" (normalized: "c:\\programdata\\microsoft\\network\\downloader"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.147] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0174.147] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.147] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x9982b6fd, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0174.147] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x998191f1, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0174.147] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.147] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0174.147] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.148] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.148] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.148] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0174.148] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c06600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12c06600*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0174.149] CloseHandle (hObject=0x3c4) returned 1 [0174.149] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x9982b6fd, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0174.150] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x998191f1, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0174.150] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Office" (normalized: "c:\\programdata\\microsoft\\office"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.150] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Office" (normalized: "c:\\programdata\\microsoft\\office"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.150] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Office\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0174.150] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.150] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1 [0174.151] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.151] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0174.151] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Office\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\office\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.151] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Office\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\office\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.151] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Office\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\office\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.152] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0174.152] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c07900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12c07900*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0174.153] CloseHandle (hObject=0x3c4) returned 1 [0174.153] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker" (normalized: "c:\\programdata\\microsoft\\office\\clicktorunpackagelocker"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.153] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.154] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat\\*", lpFindFileData=0x12927a44 | out: lpFindFileData=0x12927a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0174.154] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker" (normalized: "c:\\programdata\\microsoft\\office\\clicktorunpackagelocker"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.154] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.154] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker" (normalized: "c:\\programdata\\microsoft\\office\\clicktorunpackagelocker"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928b00 | out: pbBuffer=0x12928b00) returned 1 [0174.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129156a8 | out: pbBuffer=0x129156a8) returned 1 [0174.156] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12927d1c*=0x0, lpOverlapped=0x0) returned 1 [0174.156] CloseHandle (hObject=0x3c4) returned 1 [0174.156] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning" (normalized: "c:\\programdata\\microsoft\\provisioning"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.156] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning" (normalized: "c:\\programdata\\microsoft\\provisioning"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.156] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11be8600, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x11be8600, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x11be8600, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6815, dwReserved0=0x0, dwReserved1=0x0, cFileName="countrytable.xml", cAlternateFileName="")) returned 1 [0174.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", cAlternateFileName="{18DCF~1")) returned 1 [0174.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{1e05dd5d-a022-46c5-963c-b20de341170f}", cAlternateFileName="{1E05D~1")) returned 1 [0174.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{23cb517f-5073-4e96-a202-7fe6122a2271}", cAlternateFileName="{23CB5~1")) returned 1 [0174.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", cAlternateFileName="{3742E~1")) returned 1 [0174.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", cAlternateFileName="{7A30A~1")) returned 1 [0174.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", cAlternateFileName="{8FB7D~1")) returned 1 [0174.343] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{99b095d8-5959-4820-bea7-7448c8427b4e}", cAlternateFileName="{99B09~1")) returned 1 [0174.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", cAlternateFileName="{9AEC5~1")) returned 1 [0174.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", cAlternateFileName="{9DF6A~1")) returned 1 [0174.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", cAlternateFileName="{B0B91~1")) returned 1 [0174.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{c5dc3753-b6c8-4057-b396-bf13d769311c}", cAlternateFileName="{C5DC3~1")) returned 1 [0174.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{ee4aac98-c174-4941-82b1-d121e493e4fb}", cAlternateFileName="{EE4AA~1")) returned 1 [0174.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", cAlternateFileName="{F1189~1")) returned 1 [0174.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 1 [0174.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.344] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.345] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.346] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.347] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.360] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0174.360] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0174.362] CloseHandle (hObject=0x3c4) returned 1 [0174.362] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\countrytable.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11be8600, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x11be8600, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x11be8600, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6815)) returned 1 [0174.375] SetEvent (hEvent=0x40c) returned 1 [0174.375] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.382] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.382] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.384] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.384] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f6b62d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f6b62d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f6b62d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe90, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0174.384] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0174.384] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0174.384] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.384] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.386] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.387] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.387] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.387] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0174.387] WriteFile (in: hFile=0x428, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0174.389] CloseHandle (hObject=0x428) returned 1 [0174.389] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0174.389] SetEvent (hEvent=0x40c) returned 1 [0174.389] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.397] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.397] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.397] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.397] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0174.397] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e60513, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e60513, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22f, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0174.397] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.397] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.397] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.398] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.398] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0174.398] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0174.398] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0174.400] CloseHandle (hObject=0x42c) returned 1 [0174.400] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.400] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.400] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e3a2a4, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e3a2a4, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e60513, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0174.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0174.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.401] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.401] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.401] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.401] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.443] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0174.443] WriteFile (in: hFile=0x428, lpBuffer=0x12a3c000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a3c000*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0174.445] CloseHandle (hObject=0x428) returned 1 [0174.445] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e3a2a4, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e3a2a4, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e60513, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e)) returned 1 [0174.446] SetEvent (hEvent=0x40c) returned 1 [0174.446] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e)) returned 1 [0174.452] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0174.531] SetEvent (hEvent=0x1d0) returned 1 [0174.531] SetEvent (hEvent=0x40c) returned 1 [0174.531] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e60513, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e60513, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22f)) returned 1 [0174.531] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f6b62d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f6b62d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f6b62d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe90)) returned 1 [0174.531] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.537] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.537] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0174.543] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0174.559] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.559] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa10504bd, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa10504bd, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa10504bd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x4ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0174.559] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa102a24e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa102a24e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0174.559] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0174.559] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.559] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0174.561] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.562] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.562] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.563] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0174.563] WriteFile (in: hFile=0x428, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0174.564] CloseHandle (hObject=0x428) returned 1 [0174.565] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa102a24e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa102a24e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0174.565] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.566] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.566] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0174.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x157, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0174.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.566] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.566] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.566] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.567] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.567] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0174.567] WriteFile (in: hFile=0x428, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0174.570] CloseHandle (hObject=0x428) returned 1 [0174.571] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.591] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.591] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0174.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0174.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0174.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.591] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0174.592] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.592] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.592] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.631] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0174.631] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0174.633] CloseHandle (hObject=0x3c4) returned 1 [0174.633] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168)) returned 1 [0174.634] SetEvent (hEvent=0x40c) returned 1 [0174.634] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168)) returned 1 [0174.634] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x157)) returned 1 [0174.634] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa10504bd, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa10504bd, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa10504bd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x4ef)) returned 1 [0174.634] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.641] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.641] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.689] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.689] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa15d3ecf, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa15d3ecf, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa15fa13e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x159d, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0174.689] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1430407, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1430407, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1430407, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0174.689] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0174.689] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.689] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.690] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.692] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.692] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0174.693] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0174.693] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0174.694] CloseHandle (hObject=0x42c) returned 1 [0174.695] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1430407, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1430407, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1430407, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0174.696] SetEvent (hEvent=0x19c) returned 1 [0174.696] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.714] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.714] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0174.714] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.714] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0174.714] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13e3f24, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13e3f24, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0174.715] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.715] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0174.715] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.715] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.716] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0174.716] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0174.716] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0174.719] CloseHandle (hObject=0x42c) returned 1 [0174.719] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0174.719] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.720] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0174.720] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0174.720] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1397a49, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1397a49, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13bdcbd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0174.720] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0174.720] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0174.720] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0174.721] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0174.721] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0174.721] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0174.830] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0174.830] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0174.832] CloseHandle (hObject=0x42c) returned 1 [0174.848] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1397a49, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1397a49, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13bdcbd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd)) returned 1 [0174.848] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0174.859] SetEvent (hEvent=0x19c) returned 1 [0174.859] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0174.863] SetEvent (hEvent=0x420) returned 1 [0174.864] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd)) returned 1 [0174.869] SetEvent (hEvent=0xfc) returned 1 [0174.870] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0174.965] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0174.965] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0174.965] SetEvent (hEvent=0x1d0) returned 1 [0174.965] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0174.992] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0174.992] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914000 | out: pbBuffer=0x12914000) returned 1 [0174.992] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[B6058E5783504B72]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\#_this_file_is_encrypted_[b6058e5783504b72]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.993] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa15d3ecf, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa15d3ecf, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa15fa13e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x159d)) returned 1 [0174.993] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0175.026] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0175.026] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0175.115] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0175.115] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2363c60, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2363c60, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2389ec8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1988, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0175.115] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0175.115] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0175.115] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0175.116] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0175.117] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0175.118] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0175.118] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0175.147] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0175.147] WriteFile (in: hFile=0x15c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0175.169] CloseHandle (hObject=0x15c) returned 1 [0175.204] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0175.205] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0175.234] SetEvent (hEvent=0x420) returned 1 [0175.234] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0175.234] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0175.235] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0175.235] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0175.235] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0175.235] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2173cb2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2173cb2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0175.235] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0175.235] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0175.235] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0175.236] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0175.236] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0175.255] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0175.256] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0175.269] CloseHandle (hObject=0x1a0) returned 1 [0175.269] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0175.279] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0175.279] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0175.280] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0175.280] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa214da47, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa214da47, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2173cb2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xbd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0175.280] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2199f29, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2199f29, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2199f29, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x720, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0175.280] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1 [0175.280] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0175.280] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0175.280] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0175.281] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0175.281] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0175.285] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0175.285] WriteFile (in: hFile=0x15c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0175.286] CloseHandle (hObject=0x15c) returned 1 [0175.287] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa214da47, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa214da47, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2173cb2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xbd7)) returned 1 [0175.287] SetEvent (hEvent=0xfc) returned 1 [0175.287] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2199f29, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2199f29, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2199f29, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x720)) returned 1 [0175.287] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905)) returned 1 [0175.288] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0175.288] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0175.288] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2199f29, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2199f29, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2199f29, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x720)) returned 1 [0175.288] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928120 | out: pbBuffer=0x12928120) returned 1 [0175.288] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145d0 | out: pbBuffer=0x129145d0) returned 1 [0175.288] ReadFile (in: hFile=0x15c, lpBuffer=0x12d36000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d36000*, lpNumberOfBytesRead=0x12925d1c*=0x720, lpOverlapped=0x0) returned 1 [0175.322] GetFileType (hFile=0x15c) returned 0x1 [0175.322] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.322] WriteFile (in: hFile=0x15c, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x12925d00*=0x720, lpOverlapped=0x12925d0c) returned 1 [0175.322] GetFileType (hFile=0x15c) returned 0x1 [0175.322] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x720, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.322] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0175.322] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0175.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0175.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1a0 | out: pbBuffer=0x12a9a1a0) returned 1 [0175.323] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0175.323] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0175.323] WriteFile (in: hFile=0x43c, lpBuffer=0x12c88500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c88500*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.323] CloseHandle (hObject=0x43c) returned 1 [0175.325] CloseHandle (hObject=0x15c) returned 1 [0175.325] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1b8 | out: pbBuffer=0x12a9a1b8) returned 1 [0175.325] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_1.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[CABDE45CED7D0859]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\#_this_file_is_encrypted_[cabde45ced7d0859]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.326] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0175.332] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0175.430] SetEvent (hEvent=0xfc) returned 1 [0175.430] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0175.433] SetEvent (hEvent=0xfc) returned 1 [0175.433] SetEvent (hEvent=0xf4) returned 1 [0175.433] SetEvent (hEvent=0x1d0) returned 1 [0175.433] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0175.496] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0175.652] SetEvent (hEvent=0x1d0) returned 1 [0175.652] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0175.653] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0175.653] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0175.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0175.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0175.653] ReadFile (in: hFile=0x428, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x1282fd1c*=0x10f, lpOverlapped=0x0) returned 1 [0175.655] GetFileType (hFile=0x428) returned 0x1 [0175.655] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0175.655] WriteFile (in: hFile=0x428, lpBuffer=0x12908900*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12908900*, lpNumberOfBytesWritten=0x1282fd00*=0x10f, lpOverlapped=0x1282fd0c) returned 1 [0175.655] GetFileType (hFile=0x428) returned 0x1 [0175.655] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0175.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0175.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0175.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0175.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0175.656] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0175.656] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0175.657] WriteFile (in: hFile=0x42c, lpBuffer=0x12b02000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0175.701] CloseHandle (hObject=0x42c) returned 1 [0175.703] CloseHandle (hObject=0x428) returned 1 [0175.703] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0175.704] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\#_THIS_FILE_IS_ENCRYPTED_[A681F748463CFDE7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\#_this_file_is_encrypted_[a681f748463cfde7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.705] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0175.772] SetEvent (hEvent=0x1d0) returned 1 [0175.772] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0175.772] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0175.772] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19da08f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcec)) returned 1 [0175.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0175.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0175.773] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12927d1c*=0xcec, lpOverlapped=0x0) returned 1 [0175.818] GetFileType (hFile=0x1a0) returned 0x1 [0175.818] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.818] WriteFile (in: hFile=0x1a0, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0xcec, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12927d00*=0xcec, lpOverlapped=0x12927d0c) returned 1 [0175.818] GetFileType (hFile=0x1a0) returned 0x1 [0175.818] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xcec, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.818] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0175.818] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0175.819] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0175.819] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484c8 | out: pbBuffer=0x128484c8) returned 1 [0175.819] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0175.819] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0175.819] WriteFile (in: hFile=0x438, lpBuffer=0x12b02500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02500*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.819] CloseHandle (hObject=0x438) returned 1 [0175.821] CloseHandle (hObject=0x1a0) returned 1 [0175.821] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484e0 | out: pbBuffer=0x128484e0) returned 1 [0175.821] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_1.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[B5E5C31533682061]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\#_this_file_is_encrypted_[b5e5c31533682061]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0176.158] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0176.274] SetEvent (hEvent=0x40c) returned 1 [0176.274] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0176.574] SetEvent (hEvent=0xf4) returned 1 [0176.574] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1cb, buf=0x1286c5a0*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x1cb, lpOverlapped=0x128e6088) returned 0 [0176.591] SwitchToThread () returned 1 [0176.609] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0181.193] SetEvent (hEvent=0x19c) returned 1 [0181.193] SetEvent (hEvent=0x3f4) returned 1 [0181.193] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0181.203] SetEvent (hEvent=0xfc) returned 1 [0181.203] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0181.382] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.382] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.382] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0181.387] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.387] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0fddd6c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xda6, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0181.387] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f1f13f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f1f13f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f1f13f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0181.387] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0181.387] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.388] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0181.390] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.391] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.391] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0181.407] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0181.407] WriteFile (in: hFile=0x42c, lpBuffer=0x12d64c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12d64c00*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0181.416] CloseHandle (hObject=0x42c) returned 1 [0181.427] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f1f13f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f1f13f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f1f13f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0181.427] SetEvent (hEvent=0x1d0) returned 1 [0181.427] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.433] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.433] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0181.433] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.433] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0181.434] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0181.434] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.434] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0181.434] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.434] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.434] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.447] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0181.447] WriteFile (in: hFile=0x428, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0181.495] CloseHandle (hObject=0x428) returned 1 [0181.496] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.496] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.496] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0181.496] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.497] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x734, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0181.497] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0181.497] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.497] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0181.497] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.497] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.497] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0181.509] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0181.509] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0181.510] CloseHandle (hObject=0x1a0) returned 1 [0181.511] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x734)) returned 1 [0181.511] SetEvent (hEvent=0x1d0) returned 1 [0181.511] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732)) returned 1 [0181.523] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0181.547] SetEvent (hEvent=0x1d0) returned 1 [0181.547] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0181.717] SetEvent (hEvent=0x3f4) returned 1 [0181.717] SetEvent (hEvent=0xfc) returned 1 [0181.717] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0181.728] SetEvent (hEvent=0x1d0) returned 1 [0181.728] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0181.799] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0182.128] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0182.129] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0182.129] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9ec9c48, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9ec9c48, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9ec9c48, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1018)) returned 1 [0182.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98200 | out: pbBuffer=0x12a98200) returned 1 [0182.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914568 | out: pbBuffer=0x12914568) returned 1 [0182.129] ReadFile (in: hFile=0x1a0, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a61d1c*=0x1018, lpOverlapped=0x0) returned 1 [0182.158] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0182.410] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0182.418] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0183.885] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0186.826] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0188.227] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0188.411] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0188.424] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0188.454] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0188.467] SetEvent (hEvent=0x1d0) returned 1 [0188.468] SetEvent (hEvent=0xf4) returned 1 [0188.469] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0188.471] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0188.471] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x0 [0188.521] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0188.521] SetEvent (hEvent=0x1d0) returned 1 [0188.521] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0188.530] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0188.530] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0189.825] SetEvent (hEvent=0xfc) returned 1 [0189.825] SetEvent (hEvent=0xf4) returned 1 [0189.826] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0190.391] SetEvent (hEvent=0xfc) returned 1 [0190.391] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0190.414] SetEvent (hEvent=0xfc) returned 1 [0190.414] SetEvent (hEvent=0x3f4) returned 1 [0190.457] SetEvent (hEvent=0xfc) returned 1 [0190.457] SetEvent (hEvent=0xf4) returned 1 [0190.457] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0192.408] SetEvent (hEvent=0x3f4) returned 1 [0193.559] WriteFile (in: hFile=0x428, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0193.561] CloseHandle (hObject=0x428) returned 1 [0193.791] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tracking protection"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0193.793] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tracking protection"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0193.793] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0193.941] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0193.941] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0193.942] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0194.440] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tracking protection\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0194.452] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tracking protection\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0194.530] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0194.581] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0194.606] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0194.606] SetEvent (hEvent=0x40c) returned 1 [0194.629] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tracking protection\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0194.630] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0194.630] WriteFile (in: hFile=0x438, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0194.632] CloseHandle (hObject=0x438) returned 1 [0194.632] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b2676dd, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x7bff1e28, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7bff1e28, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0194.632] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0194.633] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b2676dd, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x7bff1e28, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7bff1e28, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0194.633] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b2676dd, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x7bff1e28, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7bff1e28, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0194.633] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bfdd1c2, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x7bfdd1c2, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7bfe1f96, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x3f96, dwReserved0=0x0, dwReserved1=0x0, cFileName="versionlist.xml", cAlternateFileName="VERSIO~1.XML")) returned 1 [0194.633] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0194.633] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0194.633] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0194.634] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0194.634] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0194.635] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0194.635] WriteFile (in: hFile=0x438, lpBuffer=0x12859300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12859300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0194.636] CloseHandle (hObject=0x438) returned 1 [0194.636] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\versionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bfdd1c2, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x7bfdd1c2, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7bfe1f96, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x3f96)) returned 1 [0194.852] SetEvent (hEvent=0x3f4) returned 1 [0194.852] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\versionlist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0194.853] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0194.853] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\versionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bfdd1c2, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x7bfdd1c2, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7bfe1f96, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x3f96)) returned 1 [0194.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ee20 | out: pbBuffer=0x1280ee20) returned 1 [0194.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a600 | out: pbBuffer=0x12a9a600) returned 1 [0194.867] ReadFile (in: hFile=0x438, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a4bd1c*=0x3f96, lpOverlapped=0x0) returned 1 [0194.879] GetFileType (hFile=0x438) returned 0x1 [0194.879] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0194.880] WriteFile (in: hFile=0x438, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0x3f96, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x12a4bd00*=0x3f96, lpOverlapped=0x12a4bd0c) returned 1 [0194.880] GetFileType (hFile=0x438) returned 0x1 [0194.880] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x3f96, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0195.070] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0195.157] SetEvent (hEvent=0x40c) returned 1 [0195.157] SetEvent (hEvent=0x19c) returned 1 [0195.383] SetEvent (hEvent=0x3f4) returned 1 [0195.383] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0195.637] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-ClearIconCache.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-cleariconcache.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0195.638] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0195.638] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-ClearIconCache.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-cleariconcache.log"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x431ab1e5, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x431ab1e5, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x600a7168, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x92)) returned 1 [0195.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98060 | out: pbBuffer=0x12a98060) returned 1 [0195.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8028 | out: pbBuffer=0x128e8028) returned 1 [0195.639] ReadFile (in: hFile=0x15c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a49d1c*=0x92, lpOverlapped=0x0) returned 1 [0195.640] GetFileType (hFile=0x15c) returned 0x1 [0195.640] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0195.640] WriteFile (in: hFile=0x15c, lpBuffer=0x12c22140*, nNumberOfBytesToWrite=0x92, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12c22140*, lpNumberOfBytesWritten=0x12a49d00*=0x92, lpOverlapped=0x12a49d0c) returned 1 [0195.640] GetFileType (hFile=0x15c) returned 0x1 [0195.640] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x92, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0195.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0196.087] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0196.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0196.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0196.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0196.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8118 | out: pbBuffer=0x128e8118) returned 1 [0196.224] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\versionlist.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0196.225] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0196.225] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.225] CloseHandle (hObject=0x42c) returned 1 [0196.225] CloseHandle (hObject=0x438) returned 1 [0196.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8290 | out: pbBuffer=0x128e8290) returned 1 [0196.239] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\versionlist.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\#_THIS_FILE_IS_ENCRYPTED_[28903659C8CF4A86]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\#_this_file_is_encrypted_[28903659c8cf4a86]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0196.344] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0196.344] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\01_music_auto_rated_at_5_stars.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x414)) returned 1 [0196.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98340 | out: pbBuffer=0x12a98340) returned 1 [0196.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8308 | out: pbBuffer=0x128e8308) returned 1 [0196.346] ReadFile (in: hFile=0x438, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282fd1c*=0x414, lpOverlapped=0x0) returned 1 [0196.459] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0196.524] GetFileType (hFile=0x438) returned 0x1 [0196.524] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0196.524] WriteFile (in: hFile=0x438, lpBuffer=0x12c1e000*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c1e000*, lpNumberOfBytesWritten=0x1282fd00*=0x414, lpOverlapped=0x1282fd0c) returned 1 [0196.525] GetFileType (hFile=0x438) returned 0x1 [0196.525] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x414, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0196.525] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc081 | out: pbBuffer=0x12afc081) returned 1 [0196.525] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0196.525] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0196.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810210 | out: pbBuffer=0x12810210) returned 1 [0196.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0196.526] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0196.526] WriteFile (in: hFile=0x3c4, lpBuffer=0x12cd8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12cd8000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.526] CloseHandle (hObject=0x3c4) returned 1 [0196.526] CloseHandle (hObject=0x438) returned 1 [0196.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810228 | out: pbBuffer=0x12810228) returned 1 [0196.527] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\01_music_auto_rated_at_5_stars.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[C85E5BF9A5F2768D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[c85e5bf9a5f2768d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.528] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\06_pictures_rated_4_or_5_stars.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x311)) returned 1 [0196.654] SetEvent (hEvent=0x1d0) returned 1 [0196.655] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\07_tv_recorded_in_the_last_week.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x410)) returned 1 [0196.732] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\08_video_rated_at_4_or_5_stars.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3fc)) returned 1 [0196.779] SetEvent (hEvent=0x40c) returned 1 [0196.779] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\09_music_played_the_most.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x401)) returned 1 [0196.866] SetEvent (hEvent=0x19c) returned 1 [0196.867] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\10_All_Music.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\10_all_music.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x427)) returned 1 [0196.904] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0196.957] SetEvent (hEvent=0xfc) returned 1 [0196.957] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\11_All_Pictures.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\11_all_pictures.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x249)) returned 1 [0196.975] SetEvent (hEvent=0x3f4) returned 1 [0196.976] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\12_All_Video.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\12_all_video.wpl"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fe83ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x437)) returned 1 [0197.002] SetEvent (hEvent=0x40c) returned 1 [0197.002] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\transcoded files cache"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x760d4d6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0197.007] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\transcoded files cache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0197.007] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x760d4d6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0197.007] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x760d4d6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0197.007] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0197.008] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0197.008] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\transcoded files cache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0197.008] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\transcoded files cache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0197.008] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\transcoded files cache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0197.009] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0197.009] WriteFile (in: hFile=0x448, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0197.010] CloseHandle (hObject=0x448) returned 1 [0197.010] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x696efe32, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x696efe32, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0197.010] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0197.011] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x696efe32, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x696efe32, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0197.011] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x696efe32, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x696efe32, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0197.011] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0", cAlternateFileName="")) returned 1 [0197.011] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x696efe32, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0xa304b1cc, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa304b1cc, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OTele", cAlternateFileName="")) returned 1 [0197.011] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0197.011] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0197.011] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0197.011] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0197.012] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0197.012] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0197.012] WriteFile (in: hFile=0x448, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0197.014] CloseHandle (hObject=0x448) returned 1 [0197.014] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0197.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0197.014] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0197.014] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0197.014] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba9333c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba9333c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6b3f26a7, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x13bd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="excel.exe_Rules.xml", cAlternateFileName="EXCELE~1.XML")) returned 1 [0197.014] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8cb2b47, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8cb2b47, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8cb2b47, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x11d02, dwReserved0=0x0, dwReserved1=0x0, cFileName="msaccess.exe_Rules.xml", cAlternateFileName="MSACCE~1.XML")) returned 1 [0197.014] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20bb7bfa, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x20bb7bfa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x20bb8ff9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050, dwReserved0=0x0, dwReserved1=0x0, cFileName="officec2rclient.exe_Rules.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0197.015] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfcf021, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1cfcf021, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1cfcf021, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050, dwReserved0=0x0, dwReserved1=0x0, cFileName="officeclicktorun.exe_Rules.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0197.015] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b96fdbf, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x14a91, dwReserved0=0x0, dwReserved1=0x0, cFileName="outlook.exe_Rules.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0197.015] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb50ff70b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb50ff70b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb50ff70b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12c3e, dwReserved0=0x0, dwReserved1=0x0, cFileName="powerpnt.exe_Rules.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0197.015] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x5781bc17, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x9d540b29, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x4d2aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup.exe_Rules.xml", cAlternateFileName="SETUPE~1.XML")) returned 1 [0197.015] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18417d03, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x18417d03, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1841a3b9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup32.exe_Rules.xml", cAlternateFileName="SETUP3~1.XML")) returned 1 [0197.015] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WebServiceCache", cAlternateFileName="WEBSER~1")) returned 1 [0197.015] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fa7c66, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82fa7c66, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82fa7c66, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x197d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="winword.exe_Rules.xml", cAlternateFileName="WINWOR~1.XML")) returned 1 [0197.015] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0197.015] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0197.015] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0197.015] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0197.016] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0197.016] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0197.016] WriteFile (in: hFile=0x448, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0197.017] CloseHandle (hObject=0x448) returned 1 [0197.018] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0197.019] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0197.019] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0197.019] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0197.019] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x82347855, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AllUsers", cAlternateFileName="")) returned 1 [0197.019] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0197.019] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0197.019] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0197.019] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0197.019] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0197.020] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0197.020] WriteFile (in: hFile=0x448, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0197.021] CloseHandle (hObject=0x448) returned 1 [0197.021] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82347855, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82347855, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0197.021] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0197.021] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\*", lpFindFileData=0x1282b83c | out: lpFindFileData=0x1282b83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82347855, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82347855, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0197.022] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82347855, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82347855, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0197.022] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82347855, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8b05ffa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8b05ffa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="binaries.templates.cdn.office.net", cAlternateFileName="BINARI~1.NET")) returned 1 [0197.022] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x5d374b6c, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d38e5d2, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="officeclient.microsoft.com", cAlternateFileName="OFFICE~1.COM")) returned 1 [0197.022] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b880 | out: lpFindFileData=0x1282b880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0197.022] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0197.022] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b504 | out: lpFileInformation=0x1282b504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0197.022] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0197.022] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0197.031] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b714 | out: lpMode=0x1282b714) returned 0 [0197.031] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b714, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b714*=0x118a, lpOverlapped=0x0) returned 1 [0197.033] CloseHandle (hObject=0x3c4) returned 1 [0197.033] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net"), fInfoLevelId=0x0, lpFileInformation=0x1282b900 | out: lpFileInformation=0x1282b900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82347855, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5d4d30d2, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d4d30d2, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0197.035] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0197.036] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\*", lpFindFileData=0x1282b7d8 | out: lpFindFileData=0x1282b7d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82347855, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5d4d30d2, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d4d30d2, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0197.045] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82347855, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5d4d30d2, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d4d30d2, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0197.052] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e03b9e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e03b9e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e03b9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xaff, dwReserved0=0x0, dwReserved1=0x0, cFileName="033A5E2E-F52B-4392-A855-EB1B603352F7", cAlternateFileName="033A5E~1")) returned 1 [0197.052] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb2bc31, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb2bc31, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb2d062, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2b3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="0431222D-6E07-4867-BED3-3672DEAE6648", cAlternateFileName="043122~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ca303e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82ca303e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82ca303e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3be8, dwReserved0=0x0, dwReserved1=0x0, cFileName="05BDDC85-1B21-40A1-AD47-D6AD70518BA9", cAlternateFileName="05BDDC~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8494d29, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8494d29, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8496206, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xa96, dwReserved0=0x0, dwReserved1=0x0, cFileName="08DD48C4-4C22-48B1-8676-03955502381B", cAlternateFileName="08DD48~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5398c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b5398c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b54d17, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5ba7, dwReserved0=0x0, dwReserved1=0x0, cFileName="0BB3D81C-E14E-48A8-9E37-42996BD92C45", cAlternateFileName="0BB3D8~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c946be, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c946be, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c946be, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14b50, dwReserved0=0x0, dwReserved1=0x0, cFileName="0FFEDD2D-75F1-4D91-8A68-D07299430A95", cAlternateFileName="0FFEDD~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b28e4c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b28e4c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b28e4c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2426, dwReserved0=0x0, dwReserved1=0x0, cFileName="136081F3-73A0-4FF7-B28C-3470DE19BBF1", cAlternateFileName="136081~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84be520, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84be520, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84bf915, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1193, dwReserved0=0x0, dwReserved1=0x0, cFileName="149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74", cAlternateFileName="149EF4~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d9ad45, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d9ad45, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d9ad45, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x812e, dwReserved0=0x0, dwReserved1=0x0, cFileName="15A1ED83-2E0D-4739-B941-AD1703A61A1C", cAlternateFileName="15A1ED~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb6b457, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb6b457, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb6b457, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1bc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1604DFC0-3711-40F4-A312-5716BCF1C705", cAlternateFileName="1604DF~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc860f3fd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc860f3fd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc86107a9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc69, dwReserved0=0x0, dwReserved1=0x0, cFileName="1A8199FD-6A7F-407E-BA91-64E3C5A3EECB", cAlternateFileName="1A8199~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f20e3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f20e3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9f20e3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x80bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="1E1D102B-3E38-42D5-97CF-F307C2E53FA9", cAlternateFileName="1E1D10~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb5b5f4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb5b5f4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb5dbcb, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2084, dwReserved0=0x0, dwReserved1=0x0, cFileName="21676BA8-01CC-477B-8C3D-258E774A1164", cAlternateFileName="21676B~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4efb86e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4efb86e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4efcbea, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6b94, dwReserved0=0x0, dwReserved1=0x0, cFileName="23BF312F-1BE9-4411-BFF6-FA34461B5139", cAlternateFileName="23BF31~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9d4b04, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9d4b04, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9d5f98, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3bcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="23FB071D-E9EC-4666-A0CB-7D6993563959", cAlternateFileName="23FB07~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a897d3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a897d3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a8ab48, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1fdd, dwReserved0=0x0, dwReserved1=0x0, cFileName="292EB0B0-CEFD-4710-B2BC-B6DEBB11376B", cAlternateFileName="292EB0~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49f4ff8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49f4ff8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49f62e6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2fff, dwReserved0=0x0, dwReserved1=0x0, cFileName="29A9F36E-19FA-474E-A88B-9EE7C96DCBA2", cAlternateFileName="29A9F3~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb502ff48, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb502ff48, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb503124f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x666c, dwReserved0=0x0, dwReserved1=0x0, cFileName="2A756DDE-34E8-4DC2-855B-44682E9D4845", cAlternateFileName="2A756D~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49fb16b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49fb16b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49fb16b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4af4, dwReserved0=0x0, dwReserved1=0x0, cFileName="2DFAAC69-9C98-47D4-8E3B-6AD109FD232D", cAlternateFileName="2DFAAC~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a80f08, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a80f08, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a883fc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x507, dwReserved0=0x0, dwReserved1=0x0, cFileName="2EC88447-26FF-4E32-8D81-5ABC75AE65DB", cAlternateFileName="2EC884~1")) returned 1 [0197.053] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ea9c0d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4ea9c0d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4ea9c0d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x8b27, dwReserved0=0x0, dwReserved1=0x0, cFileName="33F63883-F0AE-4AB6-B4F0-30BB1951B381", cAlternateFileName="33F638~1")) returned 1 [0197.054] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bdad10, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bdad10, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bdad10, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x8440, dwReserved0=0x0, dwReserved1=0x0, cFileName="3628527B-53B7-45AD-A6DB-2BB7CCE4B284", cAlternateFileName="362852~1")) returned 1 [0197.054] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8e2fcd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab8e2fcd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab8e2fcd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4a91, dwReserved0=0x0, dwReserved1=0x0, cFileName="393DA17C-492D-4E39-93B9-A0EB68F559AE", cAlternateFileName="393DA1~1")) returned 1 [0197.054] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829648ac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829648ac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829648ac, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x63f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436", cAlternateFileName="3BA446~1")) returned 1 [0197.125] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c74994, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c74994, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c770d1, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x235a, dwReserved0=0x0, dwReserved1=0x0, cFileName="3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B", cAlternateFileName="3C5BB2~1")) returned 1 [0197.125] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba3536d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba3536d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba3536d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="3E543A2A-53F0-47F8-9F51-FF1B9D7890AD", cAlternateFileName="3E543A~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d79e71, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d79e71, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d7b256, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2aee, dwReserved0=0x0, dwReserved1=0x0, cFileName="3FFAE199-5C90-4A06-AA16-96546E1FDFD1", cAlternateFileName="3FFAE1~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82960d16, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82960d16, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82962239, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x341b, dwReserved0=0x0, dwReserved1=0x0, cFileName="406E18D5-EC82-4FCC-82A8-2D148D067E02", cAlternateFileName="406E18~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84c0c6a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84c0c6a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84c20aa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x97c, dwReserved0=0x0, dwReserved1=0x0, cFileName="43F05AC3-1345-4232-9173-E5AEAF85BF98", cAlternateFileName="43F05A~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc847f2b8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc847f2b8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc847f2b8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x0, dwReserved1=0x0, cFileName="4BCC7FD4-613C-4B15-9DBE-908105E4ED54", cAlternateFileName="4BCC7F~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828dd133, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x828dd133, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x828dd133, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4825, dwReserved0=0x0, dwReserved1=0x0, cFileName="4CA2E262-1B83-48AB-BA5B-2A052BA6485B", cAlternateFileName="4CA2E2~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5074490, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb5074490, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb5074490, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2171, dwReserved0=0x0, dwReserved1=0x0, cFileName="4F183948-A9C6-492E-8CD3-78756D7F03CF", cAlternateFileName="4F1839~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84da778, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84da778, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84db9c3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x438, dwReserved0=0x0, dwReserved1=0x0, cFileName="4F9F0AEF-1D87-4F0C-910C-0ADC7E172289", cAlternateFileName="4F9F0A~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4b06560, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4b06560, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4b07902, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c73, dwReserved0=0x0, dwReserved1=0x0, cFileName="511B4AE9-CD73-4ED0-A899-602921314CEC", cAlternateFileName="511B4A~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabaab9cf, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabaab9cf, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabaacd7e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1cab, dwReserved0=0x0, dwReserved1=0x0, cFileName="580DF0A8-7B09-4BAC-BD6B-1096E9BDA073", cAlternateFileName="580DF0~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b14252, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b14252, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b14252, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x23c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="5B268694-C256-497F-B57F-0B2D793CBA10", cAlternateFileName="5B2686~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4cefda3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4cefda3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4cefda3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5128, dwReserved0=0x0, dwReserved1=0x0, cFileName="5B7E87C2-FC64-4F92-8D24-251DE6AF63C0", cAlternateFileName="5B7E87~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9fe464, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9fe464, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9fe464, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x487e, dwReserved0=0x0, dwReserved1=0x0, cFileName="5F3382B8-AFBF-4FEA-8B79-20898FE63A3D", cAlternateFileName="5F3382~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabbd098a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabbd098a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabbd1d40, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x242b, dwReserved0=0x0, dwReserved1=0x0, cFileName="6B8DE11F-3D5A-48C6-81AA-977DA661E2C5", cAlternateFileName="6B8DE1~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cfd55e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82cfd55e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d37ecc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="6E234531-C2BA-4F08-BC11-2ECA97A03E84", cAlternateFileName="6E2345~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc853d4e0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc853d4e0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc85646d8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xbec, dwReserved0=0x0, dwReserved1=0x0, cFileName="6E4EC81F-6A7B-442E-91B3-150ED476524B", cAlternateFileName="6E4EC8~1")) returned 1 [0197.126] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b980a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b980a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b99326, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x401d, dwReserved0=0x0, dwReserved1=0x0, cFileName="6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2", cAlternateFileName="6E87FF~1")) returned 1 [0197.127] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4cf260c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4cf260c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4cf260c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xb156, dwReserved0=0x0, dwReserved1=0x0, cFileName="719CA5E5-2264-4D2B-B1BC-1979AE2F8481", cAlternateFileName="719CA5~1")) returned 1 [0197.127] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8b05ffa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8b05ffa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8b07378, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x60e, dwReserved0=0x0, dwReserved1=0x0, cFileName="73949334-7885-4202-9F99-AD59E8565AB6", cAlternateFileName="739493~1")) returned 1 [0197.127] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc882d53e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc882d53e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc882e8bd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x722, dwReserved0=0x0, dwReserved1=0x0, cFileName="7600EED5-3234-4650-8D9A-67C39E956D87", cAlternateFileName="7600EE~1")) returned 1 [0197.127] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae28fb, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae28fb, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae3bb5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94", cAlternateFileName="7C92FC~1")) returned 1 [0197.127] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b59afa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b59afa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b59afa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x98d6, dwReserved0=0x0, dwReserved1=0x0, cFileName="7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA", cAlternateFileName="7F96D0~1")) returned 1 [0197.127] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a05a2f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a05a2f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a06e54, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc11, dwReserved0=0x0, dwReserved1=0x0, cFileName="806760D6-0D46-4F0D-9A2A-5619D868318C", cAlternateFileName="806760~1")) returned 1 [0197.141] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8565b98, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8565b98, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8565b98, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="825BFDEB-777E-4DF1-818C-7CA4FC0D3016", cAlternateFileName="825BFD~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84e7d50, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84e7d50, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84e9287, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x9c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="82B38E75-3368-40D2-B1E5-193E0E558D48", cAlternateFileName="82B38E~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba093e4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba093e4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba093e4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x507d, dwReserved0=0x0, dwReserved1=0x0, cFileName="8618DFC3-EF76-4235-AA5D-06BEABD6E242", cAlternateFileName="8618DF~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c2c9d8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c2c9d8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c2c9d8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x17be, dwReserved0=0x0, dwReserved1=0x0, cFileName="89953CAA-1AB9-4A6E-A488-DFEFC5075387", cAlternateFileName="89953C~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ac863d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82ac863d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82ac9960, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x541f, dwReserved0=0x0, dwReserved1=0x0, cFileName="8EE3590E-CE33-42C6-8250-DF185AF8DAA4", cAlternateFileName="8EE359~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb476eaa3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb476eaa3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb476fe6d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="9056E597-0C30-4F42-BA7A-70B004BF042A", cAlternateFileName="9056E5~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49b7e91, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49b7e91, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49b7e91, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="92D09C47-EFFB-4E54-B85D-797F67B0527C", cAlternateFileName="92D09C~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc848065f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc848065f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84819da, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="95301B49-34BE-47D5-99D1-1C50A4B80C13", cAlternateFileName="95301B~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb715e7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb715e7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb715e7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x372b, dwReserved0=0x0, dwReserved1=0x0, cFileName="95AFB9A8-DEAD-49F6-9234-BEA10973F0CD", cAlternateFileName="95AFB9~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a305e3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a305e3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a7fd33, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7d42, dwReserved0=0x0, dwReserved1=0x0, cFileName="9639F732-A0F4-4A33-92A0-01330C0BB8C3", cAlternateFileName="9639F7~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83bbe8a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc83bbe8a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc83bd386, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="96BAA0E7-CE03-46C0-A45A-8F71ADB9C825", cAlternateFileName="96BAA0~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b07c5d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b07c5d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b07c5d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xd2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="9A557D1E-5B55-45D0-B83F-66D1CCFBCC32", cAlternateFileName="9A557D~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a15964, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a15964, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a16c5a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x451, dwReserved0=0x0, dwReserved1=0x0, cFileName="9CFC7195-9421-404F-A40A-EEBD8F033365", cAlternateFileName="9CFC71~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabbdccf8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabbdccf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabbdccf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x135f, dwReserved0=0x0, dwReserved1=0x0, cFileName="A0D2B79B-05BB-4871-8DE6-E766643BD65E", cAlternateFileName="A0D2B7~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae01a6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae01a6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae01a6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x108a, dwReserved0=0x0, dwReserved1=0x0, cFileName="A1E234BD-B121-49A0-9B4B-BBF6A832161B", cAlternateFileName="A1E234~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829ef008, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829ef008, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829ef008, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x990a, dwReserved0=0x0, dwReserved1=0x0, cFileName="A2F95592-6A7F-475A-878F-C593DA8BBEDD", cAlternateFileName="A2F955~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bb0641, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bb0641, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bb19b0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c34, dwReserved0=0x0, dwReserved1=0x0, cFileName="A50A8D38-2A06-4EF5-A84C-B00C714F6B16", cAlternateFileName="A50A8D~1")) returned 1 [0197.142] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89f5df6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc89f5df6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc89f5df6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc70, dwReserved0=0x0, dwReserved1=0x0, cFileName="A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC", cAlternateFileName="A5DEC7~1")) returned 1 [0197.143] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49c69cc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49c69cc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49c69cc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x75b, dwReserved0=0x0, dwReserved1=0x0, cFileName="AA8B315F-D191-411A-80E8-BBCCCE176DA7", cAlternateFileName="AA8B31~1")) returned 1 [0197.143] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabac2fca, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabac2fca, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabac3f0e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="ABF009F6-7021-47EC-8025-BE55AD5EBB57", cAlternateFileName="ABF009~1")) returned 1 [0197.143] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c9b2e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c9b2e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c9b2e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x367e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AF769060-9C3B-4F97-8FB8-1EB72198BA39", cAlternateFileName="AF7690~1")) returned 1 [0197.143] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f96f2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f96f2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9faa6d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2132, dwReserved0=0x0, dwReserved1=0x0, cFileName="B1725647-3A36-4C56-9803-89EDCA8238A8", cAlternateFileName="B17256~1")) returned 1 [0197.143] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c666c7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8c666c7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8c666c7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x148c, dwReserved0=0x0, dwReserved1=0x0, cFileName="B20989ED-6B03-4803-ADD0-4360553EC384", cAlternateFileName="B20989~1")) returned 1 [0197.143] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4df9f3a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4df9f3a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4df9f3a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="B6937276-0D21-44E4-B6A5-2F13F90E1698", cAlternateFileName="B69372~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd8b94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82cd8b94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82cd8b94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5505, dwReserved0=0x0, dwReserved1=0x0, cFileName="B74632A4-B059-4F5A-849D-252172A06A99", cAlternateFileName="B74632~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f482a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f482a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9f482a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3888, dwReserved0=0x0, dwReserved1=0x0, cFileName="BB41F806-1043-41B2-9372-8F6E7066247A", cAlternateFileName="BB41F8~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae635e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae635e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae635e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7f46, dwReserved0=0x0, dwReserved1=0x0, cFileName="BFB97937-ABF1-480A-946B-D367067F68C4", cAlternateFileName="BFB979~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c1295, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c1295, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c1295, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3c73, dwReserved0=0x0, dwReserved1=0x0, cFileName="C0B5FEFE-C6C1-439E-B89D-E39A2031E527", cAlternateFileName="C0B5FE~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb474db8b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb474db8b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb474ef1c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1ffd, dwReserved0=0x0, dwReserved1=0x0, cFileName="C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A", cAlternateFileName="C3DC5B~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9cfd00, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9cfd00, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9d23da, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2f7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="C4181E33-213A-4456-87BA-15FD83064187", cAlternateFileName="C4181E~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4974447, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4974447, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49759af, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2bd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="C52B4A7C-C9FD-485A-8375-F97F3A24C1BA", cAlternateFileName="C52B4A~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83e6a80, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc83e6a80, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc83e6a80, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1167, dwReserved0=0x0, dwReserved1=0x0, cFileName="C7B65EEC-91E0-4362-AC18-80B09C3C95AC", cAlternateFileName="C7B65E~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829b15f8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829b15f8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829b5109, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x634f, dwReserved0=0x0, dwReserved1=0x0, cFileName="C85A59C5-2B02-4194-AB2C-0E6E2B6031A0", cAlternateFileName="C85A59~1")) returned 1 [0197.163] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e2fa78, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e2fa78, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e30e51, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5543, dwReserved0=0x0, dwReserved1=0x0, cFileName="C9B26F48-B9B2-452D-9E4F-BD539A769B1B", cAlternateFileName="C9B26F~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabad3e63, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabad3e63, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabad3e63, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a54, dwReserved0=0x0, dwReserved1=0x0, cFileName="CA094F8F-D41E-43AB-8A32-1A2F34851250", cAlternateFileName="CA094F~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8293e9d0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x8293e9d0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x8293ff31, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1e19, dwReserved0=0x0, dwReserved1=0x0, cFileName="CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947", cAlternateFileName="CCB1B3~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d94a38, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d94a38, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d94a38, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x422e, dwReserved0=0x0, dwReserved1=0x0, cFileName="CFC05EA4-9A97-47D5-9459-FB2F94EE79CC", cAlternateFileName="CFC05E~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d89a80, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d89a80, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d8ae10, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x595d, dwReserved0=0x0, dwReserved1=0x0, cFileName="D03B54D7-2F02-4F26-B245-6759FD3E5356", cAlternateFileName="D03B54~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9d990d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9d990d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9ee668, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="D1658A87-36B4-4565-B36F-CEF71FFC7033", cAlternateFileName="D1658A~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c85c72, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c85c72, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c8700a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3894, dwReserved0=0x0, dwReserved1=0x0, cFileName="D69FD789-7AAA-4B6A-86DB-6AD5F309B97F", cAlternateFileName="D69FD7~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e43432, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e43432, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e43432, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6f72, dwReserved0=0x0, dwReserved1=0x0, cFileName="D7F62263-4202-4285-AB58-35DFBBB7899C", cAlternateFileName="D7F622~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc856808a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc856808a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc856808a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="DB4F9AB3-289C-4C85-93DC-C7725673E79B", cAlternateFileName="DB4F9A~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d69f78, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d69f78, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d69f78, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2913, dwReserved0=0x0, dwReserved1=0x0, cFileName="DC2A3CBD-DDE4-4C82-98B2-97C578971471", cAlternateFileName="DC2A3C~1")) returned 1 [0197.164] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89439d3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc89439d3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc89439d3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2516, dwReserved0=0x0, dwReserved1=0x0, cFileName="E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9", cAlternateFileName="E2B74C~1")) returned 1 [0197.165] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e4e325, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e4e325, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e4f6b9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xa99, dwReserved0=0x0, dwReserved1=0x0, cFileName="E36912C5-9C2D-452F-95F8-CFA1FC049148", cAlternateFileName="E36912~1")) returned 1 [0197.165] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8850b3e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8850b3e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8850b3e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x38f, dwReserved0=0x0, dwReserved1=0x0, cFileName="E457C019-B991-4CCC-8425-CCD48E271DFC", cAlternateFileName="E457C0~1")) returned 1 [0197.165] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e928f1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e928f1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e93c87, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f40, dwReserved0=0x0, dwReserved1=0x0, cFileName="E64AA1EE-3ABD-40DD-9A7A-E7E891151C82", cAlternateFileName="E64AA1~1")) returned 1 [0197.165] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bd5ee3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bd5ee3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bd85f4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3380, dwReserved0=0x0, dwReserved1=0x0, cFileName="E8B41E01-FE51-4F72-9829-70D724467D17", cAlternateFileName="E8B41E~1")) returned 1 [0197.166] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb679a6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb679a6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb679a6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x292e, dwReserved0=0x0, dwReserved1=0x0, cFileName="EA6554FC-7DB2-4685-948E-52402E811540", cAlternateFileName="EA6554~1")) returned 1 [0197.166] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8424f42, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8424f42, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8427531, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x153e, dwReserved0=0x0, dwReserved1=0x0, cFileName="F0A28B79-40AC-459C-968D-4F68E9798715", cAlternateFileName="F0A28B~1")) returned 1 [0197.166] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829bd95b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829bd95b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829bef86, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7629, dwReserved0=0x0, dwReserved1=0x0, cFileName="F192A1E6-5284-47FF-83DA-D65DCB35FC9F", cAlternateFileName="F192A1~1")) returned 1 [0197.166] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba00b7d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba00b7d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba00b7d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x18bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="F31F431A-DF78-48BC-9A30-E15E83A7DF3B", cAlternateFileName="F31F43~1")) returned 1 [0197.166] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4df95, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d4df95, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d4df95, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1362, dwReserved0=0x0, dwReserved1=0x0, cFileName="F8C7174F-633A-4FA0-9187-67153391986A", cAlternateFileName="F8C717~1")) returned 1 [0197.166] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c2675f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c2675f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c2675f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x447b, dwReserved0=0x0, dwReserved1=0x0, cFileName="F97CF839-8F66-44ED-8DB4-5A4D6D408F2E", cAlternateFileName="F97CF8~1")) returned 1 [0197.166] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49ec6e1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49ec6e1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49eda26, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486e, dwReserved0=0x0, dwReserved1=0x0, cFileName="FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9", cAlternateFileName="FDAC00~1")) returned 1 [0197.166] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b81c | out: lpFindFileData=0x1282b81c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0197.166] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0197.168] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b4a0 | out: lpFileInformation=0x1282b4a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0197.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0197.170] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0197.170] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b6b0 | out: lpMode=0x1282b6b0) returned 0 [0197.171] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b6b0, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b6b0*=0x118a, lpOverlapped=0x0) returned 1 [0197.172] CloseHandle (hObject=0x3c4) returned 1 [0197.173] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\033A5E2E-F52B-4392-A855-EB1B603352F7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\033a5e2e-f52b-4392-a855-eb1b603352f7"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e03b9e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e03b9e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e03b9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xaff)) returned 1 [0197.173] SetEvent (hEvent=0x1d0) returned 1 [0197.173] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0431222D-6E07-4867-BED3-3672DEAE6648" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0431222d-6e07-4867-bed3-3672deae6648"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb2bc31, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb2bc31, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb2d062, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2b3a)) returned 1 [0197.179] SetEvent (hEvent=0x1d0) returned 1 [0197.179] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\05BDDC85-1B21-40A1-AD47-D6AD70518BA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\05bddc85-1b21-40a1-ad47-d6ad70518ba9"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ca303e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82ca303e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82ca303e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3be8)) returned 1 [0197.204] SetEvent (hEvent=0x1d0) returned 1 [0197.205] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\08DD48C4-4C22-48B1-8676-03955502381B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\08dd48c4-4c22-48b1-8676-03955502381b"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8494d29, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8494d29, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8496206, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xa96)) returned 1 [0197.334] SetEvent (hEvent=0xfc) returned 1 [0197.334] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0BB3D81C-E14E-48A8-9E37-42996BD92C45" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0bb3d81c-e14e-48a8-9e37-42996bd92c45"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5398c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b5398c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b54d17, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5ba7)) returned 1 [0197.374] SetEvent (hEvent=0x3f4) returned 1 [0197.374] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0FFEDD2D-75F1-4D91-8A68-D07299430A95" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0ffedd2d-75f1-4d91-8a68-d07299430a95"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c946be, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c946be, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c946be, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14b50)) returned 1 [0197.395] SetEvent (hEvent=0x40c) returned 1 [0197.395] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\136081F3-73A0-4FF7-B28C-3470DE19BBF1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\136081f3-73a0-4ff7-b28c-3470de19bbf1"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b28e4c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b28e4c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b28e4c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2426)) returned 1 [0197.494] SetEvent (hEvent=0xfc) returned 1 [0197.494] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\149ef4f4-82e0-49bf-99db-2ea4a1b5fd74"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84be520, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84be520, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84bf915, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1193)) returned 1 [0197.614] SetEvent (hEvent=0x3f4) returned 1 [0197.614] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\15A1ED83-2E0D-4739-B941-AD1703A61A1C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\15a1ed83-2e0d-4739-b941-ad1703a61a1c"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d9ad45, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d9ad45, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d9ad45, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x812e)) returned 1 [0197.642] SetEvent (hEvent=0x40c) returned 1 [0197.642] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1604DFC0-3711-40F4-A312-5716BCF1C705" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1604dfc0-3711-40f4-a312-5716bcf1c705"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb6b457, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb6b457, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb6b457, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1bc0)) returned 1 [0197.671] SetEvent (hEvent=0x110) returned 1 [0197.671] SetEvent (hEvent=0xfc) returned 1 [0197.671] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1A8199FD-6A7F-407E-BA91-64E3C5A3EECB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1a8199fd-6a7f-407e-ba91-64e3c5a3eecb"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc860f3fd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc860f3fd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc86107a9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc69)) returned 1 [0197.766] SetEvent (hEvent=0x110) returned 1 [0197.766] SetEvent (hEvent=0x3f4) returned 1 [0197.766] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1E1D102B-3E38-42D5-97CF-F307C2E53FA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1e1d102b-3e38-42d5-97cf-f307c2e53fa9"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f20e3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f20e3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9f20e3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x80bb)) returned 1 [0197.908] SetEvent (hEvent=0x110) returned 1 [0197.908] SetEvent (hEvent=0x40c) returned 1 [0197.908] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\21676BA8-01CC-477B-8C3D-258E774A1164" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\21676ba8-01cc-477b-8c3d-258e774a1164"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb5b5f4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb5b5f4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb5dbcb, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2084)) returned 1 [0197.967] SetEvent (hEvent=0xfc) returned 1 [0197.967] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23BF312F-1BE9-4411-BFF6-FA34461B5139" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23bf312f-1be9-4411-bff6-fa34461b5139"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4efb86e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4efb86e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4efcbea, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6b94)) returned 1 [0198.062] SetEvent (hEvent=0x420) returned 1 [0198.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23FB071D-E9EC-4666-A0CB-7D6993563959" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23fb071d-e9ec-4666-a0cb-7d6993563959"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9d4b04, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9d4b04, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9d5f98, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3bcb)) returned 1 [0198.095] SetEvent (hEvent=0x420) returned 1 [0198.095] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\292EB0B0-CEFD-4710-B2BC-B6DEBB11376B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\292eb0b0-cefd-4710-b2bc-b6debb11376b"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a897d3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a897d3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a8ab48, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1fdd)) returned 1 [0198.121] SetEvent (hEvent=0x40c) returned 1 [0198.122] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\29A9F36E-19FA-474E-A88B-9EE7C96DCBA2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\29a9f36e-19fa-474e-a88b-9ee7c96dcba2"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49f4ff8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49f4ff8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49f62e6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2fff)) returned 1 [0198.202] SetEvent (hEvent=0x110) returned 1 [0198.202] SetEvent (hEvent=0xfc) returned 1 [0198.202] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2A756DDE-34E8-4DC2-855B-44682E9D4845" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2a756dde-34e8-4dc2-855b-44682e9d4845"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb502ff48, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb502ff48, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb503124f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x666c)) returned 1 [0198.245] SetEvent (hEvent=0x3f4) returned 1 [0198.245] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2DFAAC69-9C98-47D4-8E3B-6AD109FD232D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2dfaac69-9c98-47d4-8e3b-6ad109fd232d"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49fb16b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49fb16b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49fb16b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4af4)) returned 1 [0198.307] SetEvent (hEvent=0x420) returned 1 [0198.307] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2EC88447-26FF-4E32-8D81-5ABC75AE65DB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2ec88447-26ff-4e32-8d81-5abc75ae65db"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a80f08, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a80f08, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a883fc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x507)) returned 1 [0198.338] SetEvent (hEvent=0x40c) returned 1 [0198.338] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\33F63883-F0AE-4AB6-B4F0-30BB1951B381" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\33f63883-f0ae-4ab6-b4f0-30bb1951b381"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ea9c0d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4ea9c0d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4ea9c0d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x8b27)) returned 1 [0198.417] SetEvent (hEvent=0xfc) returned 1 [0198.417] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3628527B-53B7-45AD-A6DB-2BB7CCE4B284" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3628527b-53b7-45ad-a6db-2bb7cce4b284"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bdad10, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bdad10, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bdad10, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x8440)) returned 1 [0198.549] SetEvent (hEvent=0x110) returned 1 [0198.550] SetEvent (hEvent=0x3f4) returned 1 [0198.550] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\393DA17C-492D-4E39-93B9-A0EB68F559AE" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\393da17c-492d-4e39-93b9-a0eb68f559ae"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8e2fcd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab8e2fcd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab8e2fcd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4a91)) returned 1 [0198.597] SetEvent (hEvent=0x19c) returned 1 [0198.598] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ba4462f-9de4-49de-b3b4-c55de0bc2436"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829648ac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829648ac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829648ac, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x63f1)) returned 1 [0198.629] SetEvent (hEvent=0x40c) returned 1 [0198.629] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3c5bb25a-c5b4-4565-a1c7-47ea3c32b62b"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c74994, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c74994, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c770d1, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x235a)) returned 1 [0198.798] SetEvent (hEvent=0xfc) returned 1 [0198.799] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3E543A2A-53F0-47F8-9F51-FF1B9D7890AD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3e543a2a-53f0-47f8-9f51-ff1b9d7890ad"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba3536d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba3536d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba3536d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a3b)) returned 1 [0198.825] SetEvent (hEvent=0x3f4) returned 1 [0198.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3FFAE199-5C90-4A06-AA16-96546E1FDFD1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ffae199-5c90-4a06-aa16-96546e1fdfd1"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d79e71, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d79e71, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d7b256, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2aee)) returned 1 [0198.912] SetEvent (hEvent=0x40c) returned 1 [0198.912] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\406E18D5-EC82-4FCC-82A8-2D148D067E02" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\406e18d5-ec82-4fcc-82a8-2d148d067e02"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82960d16, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82960d16, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82962239, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x341b)) returned 1 [0198.939] SetEvent (hEvent=0xfc) returned 1 [0198.939] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\43F05AC3-1345-4232-9173-E5AEAF85BF98" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\43f05ac3-1345-4232-9173-e5aeaf85bf98"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84c0c6a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84c0c6a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84c20aa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x97c)) returned 1 [0198.967] SetEvent (hEvent=0x19c) returned 1 [0198.967] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4BCC7FD4-613C-4B15-9DBE-908105E4ED54" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4bcc7fd4-613c-4b15-9dbe-908105e4ed54"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc847f2b8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc847f2b8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc847f2b8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcec)) returned 1 [0199.028] SetEvent (hEvent=0x40c) returned 1 [0199.028] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4CA2E262-1B83-48AB-BA5B-2A052BA6485B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4ca2e262-1b83-48ab-ba5b-2a052ba6485b"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828dd133, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x828dd133, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x828dd133, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4825)) returned 1 [0199.134] SetEvent (hEvent=0xfc) returned 1 [0199.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F183948-A9C6-492E-8CD3-78756D7F03CF" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f183948-a9c6-492e-8cd3-78756d7f03cf"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5074490, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb5074490, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb5074490, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2171)) returned 1 [0199.161] SetEvent (hEvent=0x19c) returned 1 [0199.161] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F9F0AEF-1D87-4F0C-910C-0ADC7E172289" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f9f0aef-1d87-4f0c-910c-0adc7e172289"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84da778, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84da778, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84db9c3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x438)) returned 1 [0199.181] SetEvent (hEvent=0x40c) returned 1 [0199.182] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\511B4AE9-CD73-4ED0-A899-602921314CEC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\511b4ae9-cd73-4ed0-a899-602921314cec"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4b06560, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4b06560, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4b07902, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c73)) returned 1 [0199.260] SetEvent (hEvent=0x110) returned 1 [0199.260] SetEvent (hEvent=0xfc) returned 1 [0199.260] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\580DF0A8-7B09-4BAC-BD6B-1096E9BDA073" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\580df0a8-7b09-4bac-bd6b-1096e9bda073"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabaab9cf, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabaab9cf, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabaacd7e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1cab)) returned 1 [0199.306] SetEvent (hEvent=0x19c) returned 1 [0199.306] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B268694-C256-497F-B57F-0B2D793CBA10" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b268694-c256-497f-b57f-0b2d793cba10"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b14252, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b14252, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b14252, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x23c3)) returned 1 [0199.333] SetEvent (hEvent=0x40c) returned 1 [0199.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B7E87C2-FC64-4F92-8D24-251DE6AF63C0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b7e87c2-fc64-4f92-8d24-251de6af63c0"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4cefda3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4cefda3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4cefda3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5128)) returned 1 [0199.358] SetEvent (hEvent=0x110) returned 1 [0199.358] SetEvent (hEvent=0xfc) returned 1 [0199.359] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5F3382B8-AFBF-4FEA-8B79-20898FE63A3D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5f3382b8-afbf-4fea-8b79-20898fe63a3d"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9fe464, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9fe464, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9fe464, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x487e)) returned 1 [0199.512] SetEvent (hEvent=0x110) returned 1 [0199.512] SetEvent (hEvent=0x19c) returned 1 [0199.512] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6B8DE11F-3D5A-48C6-81AA-977DA661E2C5" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6b8de11f-3d5a-48c6-81aa-977da661e2c5"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabbd098a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabbd098a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabbd1d40, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x242b)) returned 1 [0199.666] SetEvent (hEvent=0x110) returned 1 [0199.666] SetEvent (hEvent=0x40c) returned 1 [0199.666] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E234531-C2BA-4F08-BC11-2ECA97A03E84" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e234531-c2ba-4f08-bc11-2eca97a03e84"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cfd55e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82cfd55e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d37ecc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7b5)) returned 1 [0199.746] SetEvent (hEvent=0x110) returned 1 [0199.746] SetEvent (hEvent=0xfc) returned 1 [0199.747] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E4EC81F-6A7B-442E-91B3-150ED476524B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e4ec81f-6a7b-442e-91b3-150ed476524b"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc853d4e0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc853d4e0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc85646d8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xbec)) returned 1 [0199.788] SetEvent (hEvent=0x3f4) returned 1 [0199.788] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e87ffa6-570d-4f3c-832c-0f0ed39d0de2"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b980a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b980a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b99326, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x401d)) returned 1 [0199.824] SetEvent (hEvent=0x110) returned 1 [0199.824] SetEvent (hEvent=0x40c) returned 1 [0199.824] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\719CA5E5-2264-4D2B-B1BC-1979AE2F8481" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\719ca5e5-2264-4d2b-b1bc-1979ae2f8481"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4cf260c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4cf260c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4cf260c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xb156)) returned 1 [0199.843] SetEvent (hEvent=0x3f4) returned 1 [0199.843] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9F99-AD59E8565AB6" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9f99-ad59e8565ab6"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8b05ffa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8b05ffa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8b07378, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x60e)) returned 1 [0199.930] SetEvent (hEvent=0xfc) returned 1 [0199.930] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7600EED5-3234-4650-8D9A-67C39E956D87" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7600eed5-3234-4650-8d9a-67c39e956d87"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc882d53e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc882d53e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc882e8bd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x722)) returned 1 [0200.008] SetEvent (hEvent=0x40c) returned 1 [0200.008] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7c92fceb-66eb-471d-9ba1-bdee0e12fd94"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae28fb, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae28fb, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae3bb5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f8f)) returned 1 [0200.038] SetEvent (hEvent=0x3f4) returned 1 [0200.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7f96d0a4-ecc8-4300-a3c4-8c2b5918bbaa"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b59afa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b59afa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b59afa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x98d6)) returned 1 [0200.069] SetEvent (hEvent=0x110) returned 1 [0200.069] SetEvent (hEvent=0x19c) returned 1 [0200.069] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\806760D6-0D46-4F0D-9A2A-5619D868318C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\806760d6-0d46-4f0d-9a2a-5619d868318c"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a05a2f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a05a2f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a06e54, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc11)) returned 1 [0200.256] SetEvent (hEvent=0x40c) returned 1 [0200.256] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\825BFDEB-777E-4DF1-818C-7CA4FC0D3016" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\825bfdeb-777e-4df1-818c-7ca4fc0d3016"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8565b98, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8565b98, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8565b98, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c8)) returned 1 [0200.318] SetEvent (hEvent=0x3f4) returned 1 [0200.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\82B38E75-3368-40D2-B1E5-193E0E558D48" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\82b38e75-3368-40d2-b1e5-193e0e558d48"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84e7d50, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84e7d50, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84e9287, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x9c3)) returned 1 [0200.341] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8618DFC3-EF76-4235-AA5D-06BEABD6E242" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8618dfc3-ef76-4235-aa5d-06beabd6e242"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba093e4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba093e4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba093e4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x507d)) returned 1 [0200.399] SetEvent (hEvent=0x40c) returned 1 [0200.399] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\89953CAA-1AB9-4A6E-A488-DFEFC5075387" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\89953caa-1ab9-4a6e-a488-dfefc5075387"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c2c9d8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c2c9d8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c2c9d8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x17be)) returned 1 [0200.424] SetEvent (hEvent=0x19c) returned 1 [0200.424] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8EE3590E-CE33-42C6-8250-DF185AF8DAA4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8ee3590e-ce33-42c6-8250-df185af8daa4"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ac863d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82ac863d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82ac9960, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x541f)) returned 1 [0200.440] SetEvent (hEvent=0x110) returned 1 [0200.440] SetEvent (hEvent=0x420) returned 1 [0200.441] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9056E597-0C30-4F42-BA7A-70B004BF042A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9056e597-0c30-4f42-ba7a-70b004bf042a"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb476eaa3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb476eaa3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb476fe6d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c3c)) returned 1 [0200.441] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8EE3590E-CE33-42C6-8250-DF185AF8DAA4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8ee3590e-ce33-42c6-8250-df185af8daa4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.442] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.442] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8EE3590E-CE33-42C6-8250-DF185AF8DAA4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8ee3590e-ce33-42c6-8250-df185af8daa4"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ac863d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82ac863d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82ac9960, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x541f)) returned 1 [0200.442] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844460 | out: pbBuffer=0x12844460) returned 1 [0200.442] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b40 | out: pbBuffer=0x12848b40) returned 1 [0200.442] ReadFile (in: hFile=0x15c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a6fd1c*=0x541f, lpOverlapped=0x0) returned 1 [0200.696] GetFileType (hFile=0x15c) returned 0x1 [0200.696] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.696] WriteFile (in: hFile=0x15c, lpBuffer=0x128a2a00*, nNumberOfBytesToWrite=0x541f, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x128a2a00*, lpNumberOfBytesWritten=0x12a6fd00*=0x541f, lpOverlapped=0x12a6fd0c) returned 1 [0200.697] GetFileType (hFile=0x15c) returned 0x1 [0200.697] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x541f, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.697] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0200.697] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0200.697] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0200.697] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102f0 | out: pbBuffer=0x128102f0) returned 1 [0200.697] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8EE3590E-CE33-42C6-8250-DF185AF8DAA4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8ee3590e-ce33-42c6-8250-df185af8daa4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.698] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.698] WriteFile (in: hFile=0x448, lpBuffer=0x12851400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12851400*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.698] CloseHandle (hObject=0x448) returned 1 [0200.698] CloseHandle (hObject=0x15c) returned 1 [0200.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810308 | out: pbBuffer=0x12810308) returned 1 [0200.699] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8EE3590E-CE33-42C6-8250-DF185AF8DAA4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8ee3590e-ce33-42c6-8250-df185af8daa4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[71D64D60909EDABC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[71d64d60909edabc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.700] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9A557D1E-5B55-45D0-B83F-66D1CCFBCC32" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9a557d1e-5b55-45d0-b83f-66d1ccfbcc32"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b07c5d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b07c5d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b07c5d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xd2e)) returned 1 [0200.700] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9CFC7195-9421-404F-A40A-EEBD8F033365" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9cfc7195-9421-404f-a40a-eebd8f033365"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a15964, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a15964, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a16c5a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x451)) returned 1 [0200.701] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9A557D1E-5B55-45D0-B83F-66D1CCFBCC32" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9a557d1e-5b55-45d0-b83f-66d1ccfbcc32"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.702] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.702] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9A557D1E-5B55-45D0-B83F-66D1CCFBCC32" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9a557d1e-5b55-45d0-b83f-66d1ccfbcc32"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b07c5d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b07c5d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b07c5d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xd2e)) returned 1 [0200.702] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845d20 | out: pbBuffer=0x12845d20) returned 1 [0200.702] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128108b0 | out: pbBuffer=0x128108b0) returned 1 [0200.703] ReadFile (in: hFile=0x15c, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12a6fd1c*=0xd2e, lpOverlapped=0x0) returned 1 [0200.718] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0200.747] SetEvent (hEvent=0x40c) returned 1 [0200.775] SetEvent (hEvent=0x40c) returned 1 [0200.775] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0200.784] SetEvent (hEvent=0x40c) returned 1 [0200.784] SetEvent (hEvent=0x19c) returned 1 [0200.784] GetFileType (hFile=0x3c4) returned 0x1 [0200.784] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.784] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a1d000*, nNumberOfBytesToWrite=0xd8b, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12a1d000*, lpNumberOfBytesWritten=0x12a73d00*=0xd8b, lpOverlapped=0x12a73d0c) returned 1 [0200.785] GetFileType (hFile=0x3c4) returned 0x1 [0200.785] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0xd8b, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0200.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0200.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0200.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1f0 | out: pbBuffer=0x12a9a1f0) returned 1 [0200.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\96BAA0E7-CE03-46C0-A45A-8F71ADB9C825" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\96baa0e7-ce03-46c0-a45a-8f71adb9c825"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.786] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0200.786] WriteFile (in: hFile=0x438, lpBuffer=0x12a22500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a22500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.787] CloseHandle (hObject=0x438) returned 1 [0200.787] CloseHandle (hObject=0x3c4) returned 1 [0200.787] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a208 | out: pbBuffer=0x12a9a208) returned 1 [0200.787] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\96BAA0E7-CE03-46C0-A45A-8F71ADB9C825" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\96baa0e7-ce03-46c0-a45a-8f71adb9c825"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[C0703D1A9B7CFDC5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[c0703d1a9b7cfdc5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.789] GetFileType (hFile=0x15c) returned 0x1 [0200.789] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.789] WriteFile (in: hFile=0x15c, lpBuffer=0x12856000*, nNumberOfBytesToWrite=0xd2e, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12856000*, lpNumberOfBytesWritten=0x12a6fd00*=0xd2e, lpOverlapped=0x12a6fd0c) returned 1 [0200.789] GetFileType (hFile=0x15c) returned 0x1 [0200.789] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xd2e, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.789] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0200.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0200.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0200.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a308 | out: pbBuffer=0x12a9a308) returned 1 [0200.790] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9A557D1E-5B55-45D0-B83F-66D1CCFBCC32" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9a557d1e-5b55-45d0-b83f-66d1ccfbcc32"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.790] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.790] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a22a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a22a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.791] CloseHandle (hObject=0x3c4) returned 1 [0200.791] CloseHandle (hObject=0x15c) returned 1 [0200.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a320 | out: pbBuffer=0x12a9a320) returned 1 [0200.791] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9A557D1E-5B55-45D0-B83F-66D1CCFBCC32" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9a557d1e-5b55-45d0-b83f-66d1ccfbcc32"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[5F737B93E3763F68]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[5f737b93e3763f68]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.792] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A0D2B79B-05BB-4871-8DE6-E766643BD65E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a0d2b79b-05bb-4871-8de6-e766643bd65e"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabbdccf8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabbdccf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabbdccf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x135f)) returned 1 [0200.793] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A1E234BD-B121-49A0-9B4B-BBF6A832161B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a1e234bd-b121-49a0-9b4b-bbf6a832161b"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae01a6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae01a6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae01a6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x108a)) returned 1 [0200.793] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A2F95592-6A7F-475A-878F-C593DA8BBEDD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a2f95592-6a7f-475a-878f-c593da8bbedd"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829ef008, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829ef008, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829ef008, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x990a)) returned 1 [0200.793] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A50A8D38-2A06-4EF5-A84C-B00C714F6B16" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a50a8d38-2a06-4ef5-a84c-b00c714f6b16"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bb0641, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bb0641, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bb19b0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c34)) returned 1 [0200.794] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a5dec71f-cf32-4aad-a02a-3b306b7f1fcc"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89f5df6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc89f5df6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc89f5df6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc70)) returned 1 [0200.794] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A50A8D38-2A06-4EF5-A84C-B00C714F6B16" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a50a8d38-2a06-4ef5-a84c-b00c714f6b16"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.795] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.795] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A50A8D38-2A06-4EF5-A84C-B00C714F6B16" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a50a8d38-2a06-4ef5-a84c-b00c714f6b16"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bb0641, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bb0641, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bb19b0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c34)) returned 1 [0200.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286a0 | out: pbBuffer=0x129286a0) returned 1 [0200.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b0d0 | out: pbBuffer=0x12a9b0d0) returned 1 [0200.795] ReadFile (in: hFile=0x15c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a6fd1c*=0x2c34, lpOverlapped=0x0) returned 1 [0200.810] GetFileType (hFile=0x15c) returned 0x1 [0200.811] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.811] WriteFile (in: hFile=0x15c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x2c34, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12a6fd00*=0x2c34, lpOverlapped=0x12a6fd0c) returned 1 [0200.811] GetFileType (hFile=0x15c) returned 0x1 [0200.811] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x2c34, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0200.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0200.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0200.812] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b188 | out: pbBuffer=0x12a9b188) returned 1 [0200.812] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A50A8D38-2A06-4EF5-A84C-B00C714F6B16" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a50a8d38-2a06-4ef5-a84c-b00c714f6b16"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.812] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.812] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a22f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a22f00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.813] CloseHandle (hObject=0x1a0) returned 1 [0200.813] CloseHandle (hObject=0x15c) returned 1 [0200.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b1a0 | out: pbBuffer=0x12a9b1a0) returned 1 [0200.813] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A50A8D38-2A06-4EF5-A84C-B00C714F6B16" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a50a8d38-2a06-4ef5-a84c-b00c714f6b16"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[24BEBD9F6C5A6F44]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[24bebd9f6c5a6f44]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.814] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a5dec71f-cf32-4aad-a02a-3b306b7f1fcc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.815] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.815] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a5dec71f-cf32-4aad-a02a-3b306b7f1fcc"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89f5df6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc89f5df6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc89f5df6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc70)) returned 1 [0200.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129288a0 | out: pbBuffer=0x129288a0) returned 1 [0200.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b1e8 | out: pbBuffer=0x12a9b1e8) returned 1 [0200.817] ReadFile (in: hFile=0x15c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a6fd1c*=0xc70, lpOverlapped=0x0) returned 1 [0200.833] GetFileType (hFile=0x15c) returned 0x1 [0200.833] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.833] WriteFile (in: hFile=0x15c, lpBuffer=0x12aec000*, nNumberOfBytesToWrite=0xc70, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12aec000*, lpNumberOfBytesWritten=0x12a6fd00*=0xc70, lpOverlapped=0x12a6fd0c) returned 1 [0200.834] GetFileType (hFile=0x15c) returned 0x1 [0200.834] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xc70, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835181 | out: pbBuffer=0x12835181) returned 1 [0200.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835281 | out: pbBuffer=0x12835281) returned 1 [0200.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835381 | out: pbBuffer=0x12835381) returned 1 [0200.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b2a0 | out: pbBuffer=0x12a9b2a0) returned 1 [0200.835] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a5dec71f-cf32-4aad-a02a-3b306b7f1fcc"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.835] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.835] WriteFile (in: hFile=0x448, lpBuffer=0x12a23400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a23400*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.835] CloseHandle (hObject=0x448) returned 1 [0200.835] CloseHandle (hObject=0x15c) returned 1 [0200.835] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b2b8 | out: pbBuffer=0x12a9b2b8) returned 1 [0200.836] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a5dec71f-cf32-4aad-a02a-3b306b7f1fcc"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[01B211BDB9BE236A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[01b211bdb9be236a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\ABF009F6-7021-47EC-8025-BE55AD5EBB57" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\abf009f6-7021-47ec-8025-be55ad5ebb57"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.837] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.837] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\ABF009F6-7021-47EC-8025-BE55AD5EBB57" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\abf009f6-7021-47ec-8025-be55ad5ebb57"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabac2fca, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabac2fca, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabac3f0e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14c5)) returned 1 [0200.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928aa0 | out: pbBuffer=0x12928aa0) returned 1 [0200.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b300 | out: pbBuffer=0x12a9b300) returned 1 [0200.837] ReadFile (in: hFile=0x15c, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x12a6fd1c*=0x14c5, lpOverlapped=0x0) returned 1 [0200.864] GetFileType (hFile=0x15c) returned 0x1 [0200.864] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.864] WriteFile (in: hFile=0x15c, lpBuffer=0x12a92000*, nNumberOfBytesToWrite=0x14c5, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12a92000*, lpNumberOfBytesWritten=0x12a6fd00*=0x14c5, lpOverlapped=0x12a6fd0c) returned 1 [0200.864] GetFileType (hFile=0x15c) returned 0x1 [0200.864] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x14c5, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.864] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835581 | out: pbBuffer=0x12835581) returned 1 [0200.864] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835681 | out: pbBuffer=0x12835681) returned 1 [0200.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835781 | out: pbBuffer=0x12835781) returned 1 [0200.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b3b8 | out: pbBuffer=0x12a9b3b8) returned 1 [0200.865] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\ABF009F6-7021-47EC-8025-BE55AD5EBB57" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\abf009f6-7021-47ec-8025-be55ad5ebb57"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.865] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.865] WriteFile (in: hFile=0x448, lpBuffer=0x12a23900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a23900*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.866] CloseHandle (hObject=0x448) returned 1 [0200.866] CloseHandle (hObject=0x15c) returned 1 [0200.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b3d0 | out: pbBuffer=0x12a9b3d0) returned 1 [0200.866] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\ABF009F6-7021-47EC-8025-BE55AD5EBB57" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\abf009f6-7021-47ec-8025-be55ad5ebb57"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[FD7D02BC7D9FC971]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[fd7d02bc7d9fc971]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.867] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B1725647-3A36-4C56-9803-89EDCA8238A8" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b1725647-3a36-4c56-9803-89edca8238a8"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.868] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.868] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B1725647-3A36-4C56-9803-89EDCA8238A8" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b1725647-3a36-4c56-9803-89edca8238a8"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f96f2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f96f2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9faa6d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2132)) returned 1 [0200.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928ca0 | out: pbBuffer=0x12928ca0) returned 1 [0200.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b418 | out: pbBuffer=0x12a9b418) returned 1 [0200.868] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x0 [0200.873] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0200.873] SetEvent (hEvent=0x110) returned 1 [0200.873] SetEvent (hEvent=0x19c) returned 1 [0200.874] ReadFile (in: hFile=0x15c, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12a6fd1c*=0x2132, lpOverlapped=0x0) returned 1 [0200.879] GetFileType (hFile=0x15c) returned 0x1 [0200.879] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.879] WriteFile (in: hFile=0x15c, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x2132, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12a6fd00*=0x2132, lpOverlapped=0x12a6fd0c) returned 1 [0200.880] GetFileType (hFile=0x15c) returned 0x1 [0200.880] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x2132, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0200.880] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0200.881] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0200.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810218 | out: pbBuffer=0x12810218) returned 1 [0200.892] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B1725647-3A36-4C56-9803-89EDCA8238A8" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b1725647-3a36-4c56-9803-89edca8238a8"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.892] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.893] WriteFile (in: hFile=0x438, lpBuffer=0x12c32a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.893] CloseHandle (hObject=0x438) returned 1 [0200.893] CloseHandle (hObject=0x15c) returned 1 [0200.893] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0200.893] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B1725647-3A36-4C56-9803-89EDCA8238A8" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b1725647-3a36-4c56-9803-89edca8238a8"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[872EAB4EC2AD38B1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[872eab4ec2ad38b1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.894] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0200.929] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BFB97937-ABF1-480A-946B-D367067F68C4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bfb97937-abf1-480a-946b-d367067f68c4"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae635e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae635e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae635e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7f46)) returned 1 [0200.930] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C0B5FEFE-C6C1-439E-B89D-E39A2031E527" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c0b5fefe-c6c1-439e-b89d-e39a2031e527"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c1295, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c1295, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c1295, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3c73)) returned 1 [0200.930] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BFB97937-ABF1-480A-946B-D367067F68C4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bfb97937-abf1-480a-946b-d367067f68c4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.931] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.931] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BFB97937-ABF1-480A-946B-D367067F68C4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bfb97937-abf1-480a-946b-d367067f68c4"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae635e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae635e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae635e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7f46)) returned 1 [0200.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0200.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c345a0 | out: pbBuffer=0x12c345a0) returned 1 [0200.931] ReadFile (in: hFile=0x3c4, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12829d1c*=0x7f46, lpOverlapped=0x0) returned 1 [0200.959] GetFileType (hFile=0x3c4) returned 0x1 [0200.959] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.959] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x7f46, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12829d00*=0x7f46, lpOverlapped=0x12829d0c) returned 1 [0200.959] GetFileType (hFile=0x3c4) returned 0x1 [0200.960] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x7f46, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.960] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0200.960] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0200.960] SetEvent (hEvent=0x420) returned 1 [0200.960] SetEvent (hEvent=0x1d0) returned 1 [0200.961] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0200.961] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0200.961] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34658 | out: pbBuffer=0x12c34658) returned 1 [0200.961] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BFB97937-ABF1-480A-946B-D367067F68C4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bfb97937-abf1-480a-946b-d367067f68c4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.962] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.962] WriteFile (in: hFile=0x448, lpBuffer=0x12856000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12856000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.962] CloseHandle (hObject=0x448) returned 1 [0200.962] CloseHandle (hObject=0x3c4) returned 1 [0200.962] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34670 | out: pbBuffer=0x12c34670) returned 1 [0200.963] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BFB97937-ABF1-480A-946B-D367067F68C4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bfb97937-abf1-480a-946b-d367067f68c4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[9EA651095A57C9BE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[9ea651095a57c9be]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.965] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0200.976] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0200.976] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0200.977] SetEvent (hEvent=0x1d0) returned 1 [0200.977] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0200.984] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0200.984] GetFileType (hFile=0x1a0) returned 0x1 [0200.984] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.984] WriteFile (in: hFile=0x1a0, lpBuffer=0x128e4000*, nNumberOfBytesToWrite=0x1ffd, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x128e4000*, lpNumberOfBytesWritten=0x12a6dd00*=0x1ffd, lpOverlapped=0x12a6dd0c) returned 1 [0200.985] GetFileType (hFile=0x1a0) returned 0x1 [0200.985] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1ffd, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.985] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0200.985] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0200.985] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0200.986] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0200.986] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c3dc5bd1-4ab1-4bdd-acb0-fcca65ee3d2a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.986] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.986] WriteFile (in: hFile=0x3c4, lpBuffer=0x129b4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x129b4000*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.986] CloseHandle (hObject=0x3c4) returned 1 [0200.986] CloseHandle (hObject=0x1a0) returned 1 [0200.987] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0200.987] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c3dc5bd1-4ab1-4bdd-acb0-fcca65ee3d2a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[074788E58CF6FA28]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[074788e58cf6fa28]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.988] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C85A59C5-2B02-4194-AB2C-0E6E2B6031A0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c85a59c5-2b02-4194-ab2c-0e6e2b6031a0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.988] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.988] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C85A59C5-2B02-4194-AB2C-0E6E2B6031A0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c85a59c5-2b02-4194-ab2c-0e6e2b6031a0"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829b15f8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829b15f8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829b5109, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x634f)) returned 1 [0200.988] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844400 | out: pbBuffer=0x12844400) returned 1 [0200.988] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848400 | out: pbBuffer=0x12848400) returned 1 [0200.988] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x12a6dd1c*=0x634f, lpOverlapped=0x0) returned 1 [0201.006] GetFileType (hFile=0x1a0) returned 0x1 [0201.006] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.006] WriteFile (in: hFile=0x1a0, lpBuffer=0x12bd6000*, nNumberOfBytesToWrite=0x634f, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12bd6000*, lpNumberOfBytesWritten=0x12a6dd00*=0x634f, lpOverlapped=0x12a6dd0c) returned 1 [0201.007] GetFileType (hFile=0x1a0) returned 0x1 [0201.007] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x634f, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0201.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0201.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0201.007] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484d8 | out: pbBuffer=0x128484d8) returned 1 [0201.007] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C85A59C5-2B02-4194-AB2C-0E6E2B6031A0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c85a59c5-2b02-4194-ab2c-0e6e2b6031a0"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0201.008] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.008] WriteFile (in: hFile=0x438, lpBuffer=0x129b4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x129b4500*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.008] CloseHandle (hObject=0x438) returned 1 [0201.008] CloseHandle (hObject=0x1a0) returned 1 [0201.008] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484f0 | out: pbBuffer=0x128484f0) returned 1 [0201.008] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C85A59C5-2B02-4194-AB2C-0E6E2B6031A0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c85a59c5-2b02-4194-ab2c-0e6e2b6031a0"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[BB3F911E4EF13CD2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[bb3f911e4ef13cd2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.009] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ccb1b3fc-5e0c-4241-abc1-ca67b6c56947"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0201.009] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.009] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ccb1b3fc-5e0c-4241-abc1-ca67b6c56947"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8293e9d0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x8293e9d0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x8293ff31, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1e19)) returned 1 [0201.009] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128448a0 | out: pbBuffer=0x128448a0) returned 1 [0201.009] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848538 | out: pbBuffer=0x12848538) returned 1 [0201.009] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x1e19, lpOverlapped=0x0) returned 1 [0201.036] GetFileType (hFile=0x1a0) returned 0x1 [0201.036] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.036] WriteFile (in: hFile=0x1a0, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x1e19, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x12a6dd00*=0x1e19, lpOverlapped=0x12a6dd0c) returned 1 [0201.037] GetFileType (hFile=0x1a0) returned 0x1 [0201.037] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1e19, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0201.037] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0201.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0201.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0201.044] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ccb1b3fc-5e0c-4241-abc1-ca67b6c56947"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.044] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.044] WriteFile (in: hFile=0x448, lpBuffer=0x129b4a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x129b4a00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.045] CloseHandle (hObject=0x448) returned 1 [0201.045] CloseHandle (hObject=0x1a0) returned 1 [0201.045] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848638 | out: pbBuffer=0x12848638) returned 1 [0201.045] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ccb1b3fc-5e0c-4241-abc1-ca67b6c56947"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[57B32DA82635AADB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[57b32da82635aadb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.046] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D03B54D7-2F02-4F26-B245-6759FD3E5356" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d03b54d7-2f02-4f26-b245-6759fd3e5356"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0201.046] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.046] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D03B54D7-2F02-4F26-B245-6759FD3E5356" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d03b54d7-2f02-4f26-b245-6759fd3e5356"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d89a80, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d89a80, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d8ae10, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x595d)) returned 1 [0201.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845280 | out: pbBuffer=0x12845280) returned 1 [0201.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128486b0 | out: pbBuffer=0x128486b0) returned 1 [0201.047] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a6dd1c*=0x595d, lpOverlapped=0x0) returned 1 [0201.131] SetEvent (hEvent=0x110) returned 1 [0201.131] GetFileType (hFile=0x1a0) returned 0x1 [0201.132] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.132] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x595d, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12a6dd00*=0x595d, lpOverlapped=0x12a6dd0c) returned 1 [0201.132] GetFileType (hFile=0x1a0) returned 0x1 [0201.132] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x595d, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.132] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0201.133] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0201.133] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0201.133] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810218 | out: pbBuffer=0x12810218) returned 1 [0201.133] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D03B54D7-2F02-4F26-B245-6759FD3E5356" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d03b54d7-2f02-4f26-b245-6759fd3e5356"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.134] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.134] WriteFile (in: hFile=0x448, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.134] CloseHandle (hObject=0x448) returned 1 [0201.134] CloseHandle (hObject=0x1a0) returned 1 [0201.135] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810230 | out: pbBuffer=0x12810230) returned 1 [0201.135] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D03B54D7-2F02-4F26-B245-6759FD3E5356" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d03b54d7-2f02-4f26-b245-6759fd3e5356"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[A4BD82F0340131DB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[a4bd82f0340131db]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.136] SetEvent (hEvent=0x1d0) returned 1 [0201.136] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DB4F9AB3-289C-4C85-93DC-C7725673E79B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\db4f9ab3-289c-4c85-93dc-c7725673e79b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0201.136] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.137] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DB4F9AB3-289C-4C85-93DC-C7725673E79B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\db4f9ab3-289c-4c85-93dc-c7725673e79b"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc856808a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc856808a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc856808a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xfe2)) returned 1 [0201.137] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98440 | out: pbBuffer=0x12a98440) returned 1 [0201.137] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810288 | out: pbBuffer=0x12810288) returned 1 [0201.137] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a6dd1c*=0xfe2, lpOverlapped=0x0) returned 1 [0201.139] GetFileType (hFile=0x1a0) returned 0x1 [0201.139] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.139] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a9e000*, nNumberOfBytesToWrite=0xfe2, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12a9e000*, lpNumberOfBytesWritten=0x12a6dd00*=0xfe2, lpOverlapped=0x12a6dd0c) returned 1 [0201.139] GetFileType (hFile=0x1a0) returned 0x1 [0201.139] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfe2, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0201.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0201.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0201.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810340 | out: pbBuffer=0x12810340) returned 1 [0201.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DB4F9AB3-289C-4C85-93DC-C7725673E79B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\db4f9ab3-289c-4c85-93dc-c7725673e79b"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.141] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.141] WriteFile (in: hFile=0x448, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.141] CloseHandle (hObject=0x448) returned 1 [0201.141] CloseHandle (hObject=0x1a0) returned 1 [0201.141] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810358 | out: pbBuffer=0x12810358) returned 1 [0201.142] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DB4F9AB3-289C-4C85-93DC-C7725673E79B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\db4f9ab3-289c-4c85-93dc-c7725673e79b"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[86ABE665B90631A2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[86abe665b90631a2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.143] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DC2A3CBD-DDE4-4C82-98B2-97C578971471" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\dc2a3cbd-dde4-4c82-98b2-97c578971471"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d69f78, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d69f78, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d69f78, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2913)) returned 1 [0201.146] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e2b74c9d-38f9-4af3-849b-6f6ed185ffc9"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89439d3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc89439d3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc89439d3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2516)) returned 1 [0201.146] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DC2A3CBD-DDE4-4C82-98B2-97C578971471" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\dc2a3cbd-dde4-4c82-98b2-97c578971471"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0201.147] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.147] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DC2A3CBD-DDE4-4C82-98B2-97C578971471" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\dc2a3cbd-dde4-4c82-98b2-97c578971471"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d69f78, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d69f78, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d69f78, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2913)) returned 1 [0201.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98640 | out: pbBuffer=0x12a98640) returned 1 [0201.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810900 | out: pbBuffer=0x12810900) returned 1 [0201.147] ReadFile (in: hFile=0x1a0, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x2913, lpOverlapped=0x0) returned 1 [0201.218] SetEvent (hEvent=0x110) returned 1 [0201.218] GetFileType (hFile=0x1a0) returned 0x1 [0201.218] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.218] WriteFile (in: hFile=0x1a0, lpBuffer=0x12afe000*, nNumberOfBytesToWrite=0x2913, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12afe000*, lpNumberOfBytesWritten=0x12a6dd00*=0x2913, lpOverlapped=0x12a6dd0c) returned 1 [0201.218] GetFileType (hFile=0x1a0) returned 0x1 [0201.218] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2913, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.218] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801d81 | out: pbBuffer=0x12801d81) returned 1 [0201.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801e81 | out: pbBuffer=0x12801e81) returned 1 [0201.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801f81 | out: pbBuffer=0x12801f81) returned 1 [0201.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811268 | out: pbBuffer=0x12811268) returned 1 [0201.219] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DC2A3CBD-DDE4-4C82-98B2-97C578971471" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\dc2a3cbd-dde4-4c82-98b2-97c578971471"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.219] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.219] WriteFile (in: hFile=0x448, lpBuffer=0x12924a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12924a00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.219] CloseHandle (hObject=0x448) returned 1 [0201.220] CloseHandle (hObject=0x1a0) returned 1 [0201.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811280 | out: pbBuffer=0x12811280) returned 1 [0201.220] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DC2A3CBD-DDE4-4C82-98B2-97C578971471" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\dc2a3cbd-dde4-4c82-98b2-97c578971471"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[76F856F0CD68E2C6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[76f856f0cd68e2c6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.221] SetEvent (hEvent=0x1d0) returned 1 [0201.221] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E8B41E01-FE51-4F72-9829-70D724467D17" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e8b41e01-fe51-4f72-9829-70d724467d17"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0201.221] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E8B41E01-FE51-4F72-9829-70D724467D17" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e8b41e01-fe51-4f72-9829-70d724467d17"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bd5ee3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bd5ee3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bd85f4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3380)) returned 1 [0201.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98e40 | out: pbBuffer=0x12a98e40) returned 1 [0201.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128112c8 | out: pbBuffer=0x128112c8) returned 1 [0201.222] ReadFile (in: hFile=0x1a0, lpBuffer=0x12bb2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bb2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x3380, lpOverlapped=0x0) returned 1 [0201.228] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0201.232] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0201.232] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0201.232] SetEvent (hEvent=0x110) returned 1 [0201.232] SetEvent (hEvent=0x3f4) returned 1 [0201.232] GetFileType (hFile=0x1a0) returned 0x1 [0201.232] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.232] WriteFile (in: hFile=0x1a0, lpBuffer=0x12856000*, nNumberOfBytesToWrite=0x3380, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12856000*, lpNumberOfBytesWritten=0x12a6dd00*=0x3380, lpOverlapped=0x12a6dd0c) returned 1 [0201.233] GetFileType (hFile=0x1a0) returned 0x1 [0201.233] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3380, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0201.234] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0201.234] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0201.234] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811380 | out: pbBuffer=0x12811380) returned 1 [0201.234] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E8B41E01-FE51-4F72-9829-70D724467D17" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e8b41e01-fe51-4f72-9829-70d724467d17"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.234] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.235] WriteFile (in: hFile=0x448, lpBuffer=0x12924f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12924f00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.235] CloseHandle (hObject=0x448) returned 1 [0201.235] CloseHandle (hObject=0x1a0) returned 1 [0201.235] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811398 | out: pbBuffer=0x12811398) returned 1 [0201.235] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E8B41E01-FE51-4F72-9829-70D724467D17" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e8b41e01-fe51-4f72-9829-70d724467d17"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[CD7AE2BD505C6A89]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[cd7ae2bd505c6a89]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.236] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\EA6554FC-7DB2-4685-948E-52402E811540" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ea6554fc-7db2-4685-948e-52402e811540"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0201.237] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.237] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\EA6554FC-7DB2-4685-948E-52402E811540" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ea6554fc-7db2-4685-948e-52402e811540"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb679a6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb679a6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb679a6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x292e)) returned 1 [0201.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99060 | out: pbBuffer=0x12a99060) returned 1 [0201.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128113e0 | out: pbBuffer=0x128113e0) returned 1 [0201.237] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12a6dd1c*=0x292e, lpOverlapped=0x0) returned 1 [0201.366] SetEvent (hEvent=0x110) returned 1 [0201.366] GetFileType (hFile=0x1a0) returned 0x1 [0201.366] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.367] WriteFile (in: hFile=0x1a0, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x292e, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12a6dd00*=0x292e, lpOverlapped=0x12a6dd0c) returned 1 [0201.367] GetFileType (hFile=0x1a0) returned 0x1 [0201.367] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x292e, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.367] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0201.367] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0201.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0201.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128108a8 | out: pbBuffer=0x128108a8) returned 1 [0201.368] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\EA6554FC-7DB2-4685-948E-52402E811540" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ea6554fc-7db2-4685-948e-52402e811540"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.368] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.368] WriteFile (in: hFile=0x448, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.368] CloseHandle (hObject=0x448) returned 1 [0201.369] CloseHandle (hObject=0x1a0) returned 1 [0201.369] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128108c0 | out: pbBuffer=0x128108c0) returned 1 [0201.369] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\EA6554FC-7DB2-4685-948E-52402E811540" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\ea6554fc-7db2-4685-948e-52402e811540"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[B6866DCD4B76AC24]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[b6866dcd4b76ac24]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.370] SetEvent (hEvent=0x3f4) returned 1 [0201.370] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F97CF839-8F66-44ED-8DB4-5A4D6D408F2E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f97cf839-8f66-44ed-8db4-5a4d6d408f2e"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0201.371] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.371] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F97CF839-8F66-44ED-8DB4-5A4D6D408F2E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f97cf839-8f66-44ed-8db4-5a4d6d408f2e"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c2675f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c2675f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c2675f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x447b)) returned 1 [0201.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98620 | out: pbBuffer=0x12a98620) returned 1 [0201.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810908 | out: pbBuffer=0x12810908) returned 1 [0201.371] ReadFile (in: hFile=0x1a0, lpBuffer=0x129f8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x129f8000*, lpNumberOfBytesRead=0x12a6dd1c*=0x447b, lpOverlapped=0x0) returned 1 [0201.567] GetFileType (hFile=0x1a0) returned 0x1 [0201.567] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.567] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a5a000*, nNumberOfBytesToWrite=0x447b, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12a5a000*, lpNumberOfBytesWritten=0x12a6dd00*=0x447b, lpOverlapped=0x12a6dd0c) returned 1 [0201.567] GetFileType (hFile=0x1a0) returned 0x1 [0201.567] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x447b, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0201.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0201.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0201.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0201.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102e8 | out: pbBuffer=0x128102e8) returned 1 [0201.568] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F97CF839-8F66-44ED-8DB4-5A4D6D408F2E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f97cf839-8f66-44ed-8db4-5a4d6d408f2e"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0201.568] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0201.568] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.568] CloseHandle (hObject=0x42c) returned 1 [0201.568] CloseHandle (hObject=0x1a0) returned 1 [0201.569] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810300 | out: pbBuffer=0x12810300) returned 1 [0201.569] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F97CF839-8F66-44ED-8DB4-5A4D6D408F2E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f97cf839-8f66-44ed-8db4-5a4d6d408f2e"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[664E6E1E26D199D2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[664e6e1e26d199d2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.570] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\msaccess.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8cb2b47, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8cb2b47, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8cb2b47, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x11d02)) returned 1 [0201.570] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officec2rclient.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20bb7bfa, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x20bb7bfa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x20bb8ff9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050)) returned 1 [0201.592] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0201.623] SetEvent (hEvent=0x40c) returned 1 [0201.623] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officeclicktorun.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfcf021, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1cfcf021, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1cfcf021, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050)) returned 1 [0201.637] SetEvent (hEvent=0x40c) returned 1 [0201.637] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\outlook.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b96fdbf, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x14a91)) returned 1 [0201.660] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0201.739] SetEvent (hEvent=0x420) returned 1 [0201.739] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\powerpnt.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb50ff70b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb50ff70b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb50ff70b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12c3e)) returned 1 [0202.489] SetEvent (hEvent=0x1d0) returned 1 [0202.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\powerpnt.exe_rules.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0202.770] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0202.787] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\powerpnt.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb50ff70b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb50ff70b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb50ff70b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12c3e)) returned 1 [0202.961] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844360 | out: pbBuffer=0x12844360) returned 1 [0202.961] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811090 | out: pbBuffer=0x12811090) returned 1 [0202.962] ReadFile (in: hFile=0x15c, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12a6dd1c*=0x12c3e, lpOverlapped=0x0) returned 1 [0203.050] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup.exe_rules.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0203.050] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0203.050] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x5781bc17, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x9d540b29, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x4d2aa)) returned 1 [0203.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128443a0 | out: pbBuffer=0x128443a0) returned 1 [0203.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128110a0 | out: pbBuffer=0x128110a0) returned 1 [0203.060] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0203.456] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0203.552] SetEvent (hEvent=0x40c) returned 1 [0203.552] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0203.562] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0203.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0203.710] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a030 | out: pbBuffer=0x12a9a030) returned 1 [0203.719] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup32.exe_rules.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0203.720] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0203.720] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0203.720] CloseHandle (hObject=0x448) returned 1 [0203.720] CloseHandle (hObject=0x3c4) returned 1 [0203.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a048 | out: pbBuffer=0x12a9a048) returned 1 [0203.882] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup32.exe_rules.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\#_THIS_FILE_IS_ENCRYPTED_[954331E982B35FC6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\#_this_file_is_encrypted_[954331e982b35fc6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0203.883] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otele.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.062] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0204.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec7c65b, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec7c65b, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec7c65b, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x117)) returned 1 [0204.062] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e3e0 | out: pbBuffer=0x1280e3e0) returned 1 [0204.062] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a090 | out: pbBuffer=0x12a9a090) returned 1 [0204.063] ReadFile (in: hFile=0x438, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x117, lpOverlapped=0x0) returned 1 [0204.064] GetFileType (hFile=0x438) returned 0x1 [0204.064] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0204.064] WriteFile (in: hFile=0x438, lpBuffer=0x128f4fc0*, nNumberOfBytesToWrite=0x117, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x128f4fc0*, lpNumberOfBytesWritten=0x12a6dd00*=0x117, lpOverlapped=0x12a6dd0c) returned 1 [0204.065] GetFileType (hFile=0x438) returned 0x1 [0204.065] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x117, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0204.092] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0204.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0204.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0204.134] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a158 | out: pbBuffer=0x12a9a158) returned 1 [0204.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otele.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.135] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0204.135] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0204.157] CloseHandle (hObject=0x3c4) returned 1 [0204.157] CloseHandle (hObject=0x438) returned 1 [0204.157] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a170 | out: pbBuffer=0x12a9a170) returned 1 [0204.157] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otele.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\#_THIS_FILE_IS_ENCRYPTED_[3BFA83417EEAA28D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\#_this_file_is_encrypted_[3bfa83417eeaa28d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.159] SetEvent (hEvent=0xfc) returned 1 [0204.159] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otele.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.159] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0204.159] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec815d6, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec815d6, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec82851, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x12c)) returned 1 [0204.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e680 | out: pbBuffer=0x1280e680) returned 1 [0204.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1c8 | out: pbBuffer=0x12a9a1c8) returned 1 [0204.161] ReadFile (in: hFile=0x438, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a6dd1c*=0x12c, lpOverlapped=0x0) returned 1 [0204.162] GetFileType (hFile=0x438) returned 0x1 [0204.162] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0204.163] WriteFile (in: hFile=0x438, lpBuffer=0x12c38280*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12c38280*, lpNumberOfBytesWritten=0x12a6dd00*=0x12c, lpOverlapped=0x12a6dd0c) returned 1 [0204.163] GetFileType (hFile=0x438) returned 0x1 [0204.163] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x12c, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0204.163] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0204.163] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0204.164] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0204.164] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a290 | out: pbBuffer=0x12a9a290) returned 1 [0204.164] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otele.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.165] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0204.165] WriteFile (in: hFile=0x3c4, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0204.178] CloseHandle (hObject=0x3c4) returned 1 [0204.178] CloseHandle (hObject=0x438) returned 1 [0204.178] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2a8 | out: pbBuffer=0x12a9a2a8) returned 1 [0204.179] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otele.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\#_THIS_FILE_IS_ENCRYPTED_[A9C11D73E39E0F82]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\#_this_file_is_encrypted_[a9c11d73e39e0f82]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.401] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.411] SetEvent (hEvent=0x420) returned 1 [0204.411] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otele.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0204.412] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0204.412] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3052704, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa3052704, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3052704, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x12c)) returned 1 [0204.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844960 | out: pbBuffer=0x12844960) returned 1 [0204.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810780 | out: pbBuffer=0x12810780) returned 1 [0204.413] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0204.415] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.432] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0204.433] SetEvent (hEvent=0x110) returned 1 [0204.433] SetEvent (hEvent=0x420) returned 1 [0204.446] ReadFile (in: hFile=0x15c, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12a6dd1c*=0x12c, lpOverlapped=0x0) returned 1 [0204.457] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0204.477] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.477] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0204.477] SetEvent (hEvent=0x3f4) returned 1 [0204.477] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0204.483] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.483] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.499] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.665] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.676] SetEvent (hEvent=0x40c) returned 1 [0204.676] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f743688, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8f743688, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91beba26, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0204.676] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.700] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.711] SetEvent (hEvent=0x40c) returned 1 [0204.711] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92ed8427, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92ed8427, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93350a85, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0204.712] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.735] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.757] SetEvent (hEvent=0x40c) returned 1 [0204.757] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94bc0dc5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94bc0dc5, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94ebbc59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0204.757] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0204.782] SetEvent (hEvent=0x40c) returned 1 [0204.783] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x959c295b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x959c295b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98355904, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf8000)) returned 1 [0204.801] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bbcedb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8edba01f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8edba01f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.001] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.001] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bbcedb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8bbcedb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8edba01f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0205.002] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bbcedb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8bbcedb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8edba01f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.002] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8edba01f, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8edba01f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8f89abc5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0205.002] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.002] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0205.002] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.086] SetEvent (hEvent=0x110) returned 1 [0205.086] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0205.112] WriteFile (in: hFile=0x448, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0205.114] CloseHandle (hObject=0x448) returned 1 [0205.141] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8edba01f, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8edba01f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8f89abc5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0205.160] SetEvent (hEvent=0x19c) returned 1 [0205.160] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8fca0d59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x907a79a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x907a79a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.266] SetEvent (hEvent=0x110) returned 1 [0205.266] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.267] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8fca0d59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8fca0d59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x907a79a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0205.279] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8fca0d59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8fca0d59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x907a79a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.280] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a79a9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x907a79a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90ea89ac, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0205.280] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.280] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0205.377] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.377] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.378] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0205.430] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0205.430] WriteFile (in: hFile=0x3c4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0205.432] CloseHandle (hObject=0x3c4) returned 1 [0205.432] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a79a9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x907a79a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90ea89ac, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0205.439] SetEvent (hEvent=0x19c) returned 1 [0205.439] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x90f6733c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91510d84, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91510d84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.444] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.444] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x90f6733c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90f6733c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91510d84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0205.444] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x90f6733c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90f6733c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91510d84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.445] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91510d84, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91510d84, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0205.445] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.445] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0205.445] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.445] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.445] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0205.446] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0205.446] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0205.448] CloseHandle (hObject=0x3c4) returned 1 [0205.448] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91510d84, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91510d84, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0205.448] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92954bae, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93186f59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.449] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.449] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92954bae, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92954bae, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0205.449] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92954bae, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92954bae, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.449] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93186f59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93186f59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0205.449] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.449] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0205.450] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.450] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.450] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0205.451] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0205.451] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0205.453] CloseHandle (hObject=0x3c4) returned 1 [0205.453] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93186f59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93186f59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0205.473] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94e232ee, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94e232ee, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.473] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.473] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x944bfdaf, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94e232ee, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0205.473] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x944bfdaf, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94e232ee, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.474] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e232ee, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94e232ee, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x952c1a4e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0205.474] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.474] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0205.474] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.474] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.474] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.476] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0205.476] WriteFile (in: hFile=0x448, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0205.478] CloseHandle (hObject=0x448) returned 1 [0205.478] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e232ee, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94e232ee, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x952c1a4e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0205.478] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95c97643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x962b3645, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x962b3645, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.530] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.531] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95c97643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x95c97643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x962b3645, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0205.531] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95c97643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x95c97643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x962b3645, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.531] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x962b3645, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x962b3645, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96647060, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0205.531] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.531] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0205.531] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.532] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.532] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.613] SetEvent (hEvent=0x110) returned 1 [0205.613] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0205.614] WriteFile (in: hFile=0x448, lpBuffer=0x12b3c000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12b3c000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0205.615] CloseHandle (hObject=0x448) returned 1 [0205.616] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x962b3645, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x962b3645, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96647060, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0205.624] SetEvent (hEvent=0x19c) returned 1 [0205.624] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x967520dd, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x96f11a4d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96f11a4d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.628] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0205.655] SetEvent (hEvent=0x19c) returned 1 [0205.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.655] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x967520dd, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x967520dd, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96f11a4d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0205.656] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x967520dd, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x967520dd, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96f11a4d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.656] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f11a4d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x96f11a4d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97317979, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0205.656] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.656] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0205.656] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.656] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.656] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.657] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0205.657] WriteFile (in: hFile=0x15c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0205.659] CloseHandle (hObject=0x15c) returned 1 [0205.659] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f11a4d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x96f11a4d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97317979, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0205.664] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x973d65a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97a3ea55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97a3ea55, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.667] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.667] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x973d65a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97a3ea55, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0205.667] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x973d65a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97a3ea55, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.667] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3ea55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97a3ea55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97edd415, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0205.667] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.667] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0205.667] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.668] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.668] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.668] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0205.668] WriteFile (in: hFile=0x15c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0205.670] CloseHandle (hObject=0x15c) returned 1 [0205.670] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3ea55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97a3ea55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97edd415, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0205.670] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kok"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x980cd2db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.681] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kok"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.681] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x980cd2db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0205.682] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x980cd2db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.682] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.682] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0205.682] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kok\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.682] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.682] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0205.683] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0205.683] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0205.684] CloseHandle (hObject=0x3c4) returned 1 [0205.684] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13a98591, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27e196bc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0205.685] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0205.685] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13a98591, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27e196bc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13a98591, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27e196bc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x13ec46bb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x141bf54b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x141bf54b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14742dc7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x149cb56a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x149cb56a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14e439d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1513eaa7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1513eaa7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1526fd00, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x0, dwReserved1=0x0, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1583f985, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1583f985, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15a2f89d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15de92d7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15de92d7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15f66b03, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16071ad7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16071ad7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x161c908f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x164ea204, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x164ea204, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ba724f0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c4220a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4220a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1d118c6c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x362c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncApi.dll", cAlternateFileName="FILESY~3.DLL")) returned 1 [0205.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21721d25, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x21721d25, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x218eb79d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncClient.dll", cAlternateFileName="FILESY~4.DLL")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27e196bc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27eb206a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x238c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSyncConfig.exe", cAlternateFileName="FILESY~1.EXE")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x13d93484, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="is", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x146118b3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x146118b3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x146118b3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x153086e5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x153086e5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x153086e5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15e0f45b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15e0f45b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15e0f45b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ka", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16582b22, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16582b22, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x16582b22, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x173aa99c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x173aa99c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x173aa99c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="km-kh", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18b820b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x18b820b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x18b820b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kn", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a48ae1d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a48ae1d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a48ae1d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a975942, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a975942, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a975942, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kok", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ae142b4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ae142b4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ae142b4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ku-arab", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b37172b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b37172b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b37172b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ky", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6464e2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6464e2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6464e2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lb-lu", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4ba8d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4ba8d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c4ba8d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246849d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x246849d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x246849d3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0205.707] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0205.707] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0205.717] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0205.718] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0205.718] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0205.719] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0205.719] WriteFile (in: hFile=0x3c4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0205.721] CloseHandle (hObject=0x3c4) returned 1 [0205.721] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x13ec46bb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0205.729] SetEvent (hEvent=0x1d0) returned 1 [0205.729] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x141bf54b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x141bf54b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14742dc7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0205.730] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x149cb56a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x149cb56a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14e439d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0205.734] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1513eaa7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1513eaa7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1526fd00, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0205.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1583f985, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1583f985, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15a2f89d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0205.794] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0205.826] SetEvent (hEvent=0x10c) returned 1 [0205.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15de92d7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15de92d7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15f66b03, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0205.842] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0205.906] SetEvent (hEvent=0x10c) returned 1 [0205.906] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16071ad7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16071ad7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x161c908f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0205.922] SetEvent (hEvent=0x110) returned 1 [0205.922] SetEvent (hEvent=0xfc) returned 1 [0205.922] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x164ea204, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x164ea204, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ba724f0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0)) returned 1 [0205.947] SetEvent (hEvent=0x19c) returned 1 [0205.947] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c4220a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4220a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1d118c6c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x362c0)) returned 1 [0205.955] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncclient.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21721d25, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x21721d25, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x218eb79d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0)) returned 1 [0205.965] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0206.097] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0206.192] SetEvent (hEvent=0x19c) returned 1 [0206.193] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1425801e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1425801e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.193] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1425801e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0206.193] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1425801e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.193] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425801e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1425801e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x146118b3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.193] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.193] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0206.193] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.194] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0206.194] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.194] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.195] CloseHandle (hObject=0x44c) returned 1 [0206.196] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425801e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1425801e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x146118b3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0206.196] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0206.222] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0206.231] SetEvent (hEvent=0x420) returned 1 [0206.231] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.232] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.232] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a89f12, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x14a89f12, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x151d75c6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0206.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0206.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848630 | out: pbBuffer=0x12848630) returned 1 [0206.232] ReadFile (in: hFile=0x3c4, lpBuffer=0x12a2e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a2e000*, lpNumberOfBytesRead=0x129a7d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0206.237] GetFileType (hFile=0x3c4) returned 0x1 [0206.237] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.237] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x129a7d00*=0x160c0, lpOverlapped=0x129a7d0c) returned 1 [0206.238] GetFileType (hFile=0x3c4) returned 0x1 [0206.238] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0206.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0206.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0206.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848728 | out: pbBuffer=0x12848728) returned 1 [0206.239] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.239] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.239] WriteFile (in: hFile=0x42c, lpBuffer=0x12b00000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b00000*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.239] CloseHandle (hObject=0x42c) returned 1 [0206.239] CloseHandle (hObject=0x3c4) returned 1 [0206.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848750 | out: pbBuffer=0x12848750) returned 1 [0206.239] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\#_THIS_FILE_IS_ENCRYPTED_[DD70FEF0E1309AD2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\#_this_file_is_encrypted_[dd70fef0e1309ad2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.241] SetEvent (hEvent=0x420) returned 1 [0206.241] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.241] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.241] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x158d8246, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x158d8246, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15bf948f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0206.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844500 | out: pbBuffer=0x12844500) returned 1 [0206.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128487b8 | out: pbBuffer=0x128487b8) returned 1 [0206.241] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x0 [0206.245] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0206.246] SetEvent (hEvent=0x110) returned 1 [0206.246] SetEvent (hEvent=0x420) returned 1 [0206.246] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b80000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b80000*, lpNumberOfBytesRead=0x129a7d1c*=0xfcc0, lpOverlapped=0x0) returned 1 [0206.254] GetFileType (hFile=0x3c4) returned 0x1 [0206.254] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.254] WriteFile (in: hFile=0x3c4, lpBuffer=0x12bc0000*, nNumberOfBytesToWrite=0xfcc0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12bc0000*, lpNumberOfBytesWritten=0x129a7d00*=0xfcc0, lpOverlapped=0x129a7d0c) returned 1 [0206.255] GetFileType (hFile=0x3c4) returned 0x1 [0206.255] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0xfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0206.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0206.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0206.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128488c0 | out: pbBuffer=0x128488c0) returned 1 [0206.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.256] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.256] WriteFile (in: hFile=0x42c, lpBuffer=0x12b00500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b00500*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.256] CloseHandle (hObject=0x42c) returned 1 [0206.256] CloseHandle (hObject=0x3c4) returned 1 [0206.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128488f8 | out: pbBuffer=0x128488f8) returned 1 [0206.256] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\#_THIS_FILE_IS_ENCRYPTED_[77A9419603227DD1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\#_this_file_is_encrypted_[77a9419603227dd1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.257] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.258] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.258] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1610a43c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1610a43c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x16392bdd, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0206.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844ac0 | out: pbBuffer=0x12844ac0) returned 1 [0206.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848970 | out: pbBuffer=0x12848970) returned 1 [0206.258] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x129a7d1c*=0x164c0, lpOverlapped=0x0) returned 1 [0206.271] GetFileType (hFile=0x3c4) returned 0x1 [0206.272] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.272] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d24000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12d24000*, lpNumberOfBytesWritten=0x129a7d00*=0x164c0, lpOverlapped=0x129a7d0c) returned 1 [0206.272] GetFileType (hFile=0x3c4) returned 0x1 [0206.272] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0206.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0206.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0206.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848a58 | out: pbBuffer=0x12848a58) returned 1 [0206.274] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.275] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.275] WriteFile (in: hFile=0x42c, lpBuffer=0x12b00a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b00a00*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.275] CloseHandle (hObject=0x42c) returned 1 [0206.275] CloseHandle (hObject=0x3c4) returned 1 [0206.275] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a70 | out: pbBuffer=0x12848a70) returned 1 [0206.275] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\#_THIS_FILE_IS_ENCRYPTED_[CDBDB6360543AEDE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\#_this_file_is_encrypted_[cdbdb6360543aede]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.276] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.277] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.277] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x169161d2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x169161d2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17206ef6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0206.277] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844fa0 | out: pbBuffer=0x12844fa0) returned 1 [0206.277] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ac8 | out: pbBuffer=0x12848ac8) returned 1 [0206.277] ReadFile (in: hFile=0x3c4, lpBuffer=0x12d3c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d3c000*, lpNumberOfBytesRead=0x129a7d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0206.284] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0206.338] GetFileType (hFile=0x3c4) returned 0x1 [0206.338] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.339] WriteFile (in: hFile=0x3c4, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x129a7d00*=0x160c0, lpOverlapped=0x129a7d0c) returned 1 [0206.339] GetFileType (hFile=0x3c4) returned 0x1 [0206.339] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0206.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0206.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0206.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0b0 | out: pbBuffer=0x12a9a0b0) returned 1 [0206.341] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.341] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.341] WriteFile (in: hFile=0x42c, lpBuffer=0x12918500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12918500*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.342] CloseHandle (hObject=0x42c) returned 1 [0206.342] CloseHandle (hObject=0x3c4) returned 1 [0206.342] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0d8 | out: pbBuffer=0x12a9a0d8) returned 1 [0206.342] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\#_THIS_FILE_IS_ENCRYPTED_[219247A20401BA84]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\#_this_file_is_encrypted_[219247a20401ba84]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.389] SetEvent (hEvent=0x110) returned 1 [0206.389] SetEvent (hEvent=0x1d0) returned 1 [0206.389] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.391] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.391] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17f23e2a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x17f23e2a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0206.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e460 | out: pbBuffer=0x1280e460) returned 1 [0206.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a720 | out: pbBuffer=0x12a9a720) returned 1 [0206.391] ReadFile (in: hFile=0x3c4, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x129a7d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0206.399] GetFileType (hFile=0x3c4) returned 0x1 [0206.400] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.400] WriteFile (in: hFile=0x3c4, lpBuffer=0x12aba000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12aba000*, lpNumberOfBytesWritten=0x129a7d00*=0x156c0, lpOverlapped=0x129a7d0c) returned 1 [0206.400] GetFileType (hFile=0x3c4) returned 0x1 [0206.400] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.401] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0206.401] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0206.401] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0206.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a7d8 | out: pbBuffer=0x12a9a7d8) returned 1 [0206.402] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0206.402] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.402] WriteFile (in: hFile=0x438, lpBuffer=0x12918a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12918a00*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.402] CloseHandle (hObject=0x438) returned 1 [0206.402] CloseHandle (hObject=0x3c4) returned 1 [0206.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a7f0 | out: pbBuffer=0x12a9a7f0) returned 1 [0206.403] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\#_THIS_FILE_IS_ENCRYPTED_[D8B69DCCC48B342B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\#_this_file_is_encrypted_[d8b69dccc48b342b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.530] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0206.537] SetEvent (hEvent=0xfc) returned 1 [0206.537] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0206.537] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0206.538] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1989ef6a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1989ef6a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a464b30, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0206.538] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0206.538] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810070 | out: pbBuffer=0x12810070) returned 1 [0206.538] ReadFile (in: hFile=0x448, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x1282fd1c*=0x172c0, lpOverlapped=0x0) returned 1 [0206.552] GetFileType (hFile=0x448) returned 0x1 [0206.552] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0206.552] WriteFile (in: hFile=0x448, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x172c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x1282fd00*=0x172c0, lpOverlapped=0x1282fd0c) returned 1 [0206.553] GetFileType (hFile=0x448) returned 0x1 [0206.553] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x172c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0206.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0206.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0206.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0206.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810148 | out: pbBuffer=0x12810148) returned 1 [0206.555] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0206.555] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0206.555] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b3a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b3a000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0206.555] CloseHandle (hObject=0x1a0) returned 1 [0206.556] CloseHandle (hObject=0x448) returned 1 [0206.556] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0206.556] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\#_THIS_FILE_IS_ENCRYPTED_[C1A3E47C4115DDAB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\#_this_file_is_encrypted_[c1a3e47c4115ddab]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.570] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0206.583] SetEvent (hEvent=0x420) returned 1 [0206.583] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0206.584] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.584] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a7abf56, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a7abf56, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a94f788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0206.584] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0206.584] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101a8 | out: pbBuffer=0x128101a8) returned 1 [0206.585] ReadFile (in: hFile=0x448, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x129a7d1c*=0xf2c0, lpOverlapped=0x0) returned 1 [0206.636] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0207.160] SetEvent (hEvent=0x10c) returned 1 [0207.196] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0207.265] SetEvent (hEvent=0x10c) returned 1 [0208.127] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1cc, buf=0x12854000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x1cc, lpOverlapped=0x128e6088) returned 0 [0208.146] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0208.392] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2facc, ulCount=0x10, ulNumEntriesRemoved=0x33c2fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2facc, ulNumEntriesRemoved=0x33c2fab0) returned 0 [0208.392] SetEvent (hEvent=0x19c) returned 1 [0208.392] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fab4, ulCount=0x10, ulNumEntriesRemoved=0x33c2fa98, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fab4, ulNumEntriesRemoved=0x33c2fa98) returned 0 [0208.392] SwitchToThread () returned 1 [0208.434] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0208.693] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0208.751] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0208.931] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0209.013] SetEvent (hEvent=0x1d0) returned 1 [0209.013] SetEvent (hEvent=0x3f4) returned 1 [0209.013] SetEvent (hEvent=0x1b8) returned 1 [0209.013] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0209.018] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0209.018] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x0 [0209.024] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0209.024] SetEvent (hEvent=0x1d0) returned 1 [0209.024] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x0 [0209.075] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0210.439] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0210.484] SetEvent (hEvent=0x1d0) returned 1 [0210.484] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0210.490] SetEvent (hEvent=0x1d0) returned 1 [0210.490] SetEvent (hEvent=0x3f4) returned 1 [0210.490] SwitchToThread () returned 1 [0210.505] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0211.061] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0213.487] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0213.916] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0214.102] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0214.120] SetEvent (hEvent=0xfc) returned 1 [0214.121] SetEvent (hEvent=0xf4) returned 1 [0214.121] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0214.139] SetEvent (hEvent=0x40c) returned 1 [0214.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcr120.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0214.140] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12cc1d0c | out: lpMode=0x12cc1d0c) returned 0 [0214.140] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcr120.dll"), fInfoLevelId=0x0, lpFileInformation=0x12cc1ad0 | out: lpFileInformation=0x12cc1ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbb9ac6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbbb9ac6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xddeae4a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0)) returned 1 [0214.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0214.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0214.140] ReadFile (in: hFile=0x1a0, lpBuffer=0x129a4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12cc1d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a4000*, lpNumberOfBytesRead=0x12cc1d1c*=0x20000, lpOverlapped=0x0) returned 1 [0214.224] SetEvent (hEvent=0x110) returned 1 [0214.225] GetFileType (hFile=0x1a0) returned 0x1 [0214.225] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12cc1ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.225] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12cc1d00, lpOverlapped=0x12cc1d0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x12cc1d00*=0x20000, lpOverlapped=0x12cc1d0c) returned 1 [0214.226] GetFileType (hFile=0x1a0) returned 0x1 [0214.226] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12cc1ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0214.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0214.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0214.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848e88 | out: pbBuffer=0x12848e88) returned 1 [0214.227] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcr120.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0214.227] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12cc1d0c | out: lpMode=0x12cc1d0c) returned 0 [0214.227] WriteFile (in: hFile=0x3c4, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12cc1d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12cc1d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.361] CloseHandle (hObject=0x3c4) returned 1 [0214.361] CloseHandle (hObject=0x1a0) returned 1 [0214.361] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849048 | out: pbBuffer=0x12849048) returned 1 [0214.363] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcr120.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[6EF5D1F7D0A5AE17]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[6ef5d1f7d0a5ae17]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.385] SetEvent (hEvent=0xf4) returned 1 [0214.385] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0214.386] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12cc1d0c | out: lpMode=0x12cc1d0c) returned 0 [0214.386] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12cc1ad0 | out: lpFileInformation=0x12cc1ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd5d4c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbd5d4c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc2484cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0214.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eda0 | out: pbBuffer=0x1280eda0) returned 1 [0214.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849090 | out: pbBuffer=0x12849090) returned 1 [0214.386] ReadFile (in: hFile=0x1a0, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12cc1d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12cc1d1c*=0x14cc0, lpOverlapped=0x0) returned 1 [0214.402] GetFileType (hFile=0x1a0) returned 0x1 [0214.403] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12cc1ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.403] WriteFile (in: hFile=0x1a0, lpBuffer=0x129dc000*, nNumberOfBytesToWrite=0x14cc0, lpNumberOfBytesWritten=0x12cc1d00, lpOverlapped=0x12cc1d0c | out: lpBuffer=0x129dc000*, lpNumberOfBytesWritten=0x12cc1d00*=0x14cc0, lpOverlapped=0x12cc1d0c) returned 1 [0214.403] GetFileType (hFile=0x1a0) returned 0x1 [0214.403] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x14cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12cc1ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0214.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0214.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0214.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128492b0 | out: pbBuffer=0x128492b0) returned 1 [0214.404] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0214.408] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12cc1d0c | out: lpMode=0x12cc1d0c) returned 0 [0214.408] WriteFile (in: hFile=0x42c, lpBuffer=0x12d0e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12cc1d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d0e500*, lpNumberOfBytesWritten=0x12cc1d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.408] CloseHandle (hObject=0x42c) returned 1 [0214.408] CloseHandle (hObject=0x1a0) returned 1 [0214.408] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128492d8 | out: pbBuffer=0x128492d8) returned 1 [0214.408] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\#_THIS_FILE_IS_ENCRYPTED_[96FEB377FC4AFF39]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\#_this_file_is_encrypted_[96feb377fc4aff39]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.525] SetEvent (hEvent=0x110) returned 1 [0214.525] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0214.603] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0214.632] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0214.655] SetEvent (hEvent=0xfc) returned 1 [0214.655] SwitchToThread () returned 1 [0214.672] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0214.712] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0214.713] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0214.713] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103c6b62, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x103c6b62, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1083ed90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0214.713] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0214.713] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0214.713] ReadFile (in: hFile=0x15c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12be5d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0214.781] GetFileType (hFile=0x15c) returned 0x1 [0214.781] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.781] WriteFile (in: hFile=0x15c, lpBuffer=0x1294c000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x1294c000*, lpNumberOfBytesWritten=0x12be5d00*=0x15ec0, lpOverlapped=0x12be5d0c) returned 1 [0214.782] GetFileType (hFile=0x15c) returned 0x1 [0214.782] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.782] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b301 | out: pbBuffer=0x1286b301) returned 1 [0214.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b401 | out: pbBuffer=0x1286b401) returned 1 [0214.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b501 | out: pbBuffer=0x1286b501) returned 1 [0214.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848788 | out: pbBuffer=0x12848788) returned 1 [0214.783] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.784] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0214.784] WriteFile (in: hFile=0x438, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.784] CloseHandle (hObject=0x438) returned 1 [0214.784] CloseHandle (hObject=0x15c) returned 1 [0214.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128487b0 | out: pbBuffer=0x128487b0) returned 1 [0214.785] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\#_THIS_FILE_IS_ENCRYPTED_[0B19E83D49DF29C5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\#_this_file_is_encrypted_[0b19e83d49df29c5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.828] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0214.834] SetEvent (hEvent=0x10c) returned 1 [0214.834] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0214.834] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0214.834] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13967473, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13967473, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13e071a6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0214.835] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98060 | out: pbBuffer=0x12a98060) returned 1 [0214.835] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34038 | out: pbBuffer=0x12c34038) returned 1 [0214.835] ReadFile (in: hFile=0x15c, lpBuffer=0x12d32000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d32000*, lpNumberOfBytesRead=0x12be5d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0214.901] GetFileType (hFile=0x15c) returned 0x1 [0214.901] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.901] WriteFile (in: hFile=0x15c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be5d00*=0x15ec0, lpOverlapped=0x12be5d0c) returned 1 [0215.392] GetFileType (hFile=0x15c) returned 0x1 [0215.392] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0215.405] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0215.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0215.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0215.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340d0 | out: pbBuffer=0x12c340d0) returned 1 [0215.420] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0215.420] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0215.420] WriteFile (in: hFile=0x448, lpBuffer=0x1285a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285a500*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0215.442] CloseHandle (hObject=0x448) returned 1 [0215.442] CloseHandle (hObject=0x15c) returned 1 [0215.500] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340e8 | out: pbBuffer=0x12c340e8) returned 1 [0215.500] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\#_THIS_FILE_IS_ENCRYPTED_[FB64BF631AF457FD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\#_this_file_is_encrypted_[fb64bf631af457fd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0215.527] SetEvent (hEvent=0x40c) returned 1 [0215.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0215.538] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0215.538] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14b24ea6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14b24ea6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0215.538] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0215.538] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34130 | out: pbBuffer=0x12c34130) returned 1 [0215.539] ReadFile (in: hFile=0x42c, lpBuffer=0x12d10000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d10000*, lpNumberOfBytesRead=0x12be5d1c*=0x168c0, lpOverlapped=0x0) returned 1 [0216.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x170a2d96, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x170a2d96, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17292a39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0217.335] SetEvent (hEvent=0xfc) returned 1 [0217.335] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0217.357] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0217.358] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x170a2d96, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x170a2d96, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17292a39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0217.455] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0217.455] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848630 | out: pbBuffer=0x12848630) returned 1 [0217.478] ReadFile (in: hFile=0x15c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12829d1c*=0x164c0, lpOverlapped=0x0) returned 1 [0217.633] GetFileType (hFile=0x15c) returned 0x1 [0217.633] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0217.634] WriteFile (in: hFile=0x15c, lpBuffer=0x12c0a000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c0a000*, lpNumberOfBytesWritten=0x12829d00*=0x164c0, lpOverlapped=0x12829d0c) returned 1 [0217.634] GetFileType (hFile=0x15c) returned 0x1 [0217.634] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0218.064] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0218.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0218.313] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0218.425] SetEvent (hEvent=0x420) returned 1 [0218.425] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0218.795] SetEvent (hEvent=0x420) returned 1 [0218.795] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0218.898] SetEvent (hEvent=0xf4) returned 1 [0218.959] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0218.998] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0219.006] SetEvent (hEvent=0x1d0) returned 1 [0219.006] SetEvent (hEvent=0x1b8) returned 1 [0219.006] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0219.040] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0219.041] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0219.067] SetEvent (hEvent=0x1b8) returned 1 [0219.067] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0219.075] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0221.875] GetFileType (hFile=0x42c) returned 0x1 [0221.875] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0221.875] WriteFile (in: hFile=0x42c, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x123c, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x12be7d00*=0x123c, lpOverlapped=0x12be7d0c) returned 1 [0221.878] GetFileType (hFile=0x42c) returned 0x1 [0221.878] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x123c, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0223.117] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0223.281] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a101 | out: pbBuffer=0x1286a101) returned 1 [0223.282] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a281 | out: pbBuffer=0x1286a281) returned 1 [0223.282] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a381 | out: pbBuffer=0x1286a381) returned 1 [0223.431] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34328 | out: pbBuffer=0x12c34328) returned 1 [0223.431] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0223.431] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0223.431] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0223.577] CloseHandle (hObject=0x448) returned 1 [0223.577] CloseHandle (hObject=0x15c) returned 1 [0223.976] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34360 | out: pbBuffer=0x12c34360) returned 1 [0224.005] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[959F36C33457BD97]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[959f36c33457bd97]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0224.377] SetEvent (hEvent=0x110) returned 1 [0224.390] SetEvent (hEvent=0x420) returned 1 [0224.390] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\etwlog.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0224.391] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0224.392] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f96ed39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f96ed39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4fa075cf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0224.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ede0 | out: pbBuffer=0x1280ede0) returned 1 [0224.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8608 | out: pbBuffer=0x128e8608) returned 1 [0224.444] ReadFile (in: hFile=0x42c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12be9d1c*=0x72c0, lpOverlapped=0x0) returned 1 [0224.460] GetFileType (hFile=0x42c) returned 0x1 [0224.460] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.461] WriteFile (in: hFile=0x42c, lpBuffer=0x12962000*, nNumberOfBytesToWrite=0x72c0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12962000*, lpNumberOfBytesWritten=0x12be9d00*=0x72c0, lpOverlapped=0x12be9d0c) returned 1 [0224.461] GetFileType (hFile=0x42c) returned 0x1 [0224.461] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x72c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.461] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0224.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0224.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0224.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e86c0 | out: pbBuffer=0x128e86c0) returned 1 [0224.462] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\etwlog.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0224.463] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0224.463] WriteFile (in: hFile=0x1a0, lpBuffer=0x12cf6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12cf6000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0224.463] CloseHandle (hObject=0x1a0) returned 1 [0224.511] CloseHandle (hObject=0x42c) returned 1 [0224.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e86d8 | out: pbBuffer=0x128e86d8) returned 1 [0224.511] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\etwlog.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[6177A5D1744D5559]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[6177a5d1744d5559]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0224.608] SetEvent (hEvent=0x40c) returned 1 [0224.608] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0224.620] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0224.620] SetEvent (hEvent=0x40c) returned 1 [0224.620] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0224.638] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0224.638] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0224.652] SetEvent (hEvent=0x40c) returned 1 [0224.652] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0224.660] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0224.660] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0224.661] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0224.661] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50390d5d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50390d5d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x505a6c82, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0)) returned 1 [0224.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0224.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0224.662] ReadFile (in: hFile=0x42c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0224.670] GetFileType (hFile=0x42c) returned 0x1 [0224.670] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.671] WriteFile (in: hFile=0x42c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0224.672] GetFileType (hFile=0x42c) returned 0x1 [0224.672] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.672] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0224.672] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0224.672] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0224.673] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0224.673] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.resources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0224.673] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0224.673] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0224.683] CloseHandle (hObject=0x1a0) returned 1 [0224.691] CloseHandle (hObject=0x42c) returned 1 [0224.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0224.707] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.resources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[F392D56BEFE3F918]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[f392d56befe3f918]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0224.940] SetEvent (hEvent=0x110) returned 1 [0224.940] SetEvent (hEvent=0x40c) returned 1 [0224.940] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncsessions.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0224.941] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0224.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncsessions.dll"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ade11a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50ade11a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50fc8d11, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0)) returned 1 [0224.941] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844ac0 | out: pbBuffer=0x12844ac0) returned 1 [0224.941] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848548 | out: pbBuffer=0x12848548) returned 1 [0224.942] ReadFile (in: hFile=0x1a0, lpBuffer=0x12a02000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a02000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0224.952] GetFileType (hFile=0x1a0) returned 0x1 [0224.952] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.952] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c8c000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c8c000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0224.953] GetFileType (hFile=0x1a0) returned 0x1 [0224.953] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0224.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0224.953] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0224.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848630 | out: pbBuffer=0x12848630) returned 1 [0224.954] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncsessions.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0224.954] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0224.954] WriteFile (in: hFile=0x44c, lpBuffer=0x12cf6f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12cf6f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0224.960] CloseHandle (hObject=0x44c) returned 1 [0224.969] CloseHandle (hObject=0x1a0) returned 1 [0224.976] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848648 | out: pbBuffer=0x12848648) returned 1 [0224.977] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncsessions.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[F0C1116DEDCF40BE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[f0c1116dedcf40be]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0225.509] SetEvent (hEvent=0x110) returned 1 [0225.510] SetEvent (hEvent=0x40c) returned 1 [0225.510] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\remoteaccess.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0225.510] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0225.510] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\remoteaccess.dll"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51aa9ab3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51aa9ab3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5456dd0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0)) returned 1 [0225.510] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0225.510] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0225.511] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ca6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca6000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0225.738] GetFileType (hFile=0x1a0) returned 0x1 [0225.738] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.738] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d4a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d4a000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0225.739] GetFileType (hFile=0x1a0) returned 0x1 [0225.739] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0225.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0225.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0225.739] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341a0 | out: pbBuffer=0x12c341a0) returned 1 [0225.739] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\remoteaccess.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0225.740] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0225.740] WriteFile (in: hFile=0x44c, lpBuffer=0x12aeaa00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aeaa00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0225.759] CloseHandle (hObject=0x44c) returned 1 [0225.781] CloseHandle (hObject=0x1a0) returned 1 [0225.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848570 | out: pbBuffer=0x12848570) returned 1 [0225.829] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\remoteaccess.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[64A0017CA88E8A70]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[64a0017ca88e8a70]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0226.669] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0229.073] SetEvent (hEvent=0x40c) returned 1 [0229.074] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0236.098] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0236.104] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0237.584] SetEvent (hEvent=0x1d0) returned 1 [0237.584] SetEvent (hEvent=0x19c) returned 1 [0237.584] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0243.088] SetEvent (hEvent=0x1d0) returned 1 [0243.088] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0244.164] SetEvent (hEvent=0xf4) returned 1 [0244.164] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0244.825] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0244.928] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0245.217] SetEvent (hEvent=0x1b8) returned 1 [0245.261] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0245.297] SetEvent (hEvent=0x1b8) returned 1 [0245.297] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0245.340] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0245.340] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12db5d0c | out: lpMode=0x12db5d0c) returned 0 [0245.341] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12db5ad0 | out: lpFileInformation=0x12db5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c221446, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4c221446, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fb3372a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0245.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0245.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0245.341] ReadFile (in: hFile=0x44c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12db5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12db5d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0245.405] GetFileType (hFile=0x44c) returned 0x1 [0245.405] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.405] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12db5d00, lpOverlapped=0x12db5d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12db5d00*=0x15ac0, lpOverlapped=0x12db5d0c) returned 1 [0245.406] GetFileType (hFile=0x44c) returned 0x1 [0245.406] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0245.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0245.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0245.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848590 | out: pbBuffer=0x12848590) returned 1 [0245.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.407] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12db5d0c | out: lpMode=0x12db5d0c) returned 0 [0245.407] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a48000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12db5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a48000*, lpNumberOfBytesWritten=0x12db5d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.407] CloseHandle (hObject=0x3e4) returned 1 [0245.407] CloseHandle (hObject=0x44c) returned 1 [0245.407] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485a8 | out: pbBuffer=0x128485a8) returned 1 [0245.407] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\#_THIS_FILE_IS_ENCRYPTED_[9A8600EE27BF3A83]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\#_this_file_is_encrypted_[9a8600ee27bf3a83]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.409] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0245.453] SetEvent (hEvent=0xf4) returned 1 [0245.454] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\onedrive.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.454] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0245.454] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\onedrive.exe"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e2ad9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x12862516, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0)) returned 1 [0245.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e540 | out: pbBuffer=0x1280e540) returned 1 [0245.455] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0245.455] ReadFile (in: hFile=0x42c, lpBuffer=0x129ae000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x129ae000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0245.484] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0245.525] SetEvent (hEvent=0xf4) returned 1 [0245.525] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0245.670] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0245.784] SetEvent (hEvent=0xfc) returned 1 [0245.784] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132743_ca8-cac.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.785] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0245.785] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132743_ca8-cac.log"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bb4b96d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4bb4b96d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x390a2)) returned 1 [0245.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e9a0 | out: pbBuffer=0x1280e9a0) returned 1 [0245.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848500 | out: pbBuffer=0x12848500) returned 1 [0245.785] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0245.792] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0245.792] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0245.792] SetEvent (hEvent=0x110) returned 1 [0245.792] SetEvent (hEvent=0xfc) returned 1 [0245.792] ReadFile (in: hFile=0x3e4, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12855d1c*=0x20000, lpOverlapped=0x0) returned 1 [0245.804] GetFileType (hFile=0x3e4) returned 0x1 [0245.804] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.804] WriteFile (in: hFile=0x3e4, lpBuffer=0x12d04000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12d04000*, lpNumberOfBytesWritten=0x12855d00*=0x20000, lpOverlapped=0x12855d0c) returned 1 [0245.805] GetFileType (hFile=0x3e4) returned 0x1 [0245.805] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0245.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd01 | out: pbBuffer=0x12afcd01) returned 1 [0245.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0245.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128485b8 | out: pbBuffer=0x128485b8) returned 1 [0245.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132743_ca8-cac.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0245.806] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0245.806] WriteFile (in: hFile=0x450, lpBuffer=0x12a48f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a48f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.806] CloseHandle (hObject=0x450) returned 1 [0245.813] CloseHandle (hObject=0x3e4) returned 1 [0245.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848020 | out: pbBuffer=0x12848020) returned 1 [0245.830] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132743_ca8-cac.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[FE1B41C4B79276BD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[fe1b41c4b79276bd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0246.102] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0246.269] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0246.787] SetEvent (hEvent=0x40c) returned 1 [0246.787] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132412_e10-e14.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0246.789] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0246.802] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132412_e10-e14.log"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce65674c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xce65674c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xed3dd471, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0246.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e740 | out: pbBuffer=0x1280e740) returned 1 [0246.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a78 | out: pbBuffer=0x12848a78) returned 1 [0246.803] ReadFile (in: hFile=0x458, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x12855d1c*=0xf5f6, lpOverlapped=0x0) returned 1 [0246.854] GetFileType (hFile=0x458) returned 0x1 [0246.854] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0246.854] WriteFile (in: hFile=0x458, lpBuffer=0x12a30000*, nNumberOfBytesToWrite=0xf5f6, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a30000*, lpNumberOfBytesWritten=0x12855d00*=0xf5f6, lpOverlapped=0x12855d0c) returned 1 [0246.855] GetFileType (hFile=0x458) returned 0x1 [0246.855] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0xf5f6, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0246.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0246.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0246.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0246.921] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848b50 | out: pbBuffer=0x12848b50) returned 1 [0246.921] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132412_e10-e14.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0246.921] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0246.921] WriteFile (in: hFile=0x450, lpBuffer=0x12a48a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a48a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0246.922] CloseHandle (hObject=0x450) returned 1 [0247.000] CloseHandle (hObject=0x458) returned 1 [0247.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b68 | out: pbBuffer=0x12848b68) returned 1 [0247.137] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132412_e10-e14.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[A047D2BD40E6C36D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[a047d2bd40e6c36d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0250.077] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0250.305] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0250.305] ReadFile (in: hFile=0x458, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12db5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12db5d1c*=0x1b4, lpOverlapped=0x0) returned 1 [0250.307] GetFileType (hFile=0x458) returned 0x1 [0250.307] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0250.307] WriteFile (in: hFile=0x458, lpBuffer=0x12b03340*, nNumberOfBytesToWrite=0x1b4, lpNumberOfBytesWritten=0x12db5d00, lpOverlapped=0x12db5d0c | out: lpBuffer=0x12b03340*, lpNumberOfBytesWritten=0x12db5d00*=0x1b4, lpOverlapped=0x12db5d0c) returned 1 [0250.308] GetFileType (hFile=0x458) returned 0x1 [0250.308] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x1b4, lpNewFilePointer=0x0, dwMoveMethod=0x12db5ce4 | out: lpNewFilePointer=0x0) returned 1 [0250.895] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd301 | out: pbBuffer=0x12afd301) returned 1 [0251.210] CloseHandle (hObject=0x42c) returned 1 [0251.479] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0251.479] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0251.480] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0251.613] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0251.726] SetEvent (hEvent=0x19c) returned 1 [0251.895] SetEvent (hEvent=0x1d0) returned 1 [0251.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a381 | out: pbBuffer=0x1286a381) returned 1 [0251.908] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a4d0 | out: pbBuffer=0x12a9a4d0) returned 1 [0251.921] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_134547_2bc-868.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0251.921] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0251.921] WriteFile (in: hFile=0x42c, lpBuffer=0x12da0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12da0000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0251.922] CloseHandle (hObject=0x42c) returned 1 [0251.922] CloseHandle (hObject=0x44c) returned 1 [0251.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a4e8 | out: pbBuffer=0x12a9a4e8) returned 1 [0252.024] SetEvent (hEvent=0x1d0) returned 1 [0252.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a508 | out: pbBuffer=0x12a9a508) returned 1 [0252.024] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\Policy.vpol" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\policy.vpol"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.025] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0252.025] WriteFile (in: hFile=0x3e4, lpBuffer=0x12da0500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12da0500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0252.030] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0252.117] CloseHandle (hObject=0x3e4) returned 1 [0252.117] CloseHandle (hObject=0x458) returned 1 [0252.118] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810030 | out: pbBuffer=0x12810030) returned 1 [0252.118] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\Policy.vpol" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\policy.vpol"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\#_THIS_FILE_IS_ENCRYPTED_[ECFF687979007CAB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\#_this_file_is_encrypted_[ecff687979007cab]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.120] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0252.442] SetEvent (hEvent=0xf4) returned 1 [0252.442] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.443] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0252.443] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x45238f5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45238f5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45238f5f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0252.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0252.444] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810078 | out: pbBuffer=0x12810078) returned 1 [0252.444] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x1282fd1c*=0x4000, lpOverlapped=0x0) returned 1 [0252.481] GetFileType (hFile=0x3e4) returned 0x1 [0252.481] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0252.482] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x1282fd00*=0x4000, lpOverlapped=0x1282fd0c) returned 1 [0252.482] GetFileType (hFile=0x3e4) returned 0x1 [0252.482] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0252.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0252.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0252.482] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0252.483] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810150 | out: pbBuffer=0x12810150) returned 1 [0252.483] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.483] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0252.483] WriteFile (in: hFile=0x458, lpBuffer=0x12da0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12da0a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0252.483] CloseHandle (hObject=0x458) returned 1 [0252.483] CloseHandle (hObject=0x3e4) returned 1 [0252.484] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810168 | out: pbBuffer=0x12810168) returned 1 [0252.484] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[9AD0B8638C6C4A3D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[9ad0b8638c6c4a3d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.485] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0252.551] SetEvent (hEvent=0xf4) returned 1 [0252.551] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.551] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0252.551] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0252.552] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0252.552] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101b0 | out: pbBuffer=0x128101b0) returned 1 [0252.553] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0252.555] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0252.555] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0252.555] SetEvent (hEvent=0x110) returned 1 [0252.555] SetEvent (hEvent=0xf4) returned 1 [0252.555] SetEvent (hEvent=0x40c) returned 1 [0252.555] ReadFile (in: hFile=0x458, lpBuffer=0x12d64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d64000*, lpNumberOfBytesRead=0x12851d1c*=0x4000, lpOverlapped=0x0) returned 1 [0252.562] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0252.579] SetEvent (hEvent=0xf4) returned 1 [0252.579] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0252.589] SetEvent (hEvent=0xf4) returned 1 [0252.589] SetEvent (hEvent=0x1d0) returned 1 [0252.589] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x903edf7e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.589] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0252.589] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9056b602, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9056b602, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0252.589] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9035563d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9035563d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9035563d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0252.589] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9037b75e, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9037b75e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9037b75e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0252.589] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.589] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0252.590] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.591] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.591] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.593] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.593] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.595] CloseHandle (hObject=0x3e4) returned 1 [0252.595] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.595] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9056b602, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9056b602, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0252.595] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9035563d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9035563d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9035563d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0252.611] SetEvent (hEvent=0x1d0) returned 1 [0252.611] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9037b75e, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9037b75e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9037b75e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.611] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.611] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.611] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0252.612] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.612] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.612] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0252.612] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.613] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.614] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.615] CloseHandle (hObject=0x3e4) returned 1 [0252.615] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.615] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.615] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0252.615] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.616] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.616] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0252.616] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.616] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.616] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.616] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.617] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.618] CloseHandle (hObject=0x3e4) returned 1 [0252.618] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.699] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.699] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0252.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0252.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0252.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0252.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0252.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0252.705] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0252.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0252.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0252.706] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.706] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.707] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.708] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.708] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.709] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0252.709] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0252.710] CloseHandle (hObject=0x42c) returned 1 [0252.710] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.713] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.713] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.716] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.716] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0252.716] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0252.716] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0252.716] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0252.716] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.716] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.717] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.718] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.718] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.719] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.719] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.721] CloseHandle (hObject=0x42c) returned 1 [0252.721] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.722] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.722] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.724] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.724] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.724] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.724] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.724] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.724] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.725] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.725] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.727] CloseHandle (hObject=0x42c) returned 1 [0252.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.727] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.727] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0252.727] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.727] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.727] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0252.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.728] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.728] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.729] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.729] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.730] CloseHandle (hObject=0x42c) returned 1 [0252.730] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.731] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.731] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.731] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.731] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.731] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.731] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.731] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.731] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.732] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.732] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.734] CloseHandle (hObject=0x42c) returned 1 [0252.734] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.734] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.734] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0252.734] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.734] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.734] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0252.734] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.735] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.735] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.735] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.735] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2d300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c2d300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.737] CloseHandle (hObject=0x42c) returned 1 [0252.737] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.742] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.742] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0252.742] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.742] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.743] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0252.743] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.743] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.743] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.744] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.744] WriteFile (in: hFile=0x458, lpBuffer=0x12c2e600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c2e600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.745] CloseHandle (hObject=0x458) returned 1 [0252.745] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.746] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.746] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.746] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.746] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.746] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.747] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.747] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.747] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.748] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.748] WriteFile (in: hFile=0x458, lpBuffer=0x12c2f900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c2f900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.749] CloseHandle (hObject=0x458) returned 1 [0252.749] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.749] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.749] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.750] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.750] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.750] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.750] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.750] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.750] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.751] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.751] WriteFile (in: hFile=0x458, lpBuffer=0x12c30c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c30c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.753] CloseHandle (hObject=0x458) returned 1 [0252.753] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.757] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.757] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0252.758] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.758] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0252.758] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.758] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0252.758] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.758] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.758] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.766] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.766] WriteFile (in: hFile=0x3e4, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.768] CloseHandle (hObject=0x3e4) returned 1 [0252.768] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.768] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.768] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0252.772] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.772] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6131ff94, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6131ff94, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0252.772] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0252.772] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0252.772] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.772] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0252.774] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.774] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.779] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0252.779] WriteFile (in: hFile=0x3e4, lpBuffer=0x12921300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12921300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0252.781] CloseHandle (hObject=0x3e4) returned 1 [0252.781] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6131ff94, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6131ff94, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0252.782] SetEvent (hEvent=0xf4) returned 1 [0252.782] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd000)) returned 1 [0252.782] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.863] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.864] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.864] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.864] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.864] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.865] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.865] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.866] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.866] WriteFile (in: hFile=0x458, lpBuffer=0x12922600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12922600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.868] CloseHandle (hObject=0x458) returned 1 [0252.869] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x90d2b129, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90d2b129, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.870] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.871] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x90d2b129, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x90d2b129, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x611a2928, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611a2928, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611a2928, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0252.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9104c20e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9104c20e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0252.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x90bada42, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90bada42, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90bada42, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0252.873] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x90bada42, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90bada42, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90bada42, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0252.874] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.874] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.875] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.880] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.880] WriteFile (in: hFile=0x458, lpBuffer=0x12923900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12923900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.882] CloseHandle (hObject=0x458) returned 1 [0252.882] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x611a2928, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611a2928, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611a2928, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.883] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9104c20e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9104c20e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0252.883] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.884] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0252.884] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x611a2928, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611a2928, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611a2928, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.884] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280fa00 | out: pbBuffer=0x1280fa00) returned 1 [0252.884] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849cf0 | out: pbBuffer=0x12849cf0) returned 1 [0252.884] ReadFile (in: hFile=0x458, lpBuffer=0x12a04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a04000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0252.884] CloseHandle (hObject=0x458) returned 1 [0252.884] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0252.885] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0252.885] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9104c20e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9104c20e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0252.885] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280fa20 | out: pbBuffer=0x1280fa20) returned 1 [0252.885] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849d10 | out: pbBuffer=0x12849d10) returned 1 [0252.885] ReadFile (in: hFile=0x458, lpBuffer=0x12aa6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa6000*, lpNumberOfBytesRead=0x1282bd1c*=0x2000, lpOverlapped=0x0) returned 1 [0252.909] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0252.981] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0252.982] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0252.982] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x90bada42, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90bada42, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90bada42, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.982] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88e20 | out: pbBuffer=0x12b88e20) returned 1 [0252.982] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34cf8 | out: pbBuffer=0x12c34cf8) returned 1 [0252.982] ReadFile (in: hFile=0x44c, lpBuffer=0x12cd4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cd4000*, lpNumberOfBytesRead=0x12853d1c*=0x0, lpOverlapped=0x0) returned 1 [0252.982] CloseHandle (hObject=0x44c) returned 1 [0252.983] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0253.378] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0253.632] SetEvent (hEvent=0x1d0) returned 1 [0253.632] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.633] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0253.633] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0253.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0253.633] ReadFile (in: hFile=0x42c, lpBuffer=0x12cb4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cb4000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0253.633] CloseHandle (hObject=0x42c) returned 1 [0253.633] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.634] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0253.634] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0253.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0253.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8018 | out: pbBuffer=0x128e8018) returned 1 [0253.635] ReadFile (in: hFile=0x42c, lpBuffer=0x12cf4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf4000*, lpNumberOfBytesRead=0x1282fd1c*=0x2000, lpOverlapped=0x0) returned 1 [0253.654] GetFileType (hFile=0x42c) returned 0x1 [0253.655] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0253.655] WriteFile (in: hFile=0x42c, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x1282fd00*=0x2000, lpOverlapped=0x1282fd0c) returned 1 [0253.655] GetFileType (hFile=0x42c) returned 0x1 [0253.655] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0253.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0253.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0253.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0253.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80d0 | out: pbBuffer=0x128e80d0) returned 1 [0253.656] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.656] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0253.656] WriteFile (in: hFile=0x458, lpBuffer=0x12ad8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ad8000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0253.657] CloseHandle (hObject=0x458) returned 1 [0253.657] CloseHandle (hObject=0x42c) returned 1 [0253.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80e8 | out: pbBuffer=0x128e80e8) returned 1 [0253.657] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[821F27C8FDEBF81D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[821f27c8fdebf81d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.666] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0253.788] SetEvent (hEvent=0x1d0) returned 1 [0253.790] SetEvent (hEvent=0x3f4) returned 1 [0253.790] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0253.803] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0253.803] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0253.815] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0253.816] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0253.816] SetEvent (hEvent=0x1d0) returned 1 [0253.816] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0253.846] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0253.846] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.847] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0253.847] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a803aaf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a803aaf, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0253.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0253.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0253.847] ReadFile (in: hFile=0x3e4, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12855d1c*=0x8000, lpOverlapped=0x0) returned 1 [0253.874] GetFileType (hFile=0x3e4) returned 0x1 [0253.874] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.874] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x12855d00*=0x8000, lpOverlapped=0x12855d0c) returned 1 [0253.875] GetFileType (hFile=0x3e4) returned 0x1 [0253.875] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x8000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.875] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0253.875] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0253.875] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0253.875] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0253.875] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0253.876] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0253.876] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.876] CloseHandle (hObject=0x44c) returned 1 [0253.876] CloseHandle (hObject=0x3e4) returned 1 [0253.876] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0253.877] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[32288DC2E338489D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[32288dc2e338489d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.053] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0254.116] SetEvent (hEvent=0xf4) returned 1 [0254.117] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.118] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0254.118] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1ec55a68, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0254.118] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0254.118] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0254.118] ReadFile (in: hFile=0x458, lpBuffer=0x12cd4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cd4000*, lpNumberOfBytesRead=0x1282fd1c*=0x7000, lpOverlapped=0x0) returned 1 [0254.155] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0254.200] GetFileType (hFile=0x458) returned 0x1 [0254.200] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0254.200] WriteFile (in: hFile=0x458, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x1282fd00*=0x7000, lpOverlapped=0x1282fd0c) returned 1 [0254.238] GetFileType (hFile=0x458) returned 0x1 [0254.239] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x7000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0254.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0254.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0254.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0254.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484f8 | out: pbBuffer=0x128484f8) returned 1 [0254.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0254.240] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0254.240] WriteFile (in: hFile=0x450, lpBuffer=0x12ac8500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac8500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0254.241] CloseHandle (hObject=0x450) returned 1 [0254.241] CloseHandle (hObject=0x458) returned 1 [0254.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848510 | out: pbBuffer=0x12848510) returned 1 [0254.241] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[93188E9DCEBB57FE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[93188e9dcebb57fe]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.245] SetEvent (hEvent=0x3f4) returned 1 [0254.245] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0259.411] SetEvent (hEvent=0x40c) returned 1 [0259.412] SetEvent (hEvent=0x3f4) returned 1 [0259.412] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0259.510] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0259.522] SetEvent (hEvent=0x1d0) returned 1 [0259.522] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x934dcb8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.523] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.523] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x934dcb8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.523] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x934dcb8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.523] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.523] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.523] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.524] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.524] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0259.525] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.525] WriteFile (in: hFile=0x450, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.527] CloseHandle (hObject=0x450) returned 1 [0259.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.527] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0259.527] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.528] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.528] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0259.528] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.528] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.528] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0259.556] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.557] WriteFile (in: hFile=0x450, lpBuffer=0x12c37300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c37300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.558] CloseHandle (hObject=0x450) returned 1 [0259.559] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.570] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.570] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.570] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.570] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.570] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.570] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.570] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.570] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0259.579] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.579] WriteFile (in: hFile=0x450, lpBuffer=0x12c38600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c38600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.580] CloseHandle (hObject=0x450) returned 1 [0259.581] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.590] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.590] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0259.590] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.590] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.591] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0259.591] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.591] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.591] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.597] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.597] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c39900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c39900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.598] CloseHandle (hObject=0x3e4) returned 1 [0259.599] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.603] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0259.603] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.603] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0259.603] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.603] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0259.604] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.605] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.605] WriteFile (in: hFile=0x458, lpBuffer=0x12c3ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c3ac00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.606] CloseHandle (hObject=0x458) returned 1 [0259.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.607] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.607] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0259.609] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.609] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x88a4ee47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0259.609] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x888d1750, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0259.609] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x888d1750, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0259.609] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.609] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0259.611] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.613] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.613] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.614] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.614] WriteFile (in: hFile=0x458, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.616] CloseHandle (hObject=0x458) returned 1 [0259.616] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x88a4ee47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0259.617] SetEvent (hEvent=0x19c) returned 1 [0259.617] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x888d1750, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0xf000)) returned 1 [0259.623] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x888d1750, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.623] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.624] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.624] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.625] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.625] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.625] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.625] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.625] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.625] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.626] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.626] WriteFile (in: hFile=0x3e4, lpBuffer=0x12859300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12859300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.627] CloseHandle (hObject=0x3e4) returned 1 [0259.627] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.628] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.628] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.646] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.646] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0259.646] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x70956fc, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x70956fc, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0259.646] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9259b185, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0259.646] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9259b185, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0259.646] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.646] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.647] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.649] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.649] WriteFile (in: hFile=0x3e4, lpBuffer=0x1285a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.650] CloseHandle (hObject=0x3e4) returned 1 [0259.651] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.651] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x70956fc, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x70956fc, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0259.651] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9259b185, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0259.652] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9259b185, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.652] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.652] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0259.653] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9259b185, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0259.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929e00 | out: pbBuffer=0x12929e00) returned 1 [0259.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35600 | out: pbBuffer=0x12c35600) returned 1 [0259.653] ReadFile (in: hFile=0x3e4, lpBuffer=0x129fe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x129fe000*, lpNumberOfBytesRead=0x12851d1c*=0x2000, lpOverlapped=0x0) returned 1 [0259.660] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0259.673] SwitchToThread () returned 1 [0259.705] SetEvent (hEvent=0x3f4) returned 1 [0259.705] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0259.737] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0259.853] SetEvent (hEvent=0x3f4) returned 1 [0259.853] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.854] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0259.854] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x689a03cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x689a03cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x689a03cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0259.855] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0259.855] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0259.855] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a5fd1c*=0x7000, lpOverlapped=0x0) returned 1 [0260.259] GetFileType (hFile=0x42c) returned 0x1 [0260.259] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0260.259] WriteFile (in: hFile=0x42c, lpBuffer=0x12bba000*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12bba000*, lpNumberOfBytesWritten=0x12a5fd00*=0x7000, lpOverlapped=0x12a5fd0c) returned 1 [0260.260] GetFileType (hFile=0x42c) returned 0x1 [0260.260] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x7000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0260.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0260.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0260.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0260.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0260.260] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.261] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0260.261] WriteFile (in: hFile=0x458, lpBuffer=0x12c38000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0260.261] CloseHandle (hObject=0x458) returned 1 [0260.261] CloseHandle (hObject=0x42c) returned 1 [0260.261] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0260.261] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[0DBDACEFA9A4DFAE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[0dbdacefa9a4dfae]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0260.271] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0260.425] SetEvent (hEvent=0x3f4) returned 1 [0260.425] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.426] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0260.426] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.426] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928220 | out: pbBuffer=0x12928220) returned 1 [0260.426] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0260.426] ReadFile (in: hFile=0x42c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0260.426] CloseHandle (hObject=0x42c) returned 1 [0260.426] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.427] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0260.427] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8046aa7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.427] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0260.427] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34130 | out: pbBuffer=0x12c34130) returned 1 [0260.428] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0260.447] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0260.447] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0260.448] SetEvent (hEvent=0x3f4) returned 1 [0260.448] ReadFile (in: hFile=0x42c, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x1282fd1c*=0x2000, lpOverlapped=0x0) returned 1 [0260.452] GetFileType (hFile=0x42c) returned 0x1 [0260.453] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0260.453] WriteFile (in: hFile=0x42c, lpBuffer=0x12ae2000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12ae2000*, lpNumberOfBytesWritten=0x1282fd00*=0x2000, lpOverlapped=0x1282fd0c) returned 1 [0260.453] GetFileType (hFile=0x42c) returned 0x1 [0260.453] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0260.453] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0260.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0260.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0260.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341e8 | out: pbBuffer=0x12c341e8) returned 1 [0260.454] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.454] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0260.454] WriteFile (in: hFile=0x458, lpBuffer=0x12c38a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0260.455] CloseHandle (hObject=0x458) returned 1 [0260.455] CloseHandle (hObject=0x42c) returned 1 [0260.455] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34200 | out: pbBuffer=0x12c34200) returned 1 [0260.455] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[0E4BD048B3A3F907]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[0e4bd048b3a3f907]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0260.458] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0260.472] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0260.472] SetEvent (hEvent=0x3f4) returned 1 [0260.472] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0260.480] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0260.480] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x0 [0260.485] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0260.485] SetEvent (hEvent=0x110) returned 1 [0260.485] SetEvent (hEvent=0x40c) returned 1 [0260.485] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0260.489] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0260.490] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.491] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0260.491] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf7f87f1c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.491] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844d00 | out: pbBuffer=0x12844d00) returned 1 [0260.491] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101d8 | out: pbBuffer=0x128101d8) returned 1 [0260.491] ReadFile (in: hFile=0x458, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0260.505] GetFileType (hFile=0x458) returned 0x1 [0260.505] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0260.505] WriteFile (in: hFile=0x458, lpBuffer=0x12866000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12866000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0260.506] GetFileType (hFile=0x458) returned 0x1 [0260.506] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0260.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0260.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0260.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0260.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102a0 | out: pbBuffer=0x128102a0) returned 1 [0260.507] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.507] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0260.507] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0260.507] CloseHandle (hObject=0x42c) returned 1 [0260.509] CloseHandle (hObject=0x458) returned 1 [0260.509] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102b8 | out: pbBuffer=0x128102b8) returned 1 [0260.510] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[70CEEEEE01649BB8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[70ceeeee01649bb8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0260.511] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0260.673] SetEvent (hEvent=0x3f4) returned 1 [0260.674] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.675] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0260.675] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845280 | out: pbBuffer=0x12845280) returned 1 [0260.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810300 | out: pbBuffer=0x12810300) returned 1 [0260.676] ReadFile (in: hFile=0x458, lpBuffer=0x1299c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x1299c000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0260.676] CloseHandle (hObject=0x458) returned 1 [0260.676] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.677] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0260.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128452a0 | out: pbBuffer=0x128452a0) returned 1 [0260.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810310 | out: pbBuffer=0x12810310) returned 1 [0260.677] ReadFile (in: hFile=0x458, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12855d1c*=0x2000, lpOverlapped=0x0) returned 1 [0260.771] GetFileType (hFile=0x458) returned 0x1 [0260.772] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0260.772] WriteFile (in: hFile=0x458, lpBuffer=0x12a4e000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a4e000*, lpNumberOfBytesWritten=0x12855d00*=0x2000, lpOverlapped=0x12855d0c) returned 1 [0260.772] GetFileType (hFile=0x458) returned 0x1 [0260.772] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0260.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0260.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0260.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0260.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128103c8 | out: pbBuffer=0x128103c8) returned 1 [0260.774] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.774] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0260.774] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0260.774] CloseHandle (hObject=0x42c) returned 1 [0260.774] CloseHandle (hObject=0x458) returned 1 [0260.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103e0 | out: pbBuffer=0x128103e0) returned 1 [0260.775] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[BD4949EADF79E844]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[bd4949eadf79e844]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0260.777] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0260.941] SetEvent (hEvent=0x3f4) returned 1 [0260.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.942] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0260.942] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7a50d3c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.943] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280efe0 | out: pbBuffer=0x1280efe0) returned 1 [0260.943] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9268 | out: pbBuffer=0x128e9268) returned 1 [0260.943] ReadFile (in: hFile=0x458, lpBuffer=0x129dc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129dc000*, lpNumberOfBytesRead=0x1282fd1c*=0x2000, lpOverlapped=0x0) returned 1 [0260.953] GetFileType (hFile=0x458) returned 0x1 [0260.953] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0260.953] WriteFile (in: hFile=0x458, lpBuffer=0x12a3c000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12a3c000*, lpNumberOfBytesWritten=0x1282fd00*=0x2000, lpOverlapped=0x1282fd0c) returned 1 [0260.954] GetFileType (hFile=0x458) returned 0x1 [0260.954] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0260.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835501 | out: pbBuffer=0x12835501) returned 1 [0260.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835601 | out: pbBuffer=0x12835601) returned 1 [0260.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835701 | out: pbBuffer=0x12835701) returned 1 [0260.955] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9320 | out: pbBuffer=0x128e9320) returned 1 [0260.955] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0260.955] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0260.955] WriteFile (in: hFile=0x3e4, lpBuffer=0x12be2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12be2000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0260.956] CloseHandle (hObject=0x3e4) returned 1 [0260.956] CloseHandle (hObject=0x458) returned 1 [0260.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9338 | out: pbBuffer=0x128e9338) returned 1 [0260.956] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[09A22D743C019C27]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[09a22d743c019c27]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0260.968] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0260.982] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0260.984] SetEvent (hEvent=0x40c) returned 1 [0260.984] SetEvent (hEvent=0x420) returned 1 [0260.984] SetEvent (hEvent=0x19c) returned 1 [0260.984] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0261.099] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0261.576] SetEvent (hEvent=0x420) returned 1 [0261.576] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.577] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0261.577] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x654edd0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x654edd0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0261.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0261.578] ReadFile (in: hFile=0x3e4, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0261.578] CloseHandle (hObject=0x3e4) returned 1 [0261.578] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.579] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0261.579] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x654edd0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x654edd0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.579] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0261.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0261.580] ReadFile (in: hFile=0x3e4, lpBuffer=0x12d44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d44000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0261.580] CloseHandle (hObject=0x3e4) returned 1 [0261.580] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64acb91c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.581] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.581] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64acb91c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0261.581] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64acb91c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.581] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.581] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0261.581] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.581] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.581] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.582] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.582] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.584] CloseHandle (hObject=0x3e4) returned 1 [0261.584] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.584] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0261.585] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.585] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.585] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0261.585] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.585] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.585] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.586] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.586] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b11300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b11300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.588] CloseHandle (hObject=0x3e4) returned 1 [0261.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.589] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.589] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0261.601] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0261.638] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0261.654] SetEvent (hEvent=0x40c) returned 1 [0261.654] SwitchToThread () returned 1 [0261.741] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0261.836] SetEvent (hEvent=0x40c) returned 1 [0261.836] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.837] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0261.837] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6209ff34, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0261.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0261.837] ReadFile (in: hFile=0x42c, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0261.838] CloseHandle (hObject=0x42c) returned 1 [0261.838] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.838] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0261.838] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61efc6ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x622b61f5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x622b61f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000)) returned 1 [0261.839] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0261.839] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8018 | out: pbBuffer=0x128e8018) returned 1 [0261.839] ReadFile (in: hFile=0x42c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0261.864] GetFileType (hFile=0x42c) returned 0x1 [0261.864] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0261.864] WriteFile (in: hFile=0x42c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0261.865] GetFileType (hFile=0x42c) returned 0x1 [0261.865] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0261.865] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0261.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0261.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0261.866] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80d0 | out: pbBuffer=0x128e80d0) returned 1 [0261.866] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0261.866] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0261.866] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0261.868] CloseHandle (hObject=0x44c) returned 1 [0261.868] CloseHandle (hObject=0x42c) returned 1 [0261.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80e8 | out: pbBuffer=0x128e80e8) returned 1 [0261.868] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[E1058254C9EAB5D5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[e1058254c9eab5d5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0261.870] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0262.043] SetEvent (hEvent=0x420) returned 1 [0262.043] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0262.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dbc8273, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.048] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.048] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dbc8273, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0262.048] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dbc8273, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.048] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.048] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0262.049] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.049] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.049] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.050] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.050] WriteFile (in: hFile=0x458, lpBuffer=0x12db2000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12db2000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.051] CloseHandle (hObject=0x458) returned 1 [0262.052] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.052] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.052] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0262.052] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.052] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.052] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0262.052] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.053] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.053] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.054] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.054] WriteFile (in: hFile=0x458, lpBuffer=0x12db3300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12db3300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.055] CloseHandle (hObject=0x458) returned 1 [0262.056] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8793e8f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8793e8f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.060] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0262.066] SetEvent (hEvent=0x3f4) returned 1 [0262.066] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.066] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8793e8f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.071] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8793e8f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.071] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.071] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.071] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.071] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.072] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8793e8f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8793e8f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf87ba052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.072] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.072] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.073] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.073] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.073] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.073] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.074] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.076] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.076] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.077] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0262.077] WriteFile (in: hFile=0x458, lpBuffer=0x12be2000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12be2000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0262.079] CloseHandle (hObject=0x458) returned 1 [0262.079] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.084] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.085] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0262.100] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.100] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0262.100] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0262.100] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0262.100] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0262.100] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.100] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0262.101] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.103] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.103] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.104] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.104] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.106] CloseHandle (hObject=0x458) returned 1 [0262.106] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.109] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.109] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0262.109] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.109] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.109] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0262.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.110] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.110] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.113] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.113] WriteFile (in: hFile=0x458, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.115] CloseHandle (hObject=0x458) returned 1 [0262.115] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.115] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.115] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0262.116] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.116] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.116] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0262.116] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.116] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.116] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.117] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.117] WriteFile (in: hFile=0x458, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.120] CloseHandle (hObject=0x458) returned 1 [0262.120] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.121] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.121] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.121] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.121] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.121] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.121] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.121] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.122] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.123] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.123] WriteFile (in: hFile=0x458, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.124] CloseHandle (hObject=0x458) returned 1 [0262.124] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.125] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.125] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0262.125] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.126] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.126] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0262.126] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.126] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.126] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.127] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.127] WriteFile (in: hFile=0x458, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.129] CloseHandle (hObject=0x458) returned 1 [0262.129] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.129] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0262.129] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.129] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.130] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0262.130] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.130] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.130] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.131] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.131] WriteFile (in: hFile=0x458, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.133] CloseHandle (hObject=0x458) returned 1 [0262.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.133] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.133] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.134] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.136] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.136] WriteFile (in: hFile=0x458, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.138] CloseHandle (hObject=0x458) returned 1 [0262.138] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.138] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.139] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.139] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.139] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.139] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.140] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.140] WriteFile (in: hFile=0x458, lpBuffer=0x12db4600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12db4600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.145] CloseHandle (hObject=0x458) returned 1 [0262.146] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8793e8f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf87ba052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf87ba052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.148] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.148] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8793e8f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8793e8f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf87ba052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.149] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8793e8f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8793e8f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf87ba052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.149] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf87ba052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0262.149] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.149] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.150] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.150] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.150] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.153] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.153] WriteFile (in: hFile=0x458, lpBuffer=0x12db5900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12db5900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.157] CloseHandle (hObject=0x458) returned 1 [0262.157] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.157] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.157] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf87ba052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0262.161] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf87ba052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.161] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8a8edde, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8a8edde, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0262.161] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8852921, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0262.161] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8852921, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0262.161] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.161] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0262.166] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.168] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.168] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.169] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.169] WriteFile (in: hFile=0x458, lpBuffer=0x12db6c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12db6c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.171] CloseHandle (hObject=0x458) returned 1 [0262.171] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8a8edde, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8a8edde, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.171] SetEvent (hEvent=0x40c) returned 1 [0262.171] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8852921, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.172] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8852921, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.172] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.172] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.173] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0262.173] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.173] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.173] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0262.173] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.176] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.176] WriteFile (in: hFile=0x458, lpBuffer=0x12be3300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12be3300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.178] CloseHandle (hObject=0x458) returned 1 [0262.178] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.178] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.178] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.178] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.179] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0262.179] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0262.179] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.179] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.179] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.179] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.179] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.180] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.180] WriteFile (in: hFile=0x458, lpBuffer=0x12be4600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12be4600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.181] CloseHandle (hObject=0x458) returned 1 [0262.182] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.182] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.182] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.183] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0262.183] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f5e0 | out: pbBuffer=0x1280f5e0) returned 1 [0262.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128496e0 | out: pbBuffer=0x128496e0) returned 1 [0262.183] ReadFile (in: hFile=0x458, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0262.183] CloseHandle (hObject=0x458) returned 1 [0262.183] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.184] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0262.184] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f600 | out: pbBuffer=0x1280f600) returned 1 [0262.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128496f0 | out: pbBuffer=0x128496f0) returned 1 [0262.184] ReadFile (in: hFile=0x458, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282bd1c*=0x2000, lpOverlapped=0x0) returned 1 [0262.191] GetFileType (hFile=0x458) returned 0x1 [0262.191] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0262.192] WriteFile (in: hFile=0x458, lpBuffer=0x12a8c000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12a8c000*, lpNumberOfBytesWritten=0x1282bd00*=0x2000, lpOverlapped=0x1282bd0c) returned 1 [0262.192] GetFileType (hFile=0x458) returned 0x1 [0262.192] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0262.192] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0262.192] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0262.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0262.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128497c8 | out: pbBuffer=0x128497c8) returned 1 [0262.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.193] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0262.193] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ae2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ae2000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0262.193] CloseHandle (hObject=0x3e4) returned 1 [0262.193] CloseHandle (hObject=0x458) returned 1 [0262.194] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849800 | out: pbBuffer=0x12849800) returned 1 [0262.194] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[485EAC7A12CC56E8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\#_this_file_is_encrypted_[485eac7a12cc56e8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0262.218] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0262.316] SetEvent (hEvent=0x420) returned 1 [0262.316] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0262.320] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.320] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0262.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdbd82a85, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.321] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b891e0 | out: pbBuffer=0x12b891e0) returned 1 [0262.321] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811050 | out: pbBuffer=0x12811050) returned 1 [0262.321] ReadFile (in: hFile=0x42c, lpBuffer=0x12d64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d64000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0262.321] CloseHandle (hObject=0x42c) returned 1 [0262.321] SetEvent (hEvent=0x40c) returned 1 [0262.321] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0262.332] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0262.350] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0263.046] SetEvent (hEvent=0x420) returned 1 [0263.046] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.047] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0263.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x66315ca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xd000)) returned 1 [0263.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0263.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0263.047] ReadFile (in: hFile=0x42c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12853d1c*=0xd000, lpOverlapped=0x0) returned 1 [0263.054] GetFileType (hFile=0x42c) returned 0x1 [0263.054] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.054] WriteFile (in: hFile=0x42c, lpBuffer=0x12c6a000*, nNumberOfBytesToWrite=0xd000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12c6a000*, lpNumberOfBytesWritten=0x12853d00*=0xd000, lpOverlapped=0x12853d0c) returned 1 [0263.055] GetFileType (hFile=0x42c) returned 0x1 [0263.055] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xd000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0263.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0263.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0263.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0263.056] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0263.056] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0263.056] WriteFile (in: hFile=0x44c, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0263.057] CloseHandle (hObject=0x44c) returned 1 [0263.057] CloseHandle (hObject=0x42c) returned 1 [0263.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0263.057] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[023F17DBE93537EE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[023f17dbe93537ee]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.058] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0263.092] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0263.120] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0263.142] SetEvent (hEvent=0x420) returned 1 [0263.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.143] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0263.143] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe61a652, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f900 | out: pbBuffer=0x1280f900) returned 1 [0263.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ca0 | out: pbBuffer=0x12849ca0) returned 1 [0263.143] ReadFile (in: hFile=0x42c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0263.143] CloseHandle (hObject=0x42c) returned 1 [0263.143] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0263.414] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0263.940] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0263.951] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0265.083] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0265.314] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0266.149] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2facc, ulCount=0x10, ulNumEntriesRemoved=0x33c2fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2facc, ulNumEntriesRemoved=0x33c2fab0) returned 0 [0266.150] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0266.151] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0266.151] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfc87692b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc87692b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc87692b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0266.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0266.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0266.151] ReadFile (in: hFile=0x42c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a49d1c*=0xa000, lpOverlapped=0x0) returned 1 [0266.226] GetFileType (hFile=0x42c) returned 0x1 [0266.226] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0266.226] WriteFile (in: hFile=0x42c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0xa000, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12a49d00*=0xa000, lpOverlapped=0x12a49d0c) returned 1 [0266.227] GetFileType (hFile=0x42c) returned 0x1 [0266.227] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xa000, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0266.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0266.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0266.227] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0266.228] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0266.228] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0266.228] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0266.228] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0266.229] CloseHandle (hObject=0x458) returned 1 [0266.229] CloseHandle (hObject=0x42c) returned 1 [0266.229] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0266.229] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[4C6B9EE2FA07CCD5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[4c6b9ee2fa07ccd5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0266.231] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2facc, ulCount=0x10, ulNumEntriesRemoved=0x33c2fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2facc, ulNumEntriesRemoved=0x33c2fab0) returned 0 [0266.232] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0266.232] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0266.233] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfc87692b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc87692b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc87692b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0266.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0266.233] ReadFile (in: hFile=0x42c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a4bd1c*=0x0, lpOverlapped=0x0) returned 1 [0266.233] CloseHandle (hObject=0x42c) returned 1 [0266.233] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2facc, ulCount=0x10, ulNumEntriesRemoved=0x33c2fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2facc, ulNumEntriesRemoved=0x33c2fab0) returned 0 [0266.233] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fab4, ulCount=0x10, ulNumEntriesRemoved=0x33c2fa98, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fab4, ulNumEntriesRemoved=0x33c2fa98) returned 0 [0266.233] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.234] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.234] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0266.234] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.234] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.234] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0266.235] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0266.235] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0266.235] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0266.236] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0266.236] WriteFile (in: hFile=0x42c, lpBuffer=0x12c18000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c18000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0266.238] CloseHandle (hObject=0x42c) returned 1 [0266.238] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.239] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.239] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0266.239] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.239] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.239] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0266.239] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0266.239] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0266.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0266.241] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0266.241] WriteFile (in: hFile=0x42c, lpBuffer=0x12c19300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c19300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0266.242] CloseHandle (hObject=0x42c) returned 1 [0266.243] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.419] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0266.525] SetEvent (hEvent=0x110) returned 1 [0266.525] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.525] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0266.525] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0266.525] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0266.525] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0266.526] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0266.526] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0266.526] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0266.526] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0266.526] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.0_N")) returned 1 [0266.526] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.526] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0266.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.549] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.549] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0266.693] SetEvent (hEvent=0x110) returned 1 [0266.727] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.727] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0266.727] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0266.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0266.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0266.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0266.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0266.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0266.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0266.728] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.728] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0266.730] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.738] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.738] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0266.868] SetEvent (hEvent=0x110) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0266.868] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.869] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0266.870] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.873] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.873] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0266.876] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.877] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab58681a, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab58681a, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0266.877] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0266.877] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3e2e5c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3e2e5c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3e2e5c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0266.877] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3706b2, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3706b2, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0266.877] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0266.877] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3e2e5c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0266.877] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0266.877] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0266.877] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.0_N")) returned 1 [0266.892] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.892] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0266.893] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0266.894] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.894] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0266.894] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.894] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0266.894] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0266.894] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0266.894] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0266.895] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdcb84880, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0266.895] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0266.895] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe469a1da, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0266.895] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0266.895] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0266.895] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.895] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0266.895] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b79dad4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.895] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.896] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0266.897] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.898] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0266.898] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b79dad4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b79dad4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0266.898] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0266.898] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0266.898] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0266.898] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc372dde6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc372dde6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0266.898] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0266.898] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0266.898] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.898] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0266.900] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0266.900] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.900] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efcf224, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0266.901] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.901] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0266.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows_ie_ac_001"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.913] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows_ie_ac_001"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.913] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0266.913] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.913] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0266.913] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.913] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0266.914] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\peerdistrepub"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.914] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\peerdistrepub"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.914] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0266.914] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.915] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.915] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0266.915] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\peerdistrepub\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0266.915] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\peerdistrepub\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0266.915] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\peerdistrepub\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0266.917] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0266.917] WriteFile (in: hFile=0x42c, lpBuffer=0x12bb0000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12bb0000*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0266.920] CloseHandle (hObject=0x42c) returned 1 [0266.920] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.921] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.921] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0266.921] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.921] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8wekyb3d8bbwe", cAlternateFileName="8WEKYB~1")) returned 1 [0266.921] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.921] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0266.921] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0266.921] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0266.922] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0266.975] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0266.976] WriteFile (in: hFile=0x42c, lpBuffer=0x12bb1300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12bb1300*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0266.977] CloseHandle (hObject=0x42c) returned 1 [0266.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0266.978] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0266.978] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0266.978] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0266.979] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0266.979] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b8a5bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Licenses", cAlternateFileName="")) returned 1 [0266.979] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8fc8aa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8fc8aa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8fc8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsAlarms", cAlternateFileName="MICROS~1.WIN")) returned 1 [0266.979] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0266.979] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0266.979] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0266.979] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0266.979] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.022] SetEvent (hEvent=0x110) returned 1 [0267.022] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0267.022] WriteFile (in: hFile=0x42c, lpBuffer=0x12bb2600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12bb2600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0267.027] CloseHandle (hObject=0x42c) returned 1 [0267.027] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\fonts"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0267.027] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\fonts"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0267.027] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0267.027] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0267.028] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0267.028] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0267.028] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\fonts\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0267.028] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\fonts\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0267.028] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\fonts\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.030] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0267.030] WriteFile (in: hFile=0x42c, lpBuffer=0x12bb3900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bb3900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0267.031] CloseHandle (hObject=0x42c) returned 1 [0267.031] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\licenses"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b8a5bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0267.032] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\licenses"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0267.032] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b8a5bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0267.032] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b8a5bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0267.032] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0267.032] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0267.032] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\licenses\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0267.032] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\licenses\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0267.032] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\licenses\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.034] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0267.034] WriteFile (in: hFile=0x42c, lpBuffer=0x12bb4c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bb4c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0267.035] CloseHandle (hObject=0x42c) returned 1 [0267.035] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\microsoft.windowsalarms"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8fc8aa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8fc8aa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8fc8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0267.039] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\microsoft.windowsalarms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0267.039] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8fc8aa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8fc8aa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8fc8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0267.039] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8fc8aa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8fc8aa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8fc8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0267.039] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0267.039] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0267.039] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xc7b890de, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xc7b890de, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0267.040] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0267.040] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xc7b890de, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xc7b890de, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0267.040] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xc7b890de, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xc7b890de, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0267.040] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x884124f0, ftCreationTime.dwHighDateTime=0x1d81d66, ftLastAccessTime.dwLowDateTime=0x6e293b20, ftLastAccessTime.dwHighDateTime=0x1d81d98, ftLastWriteTime.dwLowDateTime=0x6e293b20, ftLastWriteTime.dwHighDateTime=0x1d81d98, nFileSizeHigh=0x0, nFileSizeLow=0xc3b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="3JeOyHF.avi", cAlternateFileName="")) returned 1 [0267.040] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46a7ae70, ftCreationTime.dwHighDateTime=0x1d82779, ftLastAccessTime.dwLowDateTime=0xd0a6eda0, ftLastAccessTime.dwHighDateTime=0x1d828fc, ftLastWriteTime.dwLowDateTime=0xd0a6eda0, ftLastWriteTime.dwHighDateTime=0x1d828fc, nFileSizeHigh=0x0, nFileSizeLow=0x143c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="4Ck9GPqxNq.m4a", cAlternateFileName="4CK9GP~1.M4A")) returned 1 [0267.040] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc00f7940, ftCreationTime.dwHighDateTime=0x1d8249b, ftLastAccessTime.dwLowDateTime=0x98a0db20, ftLastAccessTime.dwHighDateTime=0x1d826e3, ftLastWriteTime.dwLowDateTime=0x98a0db20, ftLastWriteTime.dwHighDateTime=0x1d826e3, nFileSizeHigh=0x0, nFileSizeLow=0x6e20, dwReserved0=0x0, dwReserved1=0x0, cFileName="5HAbN1aHwdYEqK.avi", cAlternateFileName="5HABN1~1.AVI")) returned 1 [0267.040] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x111ecba0, ftCreationTime.dwHighDateTime=0x1d81d36, ftLastAccessTime.dwLowDateTime=0x8385a6e0, ftLastAccessTime.dwHighDateTime=0x1d82444, ftLastWriteTime.dwLowDateTime=0x8385a6e0, ftLastWriteTime.dwHighDateTime=0x1d82444, nFileSizeHigh=0x0, nFileSizeLow=0x68b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="7DwtJZlB.ots", cAlternateFileName="")) returned 1 [0267.040] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73935900, ftCreationTime.dwHighDateTime=0x1d8282f, ftLastAccessTime.dwLowDateTime=0x29289f20, ftLastAccessTime.dwHighDateTime=0x1d828fb, ftLastWriteTime.dwLowDateTime=0x29289f20, ftLastWriteTime.dwHighDateTime=0x1d828fb, nFileSizeHigh=0x0, nFileSizeLow=0x8d97, dwReserved0=0x0, dwReserved1=0x0, cFileName="7J6Oqdxf.xls", cAlternateFileName="")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40509250, ftCreationTime.dwHighDateTime=0x1d82934, ftLastAccessTime.dwLowDateTime=0xd5da5040, ftLastAccessTime.dwHighDateTime=0x1d82970, ftLastWriteTime.dwLowDateTime=0xd5da5040, ftLastWriteTime.dwHighDateTime=0x1d82970, nFileSizeHigh=0x0, nFileSizeLow=0x1b07, dwReserved0=0x0, dwReserved1=0x0, cFileName="A32eqEYT3zUx.mp4", cAlternateFileName="A32EQE~1.MP4")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4405b970, ftCreationTime.dwHighDateTime=0x1d81caf, ftLastAccessTime.dwLowDateTime=0x19a200, ftLastAccessTime.dwHighDateTime=0x1d81f0f, ftLastWriteTime.dwLowDateTime=0x19a200, ftLastWriteTime.dwHighDateTime=0x1d81f0f, nFileSizeHigh=0x0, nFileSizeLow=0x18905, dwReserved0=0x0, dwReserved1=0x0, cFileName="A4T9378rzN.gif", cAlternateFileName="A4T937~1.GIF")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a1ac380, ftCreationTime.dwHighDateTime=0x1d827ec, ftLastAccessTime.dwLowDateTime=0x238a4c70, ftLastAccessTime.dwHighDateTime=0x1d828d9, ftLastWriteTime.dwLowDateTime=0x238a4c70, ftLastWriteTime.dwHighDateTime=0x1d828d9, nFileSizeHigh=0x0, nFileSizeLow=0x1b8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="A4vIO.xlsx", cAlternateFileName="A4VIO~1.XLS")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecefdb40, ftCreationTime.dwHighDateTime=0x1d81d24, ftLastAccessTime.dwLowDateTime=0xdca26c10, ftLastAccessTime.dwHighDateTime=0x1d828c5, ftLastWriteTime.dwLowDateTime=0xdca26c10, ftLastWriteTime.dwHighDateTime=0x1d828c5, nFileSizeHigh=0x0, nFileSizeLow=0x1f70, dwReserved0=0x0, dwReserved1=0x0, cFileName="ALLS85J2YU51TsHzc3b.ods", cAlternateFileName="ALLS85~1.ODS")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ae71280, ftCreationTime.dwHighDateTime=0x1d827ff, ftLastAccessTime.dwLowDateTime=0xa7ac1f0, ftLastAccessTime.dwHighDateTime=0x1d829bb, ftLastWriteTime.dwLowDateTime=0xa7ac1f0, ftLastWriteTime.dwHighDateTime=0x1d829bb, nFileSizeHigh=0x0, nFileSizeLow=0x1580a, dwReserved0=0x0, dwReserved1=0x0, cFileName="aRkyjp.gif", cAlternateFileName="")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x262752f0, ftCreationTime.dwHighDateTime=0x1d81a8a, ftLastAccessTime.dwLowDateTime=0x84ab52c0, ftLastAccessTime.dwHighDateTime=0x1d81e10, ftLastWriteTime.dwLowDateTime=0x84ab52c0, ftLastWriteTime.dwHighDateTime=0x1d81e10, nFileSizeHigh=0x0, nFileSizeLow=0x6a81, dwReserved0=0x0, dwReserved1=0x0, cFileName="AyRUpK5H.docx", cAlternateFileName="AYRUPK~1.DOC")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec1b5e30, ftCreationTime.dwHighDateTime=0x1d819f8, ftLastAccessTime.dwLowDateTime=0xd0e43c0, ftLastAccessTime.dwHighDateTime=0x1d81ea7, ftLastWriteTime.dwLowDateTime=0xd0e43c0, ftLastWriteTime.dwHighDateTime=0x1d81ea7, nFileSizeHigh=0x0, nFileSizeLow=0x1cea, dwReserved0=0x0, dwReserved1=0x0, cFileName="bMGPI7GDlhh-74.m4a", cAlternateFileName="BMGPI7~1.M4A")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf47598e0, ftCreationTime.dwHighDateTime=0x1d82789, ftLastAccessTime.dwLowDateTime=0xdcc9d390, ftLastAccessTime.dwHighDateTime=0x1d828ac, ftLastWriteTime.dwLowDateTime=0xdcc9d390, ftLastWriteTime.dwHighDateTime=0x1d828ac, nFileSizeHigh=0x0, nFileSizeLow=0x16cca, dwReserved0=0x0, dwReserved1=0x0, cFileName="ckyL13X157_Yjd.avi", cAlternateFileName="CKYL13~1.AVI")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x308cb7e0, ftCreationTime.dwHighDateTime=0x1d82713, ftLastAccessTime.dwLowDateTime=0x7da17940, ftLastAccessTime.dwHighDateTime=0x1d82a0f, ftLastWriteTime.dwLowDateTime=0x7da17940, ftLastWriteTime.dwHighDateTime=0x1d82a0f, nFileSizeHigh=0x0, nFileSizeLow=0x14d3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMPSVLqM3.mp4", cAlternateFileName="DMPSVL~1.MP4")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbddd8a60, ftCreationTime.dwHighDateTime=0x1d82796, ftLastAccessTime.dwLowDateTime=0xf1b38d70, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0xf1b38d70, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x1273f, dwReserved0=0x0, dwReserved1=0x0, cFileName="EPMgLenoE.mp4", cAlternateFileName="EPMGLE~1.MP4")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf239e84c, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf239e84c, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf239e84c, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gen_py", cAlternateFileName="")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa0b0060, ftCreationTime.dwHighDateTime=0x1d820a4, ftLastAccessTime.dwLowDateTime=0x9ea60670, ftLastAccessTime.dwHighDateTime=0x1d820e5, ftLastWriteTime.dwLowDateTime=0x9ea60670, ftLastWriteTime.dwHighDateTime=0x1d820e5, nFileSizeHigh=0x0, nFileSizeLow=0xa33c, dwReserved0=0x0, dwReserved1=0x0, cFileName="HtBW3C.m4a", cAlternateFileName="")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9521ccd0, ftCreationTime.dwHighDateTime=0x1d81deb, ftLastAccessTime.dwLowDateTime=0xa3249fe0, ftLastAccessTime.dwHighDateTime=0x1d8276b, ftLastWriteTime.dwLowDateTime=0xa3249fe0, ftLastWriteTime.dwHighDateTime=0x1d8276b, nFileSizeHigh=0x0, nFileSizeLow=0x764d, dwReserved0=0x0, dwReserved1=0x0, cFileName="h_hvOUv.swf", cAlternateFileName="")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ada6c0, ftCreationTime.dwHighDateTime=0x1d81aa0, ftLastAccessTime.dwLowDateTime=0x8cd36f60, ftLastAccessTime.dwHighDateTime=0x1d81fb8, ftLastWriteTime.dwLowDateTime=0x8cd36f60, ftLastWriteTime.dwHighDateTime=0x1d81fb8, nFileSizeHigh=0x0, nFileSizeLow=0xc02b, dwReserved0=0x0, dwReserved1=0x0, cFileName="INIfYxN6if.jpg", cAlternateFileName="INIFYX~1.JPG")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3315510, ftCreationTime.dwHighDateTime=0x1d82767, ftLastAccessTime.dwLowDateTime=0x1a8b10c0, ftLastAccessTime.dwHighDateTime=0x1d82891, ftLastWriteTime.dwLowDateTime=0x1a8b10c0, ftLastWriteTime.dwHighDateTime=0x1d82891, nFileSizeHigh=0x0, nFileSizeLow=0xcae9, dwReserved0=0x0, dwReserved1=0x0, cFileName="JrFhAxKHX5fo_8-.jpg", cAlternateFileName="JRFHAX~1.JPG")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x206b75f0, ftCreationTime.dwHighDateTime=0x1d820e6, ftLastAccessTime.dwLowDateTime=0xc0cbf9d0, ftLastAccessTime.dwHighDateTime=0x1d8292d, ftLastWriteTime.dwLowDateTime=0xc0cbf9d0, ftLastWriteTime.dwHighDateTime=0x1d8292d, nFileSizeHigh=0x0, nFileSizeLow=0xd5e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="JURtp.wav", cAlternateFileName="")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c19cfa0, ftCreationTime.dwHighDateTime=0x1d8291d, ftLastAccessTime.dwLowDateTime=0x22986f90, ftLastAccessTime.dwHighDateTime=0x1d8291f, ftLastWriteTime.dwLowDateTime=0x22986f90, ftLastWriteTime.dwHighDateTime=0x1d8291f, nFileSizeHigh=0x0, nFileSizeLow=0x36bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="KBTERo45xW pin4LQ.rtf", cAlternateFileName="KBTERO~1.RTF")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdd1af23, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfdd1af23, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfdd1af23, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KnoA7FD.tmp", cAlternateFileName="")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c845d20, ftCreationTime.dwHighDateTime=0x1d8253f, ftLastAccessTime.dwLowDateTime=0x399dc150, ftLastAccessTime.dwHighDateTime=0x1d829e1, ftLastWriteTime.dwLowDateTime=0x399dc150, ftLastWriteTime.dwHighDateTime=0x1d829e1, nFileSizeHigh=0x0, nFileSizeLow=0x1dd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ldcNmdHB 4uiaPZ0.png", cAlternateFileName="LDCNMD~1.PNG")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf58e146b, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf58e146b, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf58e146b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4245690, ftCreationTime.dwHighDateTime=0x1d82898, ftLastAccessTime.dwLowDateTime=0xf7b71700, ftLastAccessTime.dwHighDateTime=0x1d829f4, ftLastWriteTime.dwLowDateTime=0xf7b71700, ftLastWriteTime.dwHighDateTime=0x1d829f4, nFileSizeHigh=0x0, nFileSizeLow=0xa94f, dwReserved0=0x0, dwReserved1=0x0, cFileName="mE 0BznU4CsLZ8.ppt", cAlternateFileName="ME0BZN~1.PPT")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2fc5f00, ftCreationTime.dwHighDateTime=0x1d81dc8, ftLastAccessTime.dwLowDateTime=0x5e848820, ftLastAccessTime.dwHighDateTime=0x1d828c2, ftLastWriteTime.dwLowDateTime=0x5e848820, ftLastWriteTime.dwHighDateTime=0x1d828c2, nFileSizeHigh=0x0, nFileSizeLow=0x15ea2, dwReserved0=0x0, dwReserved1=0x0, cFileName="MQ9ouEKAZi19qY.swf", cAlternateFileName="MQ9OUE~1.SWF")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa24d0, ftCreationTime.dwHighDateTime=0x1d820a3, ftLastAccessTime.dwLowDateTime=0xd18d4810, ftLastAccessTime.dwHighDateTime=0x1d8217f, ftLastWriteTime.dwLowDateTime=0xd18d4810, ftLastWriteTime.dwHighDateTime=0x1d8217f, nFileSizeHigh=0x0, nFileSizeLow=0xa6eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="MUUIz3me61vcXxlVyHi.pps", cAlternateFileName="MUUIZ3~1.PPS")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70afb3b0, ftCreationTime.dwHighDateTime=0x1d82603, ftLastAccessTime.dwLowDateTime=0x98a7ef80, ftLastAccessTime.dwHighDateTime=0x1d82771, ftLastWriteTime.dwLowDateTime=0x98a7ef80, ftLastWriteTime.dwHighDateTime=0x1d82771, nFileSizeHigh=0x0, nFileSizeLow=0xcea, dwReserved0=0x0, dwReserved1=0x0, cFileName="Qod0j-KX2DK56BunTz.swf", cAlternateFileName="QOD0J-~1.SWF")) returned 1 [0267.041] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae8e3100, ftCreationTime.dwHighDateTime=0x1d81d90, ftLastAccessTime.dwLowDateTime=0xa24877a0, ftLastAccessTime.dwHighDateTime=0x1d82571, ftLastWriteTime.dwLowDateTime=0xa24877a0, ftLastWriteTime.dwHighDateTime=0x1d82571, nFileSizeHigh=0x0, nFileSizeLow=0x2aac, dwReserved0=0x0, dwReserved1=0x0, cFileName="r64DJ-Ss6Z2PhehK.jpg", cAlternateFileName="R64DJ-~1.JPG")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ceb8e0, ftCreationTime.dwHighDateTime=0x1d823ea, ftLastAccessTime.dwLowDateTime=0xcf12c100, ftLastAccessTime.dwHighDateTime=0x1d82486, ftLastWriteTime.dwLowDateTime=0xcf12c100, ftLastWriteTime.dwHighDateTime=0x1d82486, nFileSizeHigh=0x0, nFileSizeLow=0x146ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="rloQMu5c-GxC4zr3Gf.swf", cAlternateFileName="RLOQMU~1.SWF")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13015f10, ftCreationTime.dwHighDateTime=0x1d825cd, ftLastAccessTime.dwLowDateTime=0x9d4afa70, ftLastAccessTime.dwHighDateTime=0x1d82760, ftLastWriteTime.dwLowDateTime=0x9d4afa70, ftLastWriteTime.dwHighDateTime=0x1d82760, nFileSizeHigh=0x0, nFileSizeLow=0x1fc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="rqFpkxvRIQQ_.wav", cAlternateFileName="RQFPKX~1.WAV")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x356b0c70, ftCreationTime.dwHighDateTime=0x1d82665, ftLastAccessTime.dwLowDateTime=0xc9ce6cf0, ftLastAccessTime.dwHighDateTime=0x1d827cc, ftLastWriteTime.dwLowDateTime=0xc9ce6cf0, ftLastWriteTime.dwHighDateTime=0x1d827cc, nFileSizeHigh=0x0, nFileSizeLow=0x13c38, dwReserved0=0x0, dwReserved1=0x0, cFileName="SVu-lUmZjtzZVrEivHI.gif", cAlternateFileName="SVU-LU~1.GIF")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5611db0, ftCreationTime.dwHighDateTime=0x1d82491, ftLastAccessTime.dwLowDateTime=0xbe2e40e0, ftLastAccessTime.dwHighDateTime=0x1d829a3, ftLastWriteTime.dwLowDateTime=0xbe2e40e0, ftLastWriteTime.dwHighDateTime=0x1d829a3, nFileSizeHigh=0x0, nFileSizeLow=0xf47a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tmjt46ivzmGJLB.ppt", cAlternateFileName="TMJT46~1.PPT")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c775940, ftCreationTime.dwHighDateTime=0x1d82a04, ftLastAccessTime.dwLowDateTime=0x2bcb35c0, ftLastAccessTime.dwHighDateTime=0x1d82a14, ftLastWriteTime.dwLowDateTime=0x2bcb35c0, ftLastWriteTime.dwHighDateTime=0x1d82a14, nFileSizeHigh=0x0, nFileSizeLow=0x10007, dwReserved0=0x0, dwReserved1=0x0, cFileName="txpRRLn2D.jpg", cAlternateFileName="TXPRRL~1.JPG")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15d0b780, ftCreationTime.dwHighDateTime=0x1d82042, ftLastAccessTime.dwLowDateTime=0x82179410, ftLastAccessTime.dwHighDateTime=0x1d82077, ftLastWriteTime.dwLowDateTime=0x82179410, ftLastWriteTime.dwHighDateTime=0x1d82077, nFileSizeHigh=0x0, nFileSizeLow=0xfc07, dwReserved0=0x0, dwReserved1=0x0, cFileName="ujzi_c.swf", cAlternateFileName="")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37b86830, ftCreationTime.dwHighDateTime=0x1d8211d, ftLastAccessTime.dwLowDateTime=0xe19c2010, ftLastAccessTime.dwHighDateTime=0x1d82944, ftLastWriteTime.dwLowDateTime=0xe19c2010, ftLastWriteTime.dwHighDateTime=0x1d82944, nFileSizeHigh=0x0, nFileSizeLow=0x1820d, dwReserved0=0x0, dwReserved1=0x0, cFileName="upibLQsn2F_Ad.wav", cAlternateFileName="UPIBLQ~1.WAV")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79d99f20, ftCreationTime.dwHighDateTime=0x1d819e5, ftLastAccessTime.dwLowDateTime=0x143f4a40, ftLastAccessTime.dwHighDateTime=0x1d824f1, ftLastWriteTime.dwLowDateTime=0x143f4a40, ftLastWriteTime.dwHighDateTime=0x1d824f1, nFileSizeHigh=0x0, nFileSizeLow=0x1fbd, dwReserved0=0x0, dwReserved1=0x0, cFileName="wOMfc5SjGAE a.pps", cAlternateFileName="WOMFC5~1.PPS")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x796e2fe0, ftCreationTime.dwHighDateTime=0x1d8294b, ftLastAccessTime.dwLowDateTime=0x5f277f60, ftLastAccessTime.dwHighDateTime=0x1d829f5, ftLastWriteTime.dwLowDateTime=0x5f277f60, ftLastWriteTime.dwHighDateTime=0x1d829f5, nFileSizeHigh=0x0, nFileSizeLow=0xdcb1, dwReserved0=0x0, dwReserved1=0x0, cFileName="wz2nYDFysrbRUqT.swf", cAlternateFileName="WZ2NYD~1.SWF")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bf837d0, ftCreationTime.dwHighDateTime=0x1d824cc, ftLastAccessTime.dwLowDateTime=0x145b8260, ftLastAccessTime.dwHighDateTime=0x1d82581, ftLastWriteTime.dwLowDateTime=0x145b8260, ftLastWriteTime.dwHighDateTime=0x1d82581, nFileSizeHigh=0x0, nFileSizeLow=0x10a76, dwReserved0=0x0, dwReserved1=0x0, cFileName="XarX.mp3", cAlternateFileName="")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc0cff10, ftCreationTime.dwHighDateTime=0x1d81fed, ftLastAccessTime.dwLowDateTime=0x4077c60, ftLastAccessTime.dwHighDateTime=0x1d821e0, ftLastWriteTime.dwLowDateTime=0x4077c60, ftLastWriteTime.dwHighDateTime=0x1d821e0, nFileSizeHigh=0x0, nFileSizeLow=0xbd85, dwReserved0=0x0, dwReserved1=0x0, cFileName="xImQcXgZ.gif", cAlternateFileName="")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1398df0, ftCreationTime.dwHighDateTime=0x1d82857, ftLastAccessTime.dwLowDateTime=0xdac0e0d0, ftLastAccessTime.dwHighDateTime=0x1d82883, ftLastWriteTime.dwLowDateTime=0xdac0e0d0, ftLastWriteTime.dwHighDateTime=0x1d82883, nFileSizeHigh=0x0, nFileSizeLow=0x1052d, dwReserved0=0x0, dwReserved1=0x0, cFileName="yb jiQAntYnxzFwzz.jpg", cAlternateFileName="YBJIQA~1.JPG")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda170a60, ftCreationTime.dwHighDateTime=0x1d8222f, ftLastAccessTime.dwLowDateTime=0xc7f1cf0, ftLastAccessTime.dwHighDateTime=0x1d82888, ftLastWriteTime.dwLowDateTime=0xc7f1cf0, ftLastWriteTime.dwHighDateTime=0x1d82888, nFileSizeHigh=0x0, nFileSizeLow=0x903a, dwReserved0=0x0, dwReserved1=0x0, cFileName="YssYwKH23NPbsGQUl.pptx", cAlternateFileName="YSSYWK~1.PPT")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xf9301951, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf9301951, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf9301951, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF3A515BE1EBE96124.TMP", cAlternateFileName="~DF3A5~1.TMP")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x966cdbcc, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966cdbcc, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966cdbcc, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF693F1CB0BE56B709.TMP", cAlternateFileName="~DF693~1.TMP")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966b2d4d, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966b2d4d, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966c3f90, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF7D668A32F29FF678.TMP", cAlternateFileName="~DF7D6~1.TMP")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xf65db879, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf65db879, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf65db879, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DFA67B34E0D55BF895.TMP", cAlternateFileName="~DFA67~1.TMP")) returned 1 [0267.042] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0267.042] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0267.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0267.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0267.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.044] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0267.044] WriteFile (in: hFile=0x42c, lpBuffer=0x12bbc000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12bbc000*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0267.046] CloseHandle (hObject=0x42c) returned 1 [0267.046] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\3JeOyHF.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\3jeoyhf.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x884124f0, ftCreationTime.dwHighDateTime=0x1d81d66, ftLastAccessTime.dwLowDateTime=0x6e293b20, ftLastAccessTime.dwHighDateTime=0x1d81d98, ftLastWriteTime.dwLowDateTime=0x6e293b20, ftLastWriteTime.dwHighDateTime=0x1d81d98, nFileSizeHigh=0x0, nFileSizeLow=0xc3b7)) returned 1 [0267.046] SetEvent (hEvent=0x104) returned 1 [0267.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\4Ck9GPqxNq.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4ck9gpqxnq.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46a7ae70, ftCreationTime.dwHighDateTime=0x1d82779, ftLastAccessTime.dwLowDateTime=0xd0a6eda0, ftLastAccessTime.dwHighDateTime=0x1d828fc, ftLastWriteTime.dwLowDateTime=0xd0a6eda0, ftLastWriteTime.dwHighDateTime=0x1d828fc, nFileSizeHigh=0x0, nFileSizeLow=0x143c4)) returned 1 [0267.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\5HAbN1aHwdYEqK.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\5habn1ahwdyeqk.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc00f7940, ftCreationTime.dwHighDateTime=0x1d8249b, ftLastAccessTime.dwLowDateTime=0x98a0db20, ftLastAccessTime.dwHighDateTime=0x1d826e3, ftLastWriteTime.dwLowDateTime=0x98a0db20, ftLastWriteTime.dwHighDateTime=0x1d826e3, nFileSizeHigh=0x0, nFileSizeLow=0x6e20)) returned 1 [0267.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7DwtJZlB.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7dwtjzlb.ots"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x111ecba0, ftCreationTime.dwHighDateTime=0x1d81d36, ftLastAccessTime.dwLowDateTime=0x8385a6e0, ftLastAccessTime.dwHighDateTime=0x1d82444, ftLastWriteTime.dwLowDateTime=0x8385a6e0, ftLastWriteTime.dwHighDateTime=0x1d82444, nFileSizeHigh=0x0, nFileSizeLow=0x68b2)) returned 1 [0267.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7J6Oqdxf.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7j6oqdxf.xls"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73935900, ftCreationTime.dwHighDateTime=0x1d8282f, ftLastAccessTime.dwLowDateTime=0x29289f20, ftLastAccessTime.dwHighDateTime=0x1d828fb, ftLastWriteTime.dwLowDateTime=0x29289f20, ftLastWriteTime.dwHighDateTime=0x1d828fb, nFileSizeHigh=0x0, nFileSizeLow=0x8d97)) returned 1 [0267.048] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7DwtJZlB.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7dwtjzlb.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.049] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0267.049] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7DwtJZlB.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7dwtjzlb.ots"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x111ecba0, ftCreationTime.dwHighDateTime=0x1d81d36, ftLastAccessTime.dwLowDateTime=0x8385a6e0, ftLastAccessTime.dwHighDateTime=0x1d82444, ftLastWriteTime.dwLowDateTime=0x8385a6e0, ftLastWriteTime.dwHighDateTime=0x1d82444, nFileSizeHigh=0x0, nFileSizeLow=0x68b2)) returned 1 [0267.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98ce0 | out: pbBuffer=0x12a98ce0) returned 1 [0267.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8110 | out: pbBuffer=0x128e8110) returned 1 [0267.060] ReadFile (in: hFile=0x42c, lpBuffer=0x12bc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bc4000*, lpNumberOfBytesRead=0x12829d1c*=0x68b2, lpOverlapped=0x0) returned 1 [0267.100] GetFileType (hFile=0x42c) returned 0x1 [0267.100] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.100] WriteFile (in: hFile=0x42c, lpBuffer=0x12d1a000*, nNumberOfBytesToWrite=0x68b2, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d1a000*, lpNumberOfBytesWritten=0x12829d00*=0x68b2, lpOverlapped=0x12829d0c) returned 1 [0267.101] GetFileType (hFile=0x42c) returned 0x1 [0267.101] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x68b2, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0267.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0267.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0267.111] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8418 | out: pbBuffer=0x128e8418) returned 1 [0267.120] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7DwtJZlB.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7dwtjzlb.ots"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.120] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0267.120] WriteFile (in: hFile=0x450, lpBuffer=0x12d3a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d3a000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.121] CloseHandle (hObject=0x450) returned 1 [0267.121] CloseHandle (hObject=0x42c) returned 1 [0267.121] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8430 | out: pbBuffer=0x128e8430) returned 1 [0267.121] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7DwtJZlB.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7dwtjzlb.ots"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[84A367A66772B702]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[84a367a66772b702]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7J6Oqdxf.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7j6oqdxf.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.124] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0267.125] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7J6Oqdxf.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7j6oqdxf.xls"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73935900, ftCreationTime.dwHighDateTime=0x1d8282f, ftLastAccessTime.dwLowDateTime=0x29289f20, ftLastAccessTime.dwHighDateTime=0x1d828fb, ftLastWriteTime.dwLowDateTime=0x29289f20, ftLastWriteTime.dwHighDateTime=0x1d828fb, nFileSizeHigh=0x0, nFileSizeLow=0x8d97)) returned 1 [0267.125] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98ee0 | out: pbBuffer=0x12a98ee0) returned 1 [0267.125] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8478 | out: pbBuffer=0x128e8478) returned 1 [0267.177] SwitchToThread () returned 1 [0267.181] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0267.184] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.184] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0267.185] SetEvent (hEvent=0x40c) returned 1 [0267.186] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0267.219] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.219] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0267.222] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.222] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0267.222] SetEvent (hEvent=0x1b8) returned 1 [0267.222] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0267.245] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.245] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\5HAbN1aHwdYEqK.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\5habn1ahwdyeqk.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.246] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.246] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\5HAbN1aHwdYEqK.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\5habn1ahwdyeqk.avi"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc00f7940, ftCreationTime.dwHighDateTime=0x1d8249b, ftLastAccessTime.dwLowDateTime=0x98a0db20, ftLastAccessTime.dwHighDateTime=0x1d826e3, ftLastWriteTime.dwLowDateTime=0x98a0db20, ftLastWriteTime.dwHighDateTime=0x1d826e3, nFileSizeHigh=0x0, nFileSizeLow=0x6e20)) returned 1 [0267.246] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0267.246] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0267.246] ReadFile (in: hFile=0x458, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12851d1c*=0x6e20, lpOverlapped=0x0) returned 1 [0267.247] GetFileType (hFile=0x458) returned 0x1 [0267.247] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.247] WriteFile (in: hFile=0x458, lpBuffer=0x12baa000*, nNumberOfBytesToWrite=0x6e20, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12baa000*, lpNumberOfBytesWritten=0x12851d00*=0x6e20, lpOverlapped=0x12851d0c) returned 1 [0267.248] GetFileType (hFile=0x458) returned 0x1 [0267.248] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x6e20, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.248] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0267.248] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0267.249] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0267.249] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340f0 | out: pbBuffer=0x12c340f0) returned 1 [0267.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\5HAbN1aHwdYEqK.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\5habn1ahwdyeqk.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.249] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.249] WriteFile (in: hFile=0x45c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.249] CloseHandle (hObject=0x45c) returned 1 [0267.357] SetEvent (hEvent=0x110) returned 1 [0267.357] CloseHandle (hObject=0x458) returned 1 [0267.360] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0267.360] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\5HAbN1aHwdYEqK.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\5habn1ahwdyeqk.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[72372ACD67B33063]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[72372acd67b33063]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.419] SetEvent (hEvent=0x110) returned 1 [0267.419] SetEvent (hEvent=0x40c) returned 1 [0267.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EPMgLenoE.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\epmglenoe.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.421] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EPMgLenoE.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\epmglenoe.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbddd8a60, ftCreationTime.dwHighDateTime=0x1d82796, ftLastAccessTime.dwLowDateTime=0xf1b38d70, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0xf1b38d70, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x1273f)) returned 1 [0267.421] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e740 | out: pbBuffer=0x1280e740) returned 1 [0267.421] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848588 | out: pbBuffer=0x12848588) returned 1 [0267.421] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0267.424] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.424] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0267.425] SetEvent (hEvent=0x40c) returned 1 [0267.425] ReadFile (in: hFile=0x450, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12851d1c*=0x1273f, lpOverlapped=0x0) returned 1 [0267.428] GetFileType (hFile=0x450) returned 0x1 [0267.428] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.428] WriteFile (in: hFile=0x450, lpBuffer=0x12ca4000*, nNumberOfBytesToWrite=0x1273f, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12ca4000*, lpNumberOfBytesWritten=0x12851d00*=0x1273f, lpOverlapped=0x12851d0c) returned 1 [0267.428] GetFileType (hFile=0x450) returned 0x1 [0267.428] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x1273f, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.428] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0267.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0267.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0267.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128486a0 | out: pbBuffer=0x128486a0) returned 1 [0267.429] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EPMgLenoE.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\epmglenoe.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.429] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.429] WriteFile (in: hFile=0x458, lpBuffer=0x128b0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.430] CloseHandle (hObject=0x458) returned 1 [0267.434] CloseHandle (hObject=0x450) returned 1 [0267.438] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a010 | out: pbBuffer=0x12a9a010) returned 1 [0267.438] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EPMgLenoE.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\epmglenoe.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[3BE52C07CF99C52D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[3be52c07cf99c52d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.502] SetEvent (hEvent=0x110) returned 1 [0267.502] SetEvent (hEvent=0x40c) returned 1 [0267.502] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JrFhAxKHX5fo_8-.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jrfhaxkhx5fo_8-.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.503] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.503] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JrFhAxKHX5fo_8-.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jrfhaxkhx5fo_8-.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3315510, ftCreationTime.dwHighDateTime=0x1d82767, ftLastAccessTime.dwLowDateTime=0x1a8b10c0, ftLastAccessTime.dwHighDateTime=0x1d82891, ftLastWriteTime.dwLowDateTime=0x1a8b10c0, ftLastWriteTime.dwHighDateTime=0x1d82891, nFileSizeHigh=0x0, nFileSizeLow=0xcae9)) returned 1 [0267.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98800 | out: pbBuffer=0x12a98800) returned 1 [0267.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810298 | out: pbBuffer=0x12810298) returned 1 [0267.503] ReadFile (in: hFile=0x450, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12851d1c*=0xcae9, lpOverlapped=0x0) returned 1 [0267.505] GetFileType (hFile=0x450) returned 0x1 [0267.505] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.505] WriteFile (in: hFile=0x450, lpBuffer=0x12a5e000*, nNumberOfBytesToWrite=0xcae9, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a5e000*, lpNumberOfBytesWritten=0x12851d00*=0xcae9, lpOverlapped=0x12851d0c) returned 1 [0267.506] GetFileType (hFile=0x450) returned 0x1 [0267.506] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xcae9, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0267.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0267.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0267.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810350 | out: pbBuffer=0x12810350) returned 1 [0267.506] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JrFhAxKHX5fo_8-.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jrfhaxkhx5fo_8-.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.507] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.507] WriteFile (in: hFile=0x45c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.507] CloseHandle (hObject=0x45c) returned 1 [0267.513] CloseHandle (hObject=0x450) returned 1 [0267.519] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810368 | out: pbBuffer=0x12810368) returned 1 [0267.519] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JrFhAxKHX5fo_8-.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jrfhaxkhx5fo_8-.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[72BE2CBEA1A8BE9F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[72be2cbea1a8be9f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.621] SetEvent (hEvent=0x40c) returned 1 [0267.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Qod0j-KX2DK56BunTz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\qod0j-kx2dk56buntz.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.622] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.622] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Qod0j-KX2DK56BunTz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\qod0j-kx2dk56buntz.swf"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70afb3b0, ftCreationTime.dwHighDateTime=0x1d82603, ftLastAccessTime.dwLowDateTime=0x98a7ef80, ftLastAccessTime.dwHighDateTime=0x1d82771, ftLastWriteTime.dwLowDateTime=0x98a7ef80, ftLastWriteTime.dwHighDateTime=0x1d82771, nFileSizeHigh=0x0, nFileSizeLow=0xcea)) returned 1 [0267.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99d40 | out: pbBuffer=0x12a99d40) returned 1 [0267.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811250 | out: pbBuffer=0x12811250) returned 1 [0267.623] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0267.629] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.630] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0267.630] SetEvent (hEvent=0x110) returned 1 [0267.630] SetEvent (hEvent=0x40c) returned 1 [0267.630] ReadFile (in: hFile=0x44c, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x12851d1c*=0xcea, lpOverlapped=0x0) returned 1 [0267.631] GetFileType (hFile=0x44c) returned 0x1 [0267.631] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.631] WriteFile (in: hFile=0x44c, lpBuffer=0x12d24000*, nNumberOfBytesToWrite=0xcea, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12d24000*, lpNumberOfBytesWritten=0x12851d00*=0xcea, lpOverlapped=0x12851d0c) returned 1 [0267.631] GetFileType (hFile=0x44c) returned 0x1 [0267.631] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xcea, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b601 | out: pbBuffer=0x1286b601) returned 1 [0267.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b701 | out: pbBuffer=0x1286b701) returned 1 [0267.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b801 | out: pbBuffer=0x1286b801) returned 1 [0267.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811308 | out: pbBuffer=0x12811308) returned 1 [0267.632] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Qod0j-KX2DK56BunTz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\qod0j-kx2dk56buntz.swf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.632] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.632] WriteFile (in: hFile=0x42c, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.633] CloseHandle (hObject=0x42c) returned 1 [0267.633] CloseHandle (hObject=0x44c) returned 1 [0267.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811320 | out: pbBuffer=0x12811320) returned 1 [0267.633] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Qod0j-KX2DK56BunTz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\qod0j-kx2dk56buntz.swf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[B8C8A860E9339BFB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[b8c8a860e9339bfb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.636] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0267.641] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.641] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0267.645] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.645] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x0 [0267.647] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb28, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb28, ulNumEntriesRemoved=0x33c2fb0c) returned 0 [0267.647] SetEvent (hEvent=0x104) returned 1 [0267.647] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x102 [0267.676] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34010 | out: pbBuffer=0x12c34010) returned 1 [0267.676] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MUUIz3me61vcXxlVyHi.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\muuiz3me61vcxxlvyhi.pps"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[DEF42BF948C98AA6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[def42bf948c98aa6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.677] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\SVu-lUmZjtzZVrEivHI.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\svu-lumzjtzzvreivhi.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.677] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\SVu-lUmZjtzZVrEivHI.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\svu-lumzjtzzvreivhi.gif"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x356b0c70, ftCreationTime.dwHighDateTime=0x1d82665, ftLastAccessTime.dwLowDateTime=0xc9ce6cf0, ftLastAccessTime.dwHighDateTime=0x1d827cc, ftLastWriteTime.dwLowDateTime=0xc9ce6cf0, ftLastWriteTime.dwHighDateTime=0x1d827cc, nFileSizeHigh=0x0, nFileSizeLow=0x13c38)) returned 1 [0267.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0267.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34058 | out: pbBuffer=0x12c34058) returned 1 [0267.678] ReadFile (in: hFile=0x42c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12851d1c*=0x13c38, lpOverlapped=0x0) returned 1 [0267.680] GetFileType (hFile=0x42c) returned 0x1 [0267.680] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.680] WriteFile (in: hFile=0x42c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x13c38, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12851d00*=0x13c38, lpOverlapped=0x12851d0c) returned 1 [0267.680] GetFileType (hFile=0x42c) returned 0x1 [0267.680] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x13c38, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc081 | out: pbBuffer=0x12afc081) returned 1 [0267.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0267.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0267.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34130 | out: pbBuffer=0x12c34130) returned 1 [0267.681] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\SVu-lUmZjtzZVrEivHI.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\svu-lumzjtzzvreivhi.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.681] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.681] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.681] CloseHandle (hObject=0x458) returned 1 [0267.682] CloseHandle (hObject=0x42c) returned 1 [0267.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34148 | out: pbBuffer=0x12c34148) returned 1 [0267.682] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\SVu-lUmZjtzZVrEivHI.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\svu-lumzjtzzvreivhi.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[9BAEE2536B168445]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[9baee2536b168445]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.768] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\dicts.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\dicts.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.781] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.781] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\dicts.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\dicts.dat"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf23fc808, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf23fc808, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf23fdb96, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0xa)) returned 1 [0267.781] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929f80 | out: pbBuffer=0x12929f80) returned 1 [0267.781] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a350 | out: pbBuffer=0x12a9a350) returned 1 [0267.781] ReadFile (in: hFile=0x450, lpBuffer=0x129f8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f8000*, lpNumberOfBytesRead=0x12851d1c*=0xa, lpOverlapped=0x0) returned 1 [0267.783] GetFileType (hFile=0x450) returned 0x1 [0267.783] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.783] WriteFile (in: hFile=0x450, lpBuffer=0x12a9a360*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a9a360*, lpNumberOfBytesWritten=0x12851d00*=0xa, lpOverlapped=0x12851d0c) returned 1 [0267.783] GetFileType (hFile=0x450) returned 0x1 [0267.783] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xa, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835781 | out: pbBuffer=0x12835781) returned 1 [0267.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835881 | out: pbBuffer=0x12835881) returned 1 [0267.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835981 | out: pbBuffer=0x12835981) returned 1 [0267.784] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a418 | out: pbBuffer=0x12a9a418) returned 1 [0267.784] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\dicts.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\dicts.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0267.784] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.784] WriteFile (in: hFile=0x45c, lpBuffer=0x12c33900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c33900*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.784] CloseHandle (hObject=0x45c) returned 1 [0267.788] CloseHandle (hObject=0x450) returned 1 [0267.788] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a430 | out: pbBuffer=0x12a9a430) returned 1 [0267.788] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\dicts.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\dicts.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\#_THIS_FILE_IS_ENCRYPTED_[A72B2FA448A061F7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\#_this_file_is_encrypted_[a72b2fa448a061f7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.843] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.878] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0267.886] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\r64DJ-Ss6Z2PhehK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\r64dj-ss6z2phehk.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.887] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.888] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\r64DJ-Ss6Z2PhehK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\r64dj-ss6z2phehk.jpg"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae8e3100, ftCreationTime.dwHighDateTime=0x1d81d90, ftLastAccessTime.dwLowDateTime=0xa24877a0, ftLastAccessTime.dwHighDateTime=0x1d82571, ftLastWriteTime.dwLowDateTime=0xa24877a0, ftLastWriteTime.dwHighDateTime=0x1d82571, nFileSizeHigh=0x0, nFileSizeLow=0x2aac)) returned 1 [0267.888] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0267.888] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0267.888] ReadFile (in: hFile=0x44c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x1282bd1c*=0x2aac, lpOverlapped=0x0) returned 1 [0267.889] GetFileType (hFile=0x44c) returned 0x1 [0267.889] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.890] WriteFile (in: hFile=0x44c, lpBuffer=0x12afe000*, nNumberOfBytesToWrite=0x2aac, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12afe000*, lpNumberOfBytesWritten=0x1282bd00*=0x2aac, lpOverlapped=0x1282bd0c) returned 1 [0267.890] GetFileType (hFile=0x44c) returned 0x1 [0267.890] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2aac, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.890] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0267.890] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0267.890] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0267.891] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0267.891] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\r64DJ-Ss6Z2PhehK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\r64dj-ss6z2phehk.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.891] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.891] WriteFile (in: hFile=0x42c, lpBuffer=0x12da4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12da4000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0267.891] CloseHandle (hObject=0x42c) returned 1 [0267.894] CloseHandle (hObject=0x44c) returned 1 [0267.899] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0267.899] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\r64DJ-Ss6Z2PhehK.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\r64dj-ss6z2phehk.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[0B1FBFADCF1E4C5E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[0b1fbfadcf1e4c5e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.278] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0269.478] SetEvent (hEvent=0x1b8) returned 1 [0269.478] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0270.140] SetEvent (hEvent=0xf4) returned 1 [0270.140] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0270.793] SetEvent (hEvent=0x1b8) returned 1 [0270.793] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0270.809] SetEvent (hEvent=0x1d0) returned 1 [0270.809] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\fb0d848f74f70bb2eaa93746d24d9749"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xa5c4b8fa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14a)) returned 1 [0270.809] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.660] SetEvent (hEvent=0x19c) returned 1 [0274.660] SetEvent (hEvent=0xf4) returned 1 [0274.660] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.663] SetEvent (hEvent=0x19c) returned 1 [0274.663] SetEvent (hEvent=0xf4) returned 1 [0274.663] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.667] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.673] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.735] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.784] SetEvent (hEvent=0x104) returned 1 [0274.785] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9776d1cd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9776d1cd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9776d1cd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1093)) returned 1 [0274.785] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.803] SetEvent (hEvent=0x104) returned 1 [0274.804] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97de9b8d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97de9b8d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97deae93, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c74)) returned 1 [0274.804] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.821] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.832] SetEvent (hEvent=0x1b8) returned 1 [0274.832] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0274.848] SetEvent (hEvent=0x104) returned 1 [0274.849] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98403091, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98403091, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98404408, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x23e7)) returned 1 [0274.867] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984400fa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984400fa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x984400fa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x10e6)) returned 1 [0274.928] SetEvent (hEvent=0x104) returned 1 [0274.928] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980f6e44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980f6e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980f6e44, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1cca)) returned 1 [0274.975] SetEvent (hEvent=0x1b8) returned 1 [0274.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9824557b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9824557b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9824557b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x15dc)) returned 1 [0275.004] SetEvent (hEvent=0xf4) returned 1 [0275.004] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978020a2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978020a2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x978034d1, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xe63)) returned 1 [0275.035] SetEvent (hEvent=0x104) returned 1 [0275.035] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983aecac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983aecac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983affea, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1318)) returned 1 [0275.136] SetEvent (hEvent=0x110) returned 1 [0275.136] SetEvent (hEvent=0x1b8) returned 1 [0275.136] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983bfdac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983bfdac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983bfdac, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1930)) returned 1 [0275.169] SetEvent (hEvent=0xf4) returned 1 [0275.169] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98c45cf1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c45cf1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c47043, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x15fe)) returned 1 [0275.203] SetEvent (hEvent=0x104) returned 1 [0275.203] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9879b688, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9879b688, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9879b688, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1831)) returned 1 [0275.247] SetEvent (hEvent=0x1b8) returned 1 [0275.247] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98ad5311, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98ad5311, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98ad5311, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc03)) returned 1 [0275.288] SetEvent (hEvent=0xf4) returned 1 [0275.288] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98913495, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98913495, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98913495, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x141f)) returned 1 [0275.329] SetEvent (hEvent=0x1d0) returned 1 [0275.329] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d5bf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d5bf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0275.336] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0275.336] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\*", lpFindFileData=0x128577d8 | out: lpFindFileData=0x128577d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d5bf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d5bf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0275.342] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d5bf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d5bf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0275.342] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9763f96c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9763f96c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9764341c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x515ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851216[[fn=apasixtheditionofficeonline]].xsl", cAlternateFileName="TM0285~2.XSL")) returned 1 [0275.342] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9779cbce, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9779cbce, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9779f2aa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851217[[fn=chicago]].xsl", cAlternateFileName="TM0285~4.XSL")) returned 1 [0275.342] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97625f0b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97625f0b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9762869a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4181d, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851218[[fn=gb]].xsl", cAlternateFileName="TM0285~1.XSL")) returned 1 [0275.342] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978514f8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978514f8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97853bdd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3e7cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851219[[fn=gostname]].xsl", cAlternateFileName="TM003E~1.XSL")) returned 1 [0275.342] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x976cbe5d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x976cbe5d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x976d0c4a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3d498, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851220[[fn=gosttitle]].xsl", cAlternateFileName="TM0285~3.XSL")) returned 1 [0275.343] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983d213f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d213f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d4a29, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x456ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851221[[fn=harvardanglia2008officeonline]].xsl", cAlternateFileName="TM8026~1.XSL")) returned 1 [0275.343] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x982fc8d7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x982fc8d7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x982fc8d7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x47d22, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851222[[fn=ieee2006officeonline]].xsl", cAlternateFileName="TMA855~1.XSL")) returned 1 [0275.343] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98050de7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98050de7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98055ce4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x41f76, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851223[[fn=iso690]].xsl", cAlternateFileName="TM536F~1.XSL")) returned 1 [0275.343] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x977efc44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x977efc44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x977f0f37, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x35031, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851224[[fn=iso690nmerical]].xsl", cAlternateFileName="TM9858~1.XSL")) returned 1 [0275.343] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9786c3ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9786c3ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9786d825, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3e39b, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851225[[fn=mlaseventheditionofficeonline]].xsl", cAlternateFileName="TM49BE~1.XSL")) returned 1 [0275.343] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x977a2c28, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x977a2c28, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x977a3fe6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x540ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851226[[fn=turabian]].xsl", cAlternateFileName="TME914~1.XSL")) returned 1 [0275.343] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9830edbc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9830edbc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98311346, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3d467, dwReserved0=0x0, dwReserved1=0x0, cFileName="TM02851227[[fn=sist02]].xsl", cAlternateFileName="TMC2F6~1.XSL")) returned 1 [0275.343] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0275.343] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0275.344] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128574a0 | out: lpFileInformation=0x128574a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0275.345] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0275.346] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.347] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128576b0 | out: lpMode=0x128576b0) returned 0 [0275.347] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128576b0, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128576b0*=0x118a, lpOverlapped=0x0) returned 1 [0275.349] CloseHandle (hObject=0x44c) returned 1 [0275.349] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851216[[fn=apasixtheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851216[[fn=apasixtheditionofficeonline]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9763f96c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9763f96c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9764341c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x515ca)) returned 1 [0275.349] SetEvent (hEvent=0x1d0) returned 1 [0275.350] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851217[[fn=chicago]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851217[[fn=chicago]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9779cbce, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9779cbce, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9779f2aa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486d2)) returned 1 [0275.350] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851216[[fn=apasixtheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851216[[fn=apasixtheditionofficeonline]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.351] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.351] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851216[[fn=apasixtheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851216[[fn=apasixtheditionofficeonline]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9763f96c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9763f96c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9764341c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x515ca)) returned 1 [0275.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88ce0 | out: pbBuffer=0x12b88ce0) returned 1 [0275.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8ce0 | out: pbBuffer=0x128e8ce0) returned 1 [0275.351] ReadFile (in: hFile=0x44c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.364] GetFileType (hFile=0x44c) returned 0x1 [0275.364] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.364] WriteFile (in: hFile=0x44c, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0275.365] GetFileType (hFile=0x44c) returned 0x1 [0275.365] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.365] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0275.365] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0275.365] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0275.366] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8d98 | out: pbBuffer=0x128e8d98) returned 1 [0275.366] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851216[[fn=apasixtheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851216[[fn=apasixtheditionofficeonline]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0275.366] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.366] WriteFile (in: hFile=0x460, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.373] CloseHandle (hObject=0x460) returned 1 [0275.373] CloseHandle (hObject=0x44c) returned 1 [0275.373] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8dc0 | out: pbBuffer=0x128e8dc0) returned 1 [0275.373] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851216[[fn=apasixtheditionofficeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851216[[fn=apasixtheditionofficeonline]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[1E74F1D36D46AEE6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[1e74f1d36d46aee6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.375] SetEvent (hEvent=0x1d0) returned 1 [0275.375] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851217[[fn=chicago]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851217[[fn=chicago]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.376] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.376] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851217[[fn=chicago]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851217[[fn=chicago]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9779cbce, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9779cbce, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9779f2aa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486d2)) returned 1 [0275.376] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88ee0 | out: pbBuffer=0x12b88ee0) returned 1 [0275.376] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8e08 | out: pbBuffer=0x128e8e08) returned 1 [0275.376] ReadFile (in: hFile=0x44c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.384] GetFileType (hFile=0x44c) returned 0x1 [0275.384] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.384] WriteFile (in: hFile=0x44c, lpBuffer=0x12baa000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12baa000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0275.385] GetFileType (hFile=0x44c) returned 0x1 [0275.385] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.385] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0275.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0275.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0275.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8ec0 | out: pbBuffer=0x128e8ec0) returned 1 [0275.386] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851217[[fn=chicago]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851217[[fn=chicago]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.390] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.390] WriteFile (in: hFile=0x45c, lpBuffer=0x12b12500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.394] CloseHandle (hObject=0x45c) returned 1 [0275.394] CloseHandle (hObject=0x44c) returned 1 [0275.394] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8ed8 | out: pbBuffer=0x128e8ed8) returned 1 [0275.394] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851217[[fn=chicago]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851217[[fn=chicago]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[2222D9552DAFD4A9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[2222d9552dafd4a9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.396] SetEvent (hEvent=0x40c) returned 1 [0275.396] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851218[[fn=gb]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851218[[fn=gb]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.397] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.397] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851218[[fn=gb]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851218[[fn=gb]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97625f0b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97625f0b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9762869a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4181d)) returned 1 [0275.398] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b890e0 | out: pbBuffer=0x12b890e0) returned 1 [0275.398] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8f20 | out: pbBuffer=0x128e8f20) returned 1 [0275.398] ReadFile (in: hFile=0x44c, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.407] GetFileType (hFile=0x44c) returned 0x1 [0275.407] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.407] WriteFile (in: hFile=0x44c, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0275.408] GetFileType (hFile=0x44c) returned 0x1 [0275.408] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0275.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0275.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835081 | out: pbBuffer=0x12835081) returned 1 [0275.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8fd8 | out: pbBuffer=0x128e8fd8) returned 1 [0275.410] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851218[[fn=gb]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851218[[fn=gb]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0275.410] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.410] WriteFile (in: hFile=0x42c, lpBuffer=0x12b12f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.415] CloseHandle (hObject=0x42c) returned 1 [0275.415] CloseHandle (hObject=0x44c) returned 1 [0275.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8ff0 | out: pbBuffer=0x128e8ff0) returned 1 [0275.415] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851218[[fn=gb]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851218[[fn=gb]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[902377323D8BB4AD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[902377323d8bb4ad]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.418] SetEvent (hEvent=0x1d0) returned 1 [0275.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851219[[fn=gostname]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851219[[fn=gostname]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0275.419] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.419] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851219[[fn=gostname]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851219[[fn=gostname]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978514f8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978514f8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97853bdd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3e7cc)) returned 1 [0275.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b892e0 | out: pbBuffer=0x12b892e0) returned 1 [0275.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9038 | out: pbBuffer=0x128e9038) returned 1 [0275.420] ReadFile (in: hFile=0x44c, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.435] GetFileType (hFile=0x44c) returned 0x1 [0275.435] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.435] WriteFile (in: hFile=0x44c, lpBuffer=0x12d84000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d84000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0275.436] GetFileType (hFile=0x44c) returned 0x1 [0275.436] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835281 | out: pbBuffer=0x12835281) returned 1 [0275.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835381 | out: pbBuffer=0x12835381) returned 1 [0275.437] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835481 | out: pbBuffer=0x12835481) returned 1 [0275.437] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e96c8 | out: pbBuffer=0x128e96c8) returned 1 [0275.437] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851219[[fn=gostname]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851219[[fn=gostname]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.437] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.437] WriteFile (in: hFile=0x45c, lpBuffer=0x12b13400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b13400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.438] CloseHandle (hObject=0x45c) returned 1 [0275.438] CloseHandle (hObject=0x44c) returned 1 [0275.438] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e96e0 | out: pbBuffer=0x128e96e0) returned 1 [0275.438] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851219[[fn=gostname]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851219[[fn=gostname]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[804FB9129A8230D4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[804fb9129a8230d4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.486] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0275.494] SetEvent (hEvent=0x1d0) returned 1 [0275.494] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851222[[fn=ieee2006officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851222[[fn=ieee2006officeonline]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0275.495] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0275.495] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851222[[fn=ieee2006officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851222[[fn=ieee2006officeonline]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x982fc8d7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x982fc8d7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x982fc8d7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x47d22)) returned 1 [0275.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928440 | out: pbBuffer=0x12928440) returned 1 [0275.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34150 | out: pbBuffer=0x12c34150) returned 1 [0275.496] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0x1) returned 0x0 [0275.498] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2fb20, ulCount=0x10, ulNumEntriesRemoved=0x33c2fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2fb20, ulNumEntriesRemoved=0x33c2fb04) returned 0 [0275.498] SetEvent (hEvent=0x110) returned 1 [0275.498] SetEvent (hEvent=0x1d0) returned 1 [0275.498] ReadFile (in: hFile=0x460, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.505] GetFileType (hFile=0x460) returned 0x1 [0275.505] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0275.506] WriteFile (in: hFile=0x460, lpBuffer=0x129f6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x129f6000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0275.506] GetFileType (hFile=0x460) returned 0x1 [0275.506] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0275.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0275.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0275.508] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0275.508] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34208 | out: pbBuffer=0x12c34208) returned 1 [0275.508] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851222[[fn=ieee2006officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851222[[fn=ieee2006officeonline]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0275.508] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0275.509] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0275.512] CloseHandle (hObject=0x42c) returned 1 [0275.519] CloseHandle (hObject=0x460) returned 1 [0275.532] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34010 | out: pbBuffer=0x12c34010) returned 1 [0275.532] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851222[[fn=ieee2006officeonline]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851222[[fn=ieee2006officeonline]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[AD376B4D0130D2DB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[ad376b4d0130d2db]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.559] SetEvent (hEvent=0x104) returned 1 [0275.559] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851226[[fn=turabian]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851226[[fn=turabian]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0275.560] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0275.560] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851226[[fn=turabian]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851226[[fn=turabian]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x977a2c28, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x977a2c28, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x977a3fe6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x540ef)) returned 1 [0275.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129287e0 | out: pbBuffer=0x129287e0) returned 1 [0275.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34260 | out: pbBuffer=0x12c34260) returned 1 [0275.560] ReadFile (in: hFile=0x460, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.566] GetFileType (hFile=0x460) returned 0x1 [0275.566] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0275.567] WriteFile (in: hFile=0x460, lpBuffer=0x12bca000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12bca000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0275.567] GetFileType (hFile=0x460) returned 0x1 [0275.567] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0275.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0275.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0275.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0275.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34318 | out: pbBuffer=0x12c34318) returned 1 [0275.568] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851226[[fn=turabian]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851226[[fn=turabian]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0275.568] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0275.568] WriteFile (in: hFile=0x458, lpBuffer=0x128ae500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0275.571] CloseHandle (hObject=0x458) returned 1 [0275.571] CloseHandle (hObject=0x460) returned 1 [0275.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34330 | out: pbBuffer=0x12c34330) returned 1 [0275.572] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851226[[fn=turabian]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851226[[fn=turabian]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[BC86CF1B3AD914A5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[bc86cf1b3ad914a5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0276.274] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.000] SetEvent (hEvent=0x19c) returned 1 [0278.000] SetEvent (hEvent=0x104) returned 1 [0278.000] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.006] SetEvent (hEvent=0x1d0) returned 1 [0278.006] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.598] SetEvent (hEvent=0xf4) returned 1 [0278.598] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.615] SetEvent (hEvent=0xf4) returned 1 [0278.615] SwitchToThread () returned 1 [0278.619] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.647] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.685] SetEvent (hEvent=0xf4) returned 1 [0278.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\KudpMCK-wvfm_.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\kudpmck-wvfm_.flv"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x350e8f50, ftCreationTime.dwHighDateTime=0x1d829ac, ftLastAccessTime.dwLowDateTime=0xd8cc7e00, ftLastAccessTime.dwHighDateTime=0x1d829fb, ftLastWriteTime.dwLowDateTime=0xd8cc7e00, ftLastWriteTime.dwHighDateTime=0x1d829fb, nFileSizeHigh=0x0, nFileSizeLow=0xac40)) returned 1 [0278.686] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.712] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.768] SetEvent (hEvent=0xf4) returned 1 [0278.768] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Ptd_CEMx.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ptd_cemx.png"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc108da10, ftCreationTime.dwHighDateTime=0x1d81bab, ftLastAccessTime.dwLowDateTime=0x8ab3dfa0, ftLastAccessTime.dwHighDateTime=0x1d8242a, ftLastWriteTime.dwLowDateTime=0x8ab3dfa0, ftLastWriteTime.dwHighDateTime=0x1d8242a, nFileSizeHigh=0x0, nFileSizeLow=0xe623)) returned 1 [0278.768] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.789] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.816] SetEvent (hEvent=0xf4) returned 1 [0278.816] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpScI-7TEgyIuDUZNpN.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\upsci-7tegyiuduznpn.png"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33445370, ftCreationTime.dwHighDateTime=0x1d81b02, ftLastAccessTime.dwLowDateTime=0x53e41800, ftLastAccessTime.dwHighDateTime=0x1d82105, ftLastWriteTime.dwLowDateTime=0x53e41800, ftLastWriteTime.dwHighDateTime=0x1d82105, nFileSizeHigh=0x0, nFileSizeLow=0xe56e)) returned 1 [0278.816] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.843] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.844] SetEvent (hEvent=0xf4) returned 1 [0278.844] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.846] SetEvent (hEvent=0xf4) returned 1 [0278.847] SetEvent (hEvent=0x19c) returned 1 [0278.847] SwitchToThread () returned 1 [0278.848] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.872] SetEvent (hEvent=0x19c) returned 1 [0278.872] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\We0X6gEqRDhiUH6OA.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\we0x6geqrdhiuh6oa.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62222ed0, ftCreationTime.dwHighDateTime=0x1d81c6d, ftLastAccessTime.dwLowDateTime=0xc42d3520, ftLastAccessTime.dwHighDateTime=0x1d821f9, ftLastWriteTime.dwLowDateTime=0xc42d3520, ftLastWriteTime.dwHighDateTime=0x1d821f9, nFileSizeHigh=0x0, nFileSizeLow=0x17f86)) returned 1 [0278.873] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.898] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0278.940] SetEvent (hEvent=0x19c) returned 1 [0278.940] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2SKrQAol.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2skrqaol.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d5e2e70, ftCreationTime.dwHighDateTime=0x1d81e04, ftLastAccessTime.dwLowDateTime=0xaf72ba0, ftLastAccessTime.dwHighDateTime=0x1d829c0, ftLastWriteTime.dwLowDateTime=0xaf72ba0, ftLastWriteTime.dwHighDateTime=0x1d829c0, nFileSizeHigh=0x0, nFileSizeLow=0x6e6c)) returned 1 [0278.940] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0279.118] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0279.149] SetEvent (hEvent=0x19c) returned 1 [0279.149] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z_rpRFXyhj7uRUyh_aBs.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z_rprfxyhj7uruyh_abs.docx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb682a30, ftCreationTime.dwHighDateTime=0x1d81aaf, ftLastAccessTime.dwLowDateTime=0x8d4e5d30, ftLastAccessTime.dwHighDateTime=0x1d81d72, ftLastWriteTime.dwLowDateTime=0x8d4e5d30, ftLastWriteTime.dwHighDateTime=0x1d81d72, nFileSizeHigh=0x0, nFileSizeLow=0x73e9)) returned 1 [0279.150] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0279.192] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0279.221] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0279.497] SwitchToThread () returned 1 [0280.153] SetEvent (hEvent=0x19c) returned 1 [0280.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ed3OEBOHI5YM1zXSFg m.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ed3oebohi5ym1zxsfg m.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89ddbc50, ftCreationTime.dwHighDateTime=0x1d81b55, ftLastAccessTime.dwLowDateTime=0x156723e0, ftLastAccessTime.dwHighDateTime=0x1d82990, ftLastWriteTime.dwLowDateTime=0x156723e0, ftLastWriteTime.dwHighDateTime=0x1d82990, nFileSizeHigh=0x0, nFileSizeLow=0x36af)) returned 1 [0280.154] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0281.768] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0290.184] SetEvent (hEvent=0xfc) returned 1 [0290.184] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\DT6iMyJba.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\dt6imyjba.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c106f0, ftCreationTime.dwHighDateTime=0x1d81dd6, ftLastAccessTime.dwLowDateTime=0x884da520, ftLastAccessTime.dwHighDateTime=0x1d828f8, ftLastWriteTime.dwLowDateTime=0x884da520, ftLastWriteTime.dwHighDateTime=0x1d828f8, nFileSizeHigh=0x0, nFileSizeLow=0x705e)) returned 1 [0290.184] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0291.478] SetEvent (hEvent=0x1b8) returned 1 [0291.487] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0291.579] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0291.980] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0292.031] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2facc, ulCount=0x10, ulNumEntriesRemoved=0x33c2fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33c2facc, ulNumEntriesRemoved=0x33c2fab0) returned 0 [0292.032] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33c2facc, ulCount=0x10, ulNumEntriesRemoved=0x33c2fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x33c2facc, ulNumEntriesRemoved=0x33c2fab0) returned 1 [0304.876] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x12c2e014, lpcbTransfer=0x33c2faac, fWait=0, lpdwFlags=0x33c2fabc | out: lpcbTransfer=0x33c2faac, lpdwFlags=0x33c2fabc) returned 1 [0305.593] SetEvent (hEvent=0x420) returned 1 [0305.929] WSARecv (in: s=0x1a4, lpBuffers=0x12c2e040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x12c2e034, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014, lpCompletionRoutine=0x0 | out: lpBuffers=0x12c2e040*=((len=0x18a3, buf=0x12afe000)), lpNumberOfBytesRecvd=0x12c2e034*=0x129, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014) returned 0xffffffff [0306.014] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0306.304] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0316.669] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) returned 0x0 [0316.782] SwitchToThread () returned 1 [0316.822] WaitForSingleObject (hHandle=0x3f8, dwMilliseconds=0xffffffff) Thread: id = 15 os_tid = 0xfe0 [0132.007] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x33d6ff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x33d6ff30*=0x414) returned 1 [0132.008] VirtualQuery (in: lpAddress=0x33d6ff40, lpBuffer=0x33d6ff40, dwLength=0x1c | out: lpBuffer=0x33d6ff40*(BaseAddress=0x33d6f000, AllocationBase=0x33c70000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.008] SetEvent (hEvent=0x10c) returned 1 [0132.008] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.008] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.008] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.008] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.008] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x40c [0132.008] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0132.101] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0132.110] SetEvent (hEvent=0x10c) returned 1 [0132.110] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.111] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.111] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.111] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.111] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0132.208] SetEvent (hEvent=0x10c) returned 1 [0132.208] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.208] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.208] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.208] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.209] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0132.294] SetEvent (hEvent=0x10c) returned 1 [0132.294] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0132.294] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0132.294] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0132.362] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0133.210] SetEvent (hEvent=0x10c) returned 1 [0133.210] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0133.211] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0133.211] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0133.211] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui\\*", lpFindFileData=0x12921a44 | out: lpFindFileData=0x12921a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0133.211] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0164.952] SetEvent (hEvent=0xf4) returned 1 [0164.952] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0166.187] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0166.188] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0166.189] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12921ad0 | out: lpFileInformation=0x12921ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x644b4868, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x410e)) returned 1 [0166.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a32e20 | out: pbBuffer=0x12a32e20) returned 1 [0166.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849b38 | out: pbBuffer=0x12849b38) returned 1 [0166.189] VirtualAlloc (lpAddress=0x12cae000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12cae000 [0166.190] VirtualAlloc (lpAddress=0x12cce000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12cce000 [0166.239] ReadFile (in: hFile=0x1a0, lpBuffer=0x12cae000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12921d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cae000*, lpNumberOfBytesRead=0x12921d1c*=0x410e, lpOverlapped=0x0) returned 1 [0166.304] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0166.345] SwitchToThread () returned 1 [0166.361] SetEvent (hEvent=0x3f8) returned 1 [0166.667] SetEvent (hEvent=0x10c) returned 1 [0166.823] SetEvent (hEvent=0x10c) returned 1 [0166.980] SetEvent (hEvent=0x10c) returned 1 [0167.025] SetEvent (hEvent=0x10c) returned 1 [0167.025] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835381 | out: pbBuffer=0x12835381) returned 1 [0167.025] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0167.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a101 | out: pbBuffer=0x1286a101) returned 1 [0167.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a281 | out: pbBuffer=0x1286a281) returned 1 [0167.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810060 | out: pbBuffer=0x12810060) returned 1 [0167.443] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0167.443] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0167.444] WriteFile (in: hFile=0x1a0, lpBuffer=0x12916000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12916000*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0167.444] CloseHandle (hObject=0x1a0) returned 1 [0167.459] CloseHandle (hObject=0x19c) returned 1 [0167.459] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810078 | out: pbBuffer=0x12810078) returned 1 [0167.460] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[4E3BF3552D1FC51D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[4e3bf3552d1fc51d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0167.462] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0167.463] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0167.463] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x643e5724, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x8f06)) returned 1 [0167.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e3a0 | out: pbBuffer=0x1280e3a0) returned 1 [0167.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128100c0 | out: pbBuffer=0x128100c0) returned 1 [0167.464] ReadFile (in: hFile=0x19c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12925d1c*=0x8f06, lpOverlapped=0x0) returned 1 [0167.495] GetFileType (hFile=0x19c) returned 0x1 [0167.496] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.496] WriteFile (in: hFile=0x19c, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x8f06, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x12925d00*=0x8f06, lpOverlapped=0x12925d0c) returned 1 [0167.496] GetFileType (hFile=0x19c) returned 0x1 [0167.496] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x8f06, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0167.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0167.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0167.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810188 | out: pbBuffer=0x12810188) returned 1 [0167.497] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0167.497] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0167.497] WriteFile (in: hFile=0x41c, lpBuffer=0x12916500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12916500*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0167.499] CloseHandle (hObject=0x41c) returned 1 [0167.528] CloseHandle (hObject=0x19c) returned 1 [0167.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101a0 | out: pbBuffer=0x128101a0) returned 1 [0167.599] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[7B206129DF018425]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[7b206129df018425]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0167.689] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0167.699] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0167.771] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0167.802] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0167.838] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0167.866] SetEvent (hEvent=0x1d0) returned 1 [0167.867] SwitchToThread () returned 1 [0167.903] SetEvent (hEvent=0x1d0) returned 1 [0167.903] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0167.929] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0167.929] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0167.953] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0167.953] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0167.954] SetEvent (hEvent=0xfc) returned 1 [0167.954] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0168.011] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0168.011] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0168.663] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0169.376] SetEvent (hEvent=0xfc) returned 1 [0169.376] SetEvent (hEvent=0x1d0) returned 1 [0169.376] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0170.175] SetEvent (hEvent=0x1b8) returned 1 [0170.175] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0170.179] SetEvent (hEvent=0x1b8) returned 1 [0170.179] SetEvent (hEvent=0xfc) returned 1 [0170.179] SwitchToThread () returned 1 [0170.182] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0170.204] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0170.253] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0170.394] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0170.492] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0170.603] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0173.769] SetEvent (hEvent=0x19c) returned 1 [0173.769] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0173.816] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0173.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0174.025] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848e50 | out: pbBuffer=0x12848e50) returned 1 [0174.116] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0174.116] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0174.116] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.116] CloseHandle (hObject=0x1a0) returned 1 [0174.118] CloseHandle (hObject=0x42c) returned 1 [0174.119] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848e68 | out: pbBuffer=0x12848e68) returned 1 [0174.119] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), lpNewFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\#_THIS_FILE_IS_ENCRYPTED_[7E20F71967736CE9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\#_this_file_is_encrypted_[7e20f71967736ce9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.120] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0174.218] SetEvent (hEvent=0x19c) returned 1 [0174.218] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0174.219] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0174.219] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c)) returned 1 [0174.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a981a0 | out: pbBuffer=0x12a981a0) returned 1 [0174.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ed0 | out: pbBuffer=0x12848ed0) returned 1 [0174.220] ReadFile (in: hFile=0x42c, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12a67d1c*=0x3a7c, lpOverlapped=0x0) returned 1 [0174.337] SetEvent (hEvent=0x110) returned 1 [0174.337] GetFileType (hFile=0x42c) returned 0x1 [0174.337] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.337] WriteFile (in: hFile=0x42c, lpBuffer=0x12be8000*, nNumberOfBytesToWrite=0x3a7c, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12be8000*, lpNumberOfBytesWritten=0x12a67d00*=0x3a7c, lpOverlapped=0x12a67d0c) returned 1 [0174.338] GetFileType (hFile=0x42c) returned 0x1 [0174.338] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x3a7c, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0174.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0174.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0174.338] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a5d0 | out: pbBuffer=0x12a9a5d0) returned 1 [0174.339] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0174.339] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0174.339] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.339] CloseHandle (hObject=0x1a0) returned 1 [0174.341] CloseHandle (hObject=0x42c) returned 1 [0174.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a5e8 | out: pbBuffer=0x12a9a5e8) returned 1 [0174.341] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="C:\\ProgramData\\Microsoft\\MF\\#_THIS_FILE_IS_ENCRYPTED_[98FFE3AA4ED6BE06]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\mf\\#_this_file_is_encrypted_[98ffe3aa4ed6be06]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.343] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0174.381] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0174.391] SetEvent (hEvent=0x10c) returned 1 [0174.392] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.392] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0174.392] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0174.392] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eae0 | out: pbBuffer=0x1280eae0) returned 1 [0174.392] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a808 | out: pbBuffer=0x12a9a808) returned 1 [0174.393] ReadFile (in: hFile=0x428, lpBuffer=0x129f6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f6000*, lpNumberOfBytesRead=0x12923d1c*=0x10f, lpOverlapped=0x0) returned 1 [0174.394] GetFileType (hFile=0x428) returned 0x1 [0174.394] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.395] WriteFile (in: hFile=0x428, lpBuffer=0x12bef200*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12bef200*, lpNumberOfBytesWritten=0x12923d00*=0x10f, lpOverlapped=0x12923d0c) returned 1 [0174.395] GetFileType (hFile=0x428) returned 0x1 [0174.395] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0174.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0174.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0174.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a8c0 | out: pbBuffer=0x12a9a8c0) returned 1 [0174.396] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.396] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0174.396] WriteFile (in: hFile=0x3c4, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12923d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12923d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.421] CloseHandle (hObject=0x3c4) returned 1 [0174.424] CloseHandle (hObject=0x428) returned 1 [0174.424] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a8d8 | out: pbBuffer=0x12a9a8d8) returned 1 [0174.425] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\#_THIS_FILE_IS_ENCRYPTED_[2209A0125D034E1F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\#_this_file_is_encrypted_[2209a0125d034e1f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.441] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0174.450] SetEvent (hEvent=0x10c) returned 1 [0174.451] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.451] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0174.451] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e3a2a4, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e3a2a4, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e60513, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e)) returned 1 [0174.451] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0174.451] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849048 | out: pbBuffer=0x12849048) returned 1 [0174.452] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0174.492] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0174.512] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0174.512] SetEvent (hEvent=0x110) returned 1 [0174.513] SetEvent (hEvent=0x10c) returned 1 [0174.514] ReadFile (in: hFile=0x428, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a67d1c*=0x71e, lpOverlapped=0x0) returned 1 [0174.519] GetFileType (hFile=0x428) returned 0x1 [0174.519] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.519] WriteFile (in: hFile=0x428, lpBuffer=0x12a4c000*, nNumberOfBytesToWrite=0x71e, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12a4c000*, lpNumberOfBytesWritten=0x12a67d00*=0x71e, lpOverlapped=0x12a67d0c) returned 1 [0174.520] GetFileType (hFile=0x428) returned 0x1 [0174.520] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x71e, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0174.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0174.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0174.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849100 | out: pbBuffer=0x12849100) returned 1 [0174.521] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.521] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0174.521] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c2e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e500*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.522] CloseHandle (hObject=0x3c4) returned 1 [0174.525] CloseHandle (hObject=0x428) returned 1 [0174.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849128 | out: pbBuffer=0x12849128) returned 1 [0174.526] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[D959BBD2FEF5D87E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\#_this_file_is_encrypted_[d959bbd2fef5d87e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.528] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0174.533] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0174.534] SetEvent (hEvent=0x10c) returned 1 [0174.534] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0174.542] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0174.542] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x0 [0174.544] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0174.544] SetEvent (hEvent=0x110) returned 1 [0174.544] SetEvent (hEvent=0x19c) returned 1 [0174.544] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0174.550] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0174.550] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.551] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0174.551] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e)) returned 1 [0174.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0174.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0174.552] ReadFile (in: hFile=0x3c4, lpBuffer=0x12c8c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c8c000*, lpNumberOfBytesRead=0x12925d1c*=0x71e, lpOverlapped=0x0) returned 1 [0174.576] GetFileType (hFile=0x3c4) returned 0x1 [0174.576] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.576] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a4c800*, nNumberOfBytesToWrite=0x71e, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12a4c800*, lpNumberOfBytesWritten=0x12925d00*=0x71e, lpOverlapped=0x12925d0c) returned 1 [0174.576] GetFileType (hFile=0x3c4) returned 0x1 [0174.576] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x71e, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0174.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0174.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0174.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914560 | out: pbBuffer=0x12914560) returned 1 [0174.577] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0174.578] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0174.578] WriteFile (in: hFile=0x15c, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.578] CloseHandle (hObject=0x15c) returned 1 [0174.582] CloseHandle (hObject=0x3c4) returned 1 [0174.582] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914578 | out: pbBuffer=0x12914578) returned 1 [0174.582] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\power_1.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[4EF15D820765AEF0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\#_this_file_is_encrypted_[4ef15d820765aef0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.583] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.584] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.584] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa102a24e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa102a24e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0174.584] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0174.584] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145c0 | out: pbBuffer=0x129145c0) returned 1 [0174.585] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ccc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ccc000*, lpNumberOfBytesRead=0x12927d1c*=0x10f, lpOverlapped=0x0) returned 1 [0174.587] GetFileType (hFile=0x3c4) returned 0x1 [0174.587] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.587] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a517a0*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12a517a0*, lpNumberOfBytesWritten=0x12927d00*=0x10f, lpOverlapped=0x12927d0c) returned 1 [0174.587] GetFileType (hFile=0x3c4) returned 0x1 [0174.587] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.587] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0174.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0174.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0174.588] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914688 | out: pbBuffer=0x12914688) returned 1 [0174.588] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0174.588] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.588] WriteFile (in: hFile=0x15c, lpBuffer=0x12c2ea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2ea00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.618] SetEvent (hEvent=0x110) returned 1 [0174.619] CloseHandle (hObject=0x15c) returned 1 [0174.620] CloseHandle (hObject=0x3c4) returned 1 [0174.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848438 | out: pbBuffer=0x12848438) returned 1 [0174.620] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\#_THIS_FILE_IS_ENCRYPTED_[B390714CB830659D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\#_this_file_is_encrypted_[b390714cb830659d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.621] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0174.637] SetEvent (hEvent=0x10c) returned 1 [0174.637] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.637] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0174.637] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12921ad0 | out: lpFileInformation=0x12921ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168)) returned 1 [0174.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844240 | out: pbBuffer=0x12844240) returned 1 [0174.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810108 | out: pbBuffer=0x12810108) returned 1 [0174.638] ReadFile (in: hFile=0x3c4, lpBuffer=0x12d16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12921d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d16000*, lpNumberOfBytesRead=0x12921d1c*=0x168, lpOverlapped=0x0) returned 1 [0174.639] GetFileType (hFile=0x3c4) returned 0x1 [0174.639] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.639] WriteFile (in: hFile=0x3c4, lpBuffer=0x128f2780*, nNumberOfBytesToWrite=0x168, lpNumberOfBytesWritten=0x12921d00, lpOverlapped=0x12921d0c | out: lpBuffer=0x128f2780*, lpNumberOfBytesWritten=0x12921d00*=0x168, lpOverlapped=0x12921d0c) returned 1 [0174.639] GetFileType (hFile=0x3c4) returned 0x1 [0174.639] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x168, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.640] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0174.640] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0174.640] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0174.640] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101c0 | out: pbBuffer=0x128101c0) returned 1 [0174.640] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0174.640] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0174.640] WriteFile (in: hFile=0x15c, lpBuffer=0x12c22000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12921d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22000*, lpNumberOfBytesWritten=0x12921d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.697] CloseHandle (hObject=0x15c) returned 1 [0174.701] CloseHandle (hObject=0x3c4) returned 1 [0174.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848490 | out: pbBuffer=0x12848490) returned 1 [0174.701] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\power_1.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[28AF6B31E47274C5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\#_this_file_is_encrypted_[28af6b31e47274c5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.977] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0174.977] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0174.977] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12921ad0 | out: lpFileInformation=0x12921ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13e3f24, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13e3f24, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139)) returned 1 [0174.977] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0174.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0174.987] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b4c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12921d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b4c000*, lpNumberOfBytesRead=0x12921d1c*=0x139, lpOverlapped=0x0) returned 1 [0174.988] GetFileType (hFile=0x3c4) returned 0x1 [0174.988] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.988] WriteFile (in: hFile=0x3c4, lpBuffer=0x12866000*, nNumberOfBytesToWrite=0x139, lpNumberOfBytesWritten=0x12921d00, lpOverlapped=0x12921d0c | out: lpBuffer=0x12866000*, lpNumberOfBytesWritten=0x12921d00*=0x139, lpOverlapped=0x12921d0c) returned 1 [0174.988] GetFileType (hFile=0x3c4) returned 0x1 [0174.988] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x139, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.988] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0174.989] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0174.989] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0174.989] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0174.989] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0174.989] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0174.989] WriteFile (in: hFile=0x43c, lpBuffer=0x12c88000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12921d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c88000*, lpNumberOfBytesWritten=0x12921d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.119] CloseHandle (hObject=0x43c) returned 1 [0175.135] CloseHandle (hObject=0x3c4) returned 1 [0175.148] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483d8 | out: pbBuffer=0x128483d8) returned 1 [0175.149] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[1A051E767A432201]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\#_this_file_is_encrypted_[1a051e767a432201]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.263] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0175.303] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0175.331] SetEvent (hEvent=0xfc) returned 1 [0175.331] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0175.344] SetEvent (hEvent=0xfc) returned 1 [0175.344] SetEvent (hEvent=0x420) returned 1 [0175.344] SetEvent (hEvent=0x1d0) returned 1 [0175.344] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0175.424] SetEvent (hEvent=0x3f8) returned 1 [0175.424] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0176.024] SwitchToThread () returned 1 [0176.052] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0176.224] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0176.324] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0176.324] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0176.372] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0176.372] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1692b03, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x36b, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0176.372] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa166c88f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0176.372] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0176.372] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0176.372] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0176.373] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.374] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.374] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0176.375] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0176.375] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0176.376] CloseHandle (hObject=0x1a0) returned 1 [0176.376] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa166c88f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0176.377] SetEvent (hEvent=0xfc) returned 1 [0176.377] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0176.377] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0176.377] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0176.377] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0176.377] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0176.377] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1646620, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1646620, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0176.377] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0176.377] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0176.378] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.378] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.378] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0176.378] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0176.378] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0176.380] CloseHandle (hObject=0x1a0) returned 1 [0176.381] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0176.436] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0176.436] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0176.436] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0176.436] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0176.437] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0176.437] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0176.437] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.437] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0176.437] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0176.438] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0176.438] WriteFile (in: hFile=0x438, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0176.439] CloseHandle (hObject=0x438) returned 1 [0176.440] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b)) returned 1 [0176.440] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1646620, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1646620, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcb)) returned 1 [0176.441] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1692b03, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x36b)) returned 1 [0176.441] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0176.501] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0176.501] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0176.558] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0176.655] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6facc, ulCount=0x10, ulNumEntriesRemoved=0x33d6fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x33d6facc, ulNumEntriesRemoved=0x33d6fab0) returned 1 [0193.909] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x33d6faac, fWait=0, lpdwFlags=0x33d6fabc | out: lpcbTransfer=0x33d6faac, lpdwFlags=0x33d6fabc) returned 1 [0194.580] SetEvent (hEvent=0x3f8) returned 1 [0194.580] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0194.625] SetEvent (hEvent=0x1d0) returned 1 [0194.627] SwitchToThread () returned 1 [0194.700] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0194.852] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0194.852] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0195.042] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0195.069] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0195.082] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0195.082] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0195.110] SetEvent (hEvent=0x110) returned 1 [0195.110] SetEvent (hEvent=0x3f4) returned 1 [0195.123] SetEvent (hEvent=0x3f8) returned 1 [0195.123] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0195.205] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0195.205] SetEvent (hEvent=0x1d0) returned 1 [0195.205] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0195.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0195.418] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0195.418] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4302da2a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4302da2a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x430ec4ba, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19b3)) returned 1 [0195.418] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0195.418] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8018 | out: pbBuffer=0x128e8018) returned 1 [0195.419] ReadFile (in: hFile=0x448, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x19b3, lpOverlapped=0x0) returned 1 [0195.557] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0195.843] GetFileType (hFile=0x448) returned 0x1 [0195.843] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0195.843] WriteFile (in: hFile=0x448, lpBuffer=0x12ce4000*, nNumberOfBytesToWrite=0x19b3, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12ce4000*, lpNumberOfBytesWritten=0x1282fd00*=0x19b3, lpOverlapped=0x1282fd0c) returned 1 [0195.843] GetFileType (hFile=0x448) returned 0x1 [0195.843] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x19b3, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0196.040] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0196.040] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0196.040] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0196.206] SetEvent (hEvent=0x1d0) returned 1 [0196.206] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0196.635] SetEvent (hEvent=0x3cc) returned 1 [0196.635] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0196.723] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0196.767] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0196.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0196.781] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0196.781] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\08_video_rated_at_4_or_5_stars.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3fc)) returned 1 [0196.781] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0196.781] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0196.781] ReadFile (in: hFile=0x1a0, lpBuffer=0x12cf0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf0000*, lpNumberOfBytesRead=0x12829d1c*=0x3fc, lpOverlapped=0x0) returned 1 [0196.785] GetFileType (hFile=0x1a0) returned 0x1 [0196.785] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0196.785] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287e400*, nNumberOfBytesToWrite=0x3fc, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x1287e400*, lpNumberOfBytesWritten=0x12829d00*=0x3fc, lpOverlapped=0x12829d0c) returned 1 [0196.786] GetFileType (hFile=0x1a0) returned 0x1 [0196.786] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3fc, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0196.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0196.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0196.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0196.786] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810130 | out: pbBuffer=0x12810130) returned 1 [0196.787] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0196.787] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0196.787] WriteFile (in: hFile=0x3c4, lpBuffer=0x12cee000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12cee000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0196.787] CloseHandle (hObject=0x3c4) returned 1 [0196.791] CloseHandle (hObject=0x1a0) returned 1 [0196.864] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810148 | out: pbBuffer=0x12810148) returned 1 [0196.864] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[73075979514ECC67]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[73075979514ecc67]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.996] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0197.004] SetEvent (hEvent=0xfc) returned 1 [0197.004] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\12_All_Video.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0197.004] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0197.004] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\12_All_Video.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\12_all_video.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fe83ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x437)) returned 1 [0197.005] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98660 | out: pbBuffer=0x12a98660) returned 1 [0197.005] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e85b0 | out: pbBuffer=0x128e85b0) returned 1 [0197.005] ReadFile (in: hFile=0x15c, lpBuffer=0x12ca8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca8000*, lpNumberOfBytesRead=0x12829d1c*=0x437, lpOverlapped=0x0) returned 1 [0197.026] GetFileType (hFile=0x15c) returned 0x1 [0197.026] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0197.026] WriteFile (in: hFile=0x15c, lpBuffer=0x12aee480*, nNumberOfBytesToWrite=0x437, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12aee480*, lpNumberOfBytesWritten=0x12829d00*=0x437, lpOverlapped=0x12829d0c) returned 1 [0197.026] GetFileType (hFile=0x15c) returned 0x1 [0197.027] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x437, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0197.027] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b081 | out: pbBuffer=0x1286b081) returned 1 [0197.027] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b181 | out: pbBuffer=0x1286b181) returned 1 [0197.027] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b281 | out: pbBuffer=0x1286b281) returned 1 [0197.027] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8668 | out: pbBuffer=0x128e8668) returned 1 [0197.027] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\12_All_Video.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\12_all_video.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0197.028] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0197.028] WriteFile (in: hFile=0x3c4, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0197.028] CloseHandle (hObject=0x3c4) returned 1 [0197.039] CloseHandle (hObject=0x15c) returned 1 [0197.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8680 | out: pbBuffer=0x128e8680) returned 1 [0197.046] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\12_All_Video.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\12_all_video.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[A9B3BD3CBACD7AD0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[a9b3bd3cbacd7ad0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.180] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0431222D-6E07-4867-BED3-3672DEAE6648" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0431222d-6e07-4867-bed3-3672deae6648"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0197.181] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0197.181] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0431222D-6E07-4867-BED3-3672DEAE6648" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0431222d-6e07-4867-bed3-3672deae6648"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb2bc31, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb2bc31, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb2d062, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2b3a)) returned 1 [0197.181] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928580 | out: pbBuffer=0x12928580) returned 1 [0197.181] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102b8 | out: pbBuffer=0x128102b8) returned 1 [0197.182] ReadFile (in: hFile=0x15c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a6fd1c*=0x2b3a, lpOverlapped=0x0) returned 1 [0197.192] GetFileType (hFile=0x15c) returned 0x1 [0197.192] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0197.192] WriteFile (in: hFile=0x15c, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x2b3a, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12a6fd00*=0x2b3a, lpOverlapped=0x12a6fd0c) returned 1 [0197.193] GetFileType (hFile=0x15c) returned 0x1 [0197.193] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x2b3a, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0197.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0197.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc81 | out: pbBuffer=0x12afcc81) returned 1 [0197.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd81 | out: pbBuffer=0x12afcd81) returned 1 [0197.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810370 | out: pbBuffer=0x12810370) returned 1 [0197.194] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0431222D-6E07-4867-BED3-3672DEAE6648" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0431222d-6e07-4867-bed3-3672deae6648"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.194] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0197.194] WriteFile (in: hFile=0x1a0, lpBuffer=0x12ceef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ceef00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0197.194] CloseHandle (hObject=0x1a0) returned 1 [0197.197] CloseHandle (hObject=0x15c) returned 1 [0197.200] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810388 | out: pbBuffer=0x12810388) returned 1 [0197.200] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0431222D-6E07-4867-BED3-3672DEAE6648" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0431222d-6e07-4867-bed3-3672deae6648"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[A56E53AA686DBC52]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[a56e53aa686dbc52]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.385] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0197.396] SetEvent (hEvent=0x19c) returned 1 [0197.397] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0FFEDD2D-75F1-4D91-8A68-D07299430A95" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0ffedd2d-75f1-4d91-8a68-d07299430a95"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0197.397] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0197.397] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0FFEDD2D-75F1-4D91-8A68-D07299430A95" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0ffedd2d-75f1-4d91-8a68-d07299430a95"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c946be, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c946be, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c946be, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14b50)) returned 1 [0197.397] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0197.397] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0197.397] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a6fd1c*=0x14b50, lpOverlapped=0x0) returned 1 [0197.462] GetFileType (hFile=0x3c4) returned 0x1 [0197.462] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0197.463] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d30000*, nNumberOfBytesToWrite=0x14b50, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12d30000*, lpNumberOfBytesWritten=0x12a6fd00*=0x14b50, lpOverlapped=0x12a6fd0c) returned 1 [0197.463] GetFileType (hFile=0x3c4) returned 0x1 [0197.463] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x14b50, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0197.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0197.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0197.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0197.464] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128488b0 | out: pbBuffer=0x128488b0) returned 1 [0197.464] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0FFEDD2D-75F1-4D91-8A68-D07299430A95" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0ffedd2d-75f1-4d91-8a68-d07299430a95"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.464] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0197.464] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0197.464] CloseHandle (hObject=0x1a0) returned 1 [0197.475] CloseHandle (hObject=0x3c4) returned 1 [0197.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128488c8 | out: pbBuffer=0x128488c8) returned 1 [0197.481] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0FFEDD2D-75F1-4D91-8A68-D07299430A95" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\0ffedd2d-75f1-4d91-8a68-d07299430a95"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[8D8426A1DC596DAA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[8d8426a1dc596daa]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.640] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0197.643] SetEvent (hEvent=0x1d0) returned 1 [0197.643] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\15A1ED83-2E0D-4739-B941-AD1703A61A1C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\15a1ed83-2e0d-4739-b941-ad1703a61a1c"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0197.644] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0197.644] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\15A1ED83-2E0D-4739-B941-AD1703A61A1C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\15a1ed83-2e0d-4739-b941-ad1703a61a1c"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d9ad45, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d9ad45, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d9ad45, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x812e)) returned 1 [0197.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844460 | out: pbBuffer=0x12844460) returned 1 [0197.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810450 | out: pbBuffer=0x12810450) returned 1 [0197.645] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12a4bd1c*=0x812e, lpOverlapped=0x0) returned 1 [0197.652] GetFileType (hFile=0x3c4) returned 0x1 [0197.652] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0197.652] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d66000*, nNumberOfBytesToWrite=0x812e, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12d66000*, lpNumberOfBytesWritten=0x12a4bd00*=0x812e, lpOverlapped=0x12a4bd0c) returned 1 [0197.652] GetFileType (hFile=0x3c4) returned 0x1 [0197.652] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x812e, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0197.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0197.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0197.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0197.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810508 | out: pbBuffer=0x12810508) returned 1 [0197.653] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\15A1ED83-2E0D-4739-B941-AD1703A61A1C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\15a1ed83-2e0d-4739-b941-ad1703a61a1c"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.653] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0197.653] WriteFile (in: hFile=0x1a0, lpBuffer=0x128f6500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x128f6500*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0197.654] CloseHandle (hObject=0x1a0) returned 1 [0197.656] CloseHandle (hObject=0x3c4) returned 1 [0197.659] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810520 | out: pbBuffer=0x12810520) returned 1 [0197.659] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\15A1ED83-2E0D-4739-B941-AD1703A61A1C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\15a1ed83-2e0d-4739-b941-ad1703a61a1c"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[33E68887F5FA7A80]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[33e68887f5fa7a80]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.793] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0197.913] SetEvent (hEvent=0x1d0) returned 1 [0197.913] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1E1D102B-3E38-42D5-97CF-F307C2E53FA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1e1d102b-3e38-42d5-97cf-f307c2e53fa9"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0197.913] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0197.913] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1E1D102B-3E38-42D5-97CF-F307C2E53FA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1e1d102b-3e38-42d5-97cf-f307c2e53fa9"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f20e3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f20e3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9f20e3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x80bb)) returned 1 [0197.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ed80 | out: pbBuffer=0x1280ed80) returned 1 [0197.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128496f0 | out: pbBuffer=0x128496f0) returned 1 [0197.913] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12a73d1c*=0x80bb, lpOverlapped=0x0) returned 1 [0197.918] GetFileType (hFile=0x3c4) returned 0x1 [0197.918] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0197.918] WriteFile (in: hFile=0x3c4, lpBuffer=0x12cc4000*, nNumberOfBytesToWrite=0x80bb, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12cc4000*, lpNumberOfBytesWritten=0x12a73d00*=0x80bb, lpOverlapped=0x12a73d0c) returned 1 [0197.919] GetFileType (hFile=0x3c4) returned 0x1 [0197.919] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x80bb, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0197.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835581 | out: pbBuffer=0x12835581) returned 1 [0197.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835681 | out: pbBuffer=0x12835681) returned 1 [0197.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835781 | out: pbBuffer=0x12835781) returned 1 [0197.930] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128497c8 | out: pbBuffer=0x128497c8) returned 1 [0197.930] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1E1D102B-3E38-42D5-97CF-F307C2E53FA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1e1d102b-3e38-42d5-97cf-f307c2e53fa9"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0197.930] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0197.930] WriteFile (in: hFile=0x1a0, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0197.931] CloseHandle (hObject=0x1a0) returned 1 [0197.934] CloseHandle (hObject=0x3c4) returned 1 [0197.939] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849800 | out: pbBuffer=0x12849800) returned 1 [0197.939] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1E1D102B-3E38-42D5-97CF-F307C2E53FA9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\1e1d102b-3e38-42d5-97cf-f307c2e53fa9"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[D36192AB781C5742]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[d36192ab781c5742]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.113] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0198.123] SetEvent (hEvent=0x19c) returned 1 [0198.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\292EB0B0-CEFD-4710-B2BC-B6DEBB11376B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\292eb0b0-cefd-4710-b2bc-b6debb11376b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0198.123] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0198.123] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\292EB0B0-CEFD-4710-B2BC-B6DEBB11376B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\292eb0b0-cefd-4710-b2bc-b6debb11376b"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a897d3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a897d3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a8ab48, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1fdd)) returned 1 [0198.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0198.124] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0198.124] ReadFile (in: hFile=0x438, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a73d1c*=0x1fdd, lpOverlapped=0x0) returned 1 [0198.130] GetFileType (hFile=0x438) returned 0x1 [0198.130] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0198.130] WriteFile (in: hFile=0x438, lpBuffer=0x12ae8000*, nNumberOfBytesToWrite=0x1fdd, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12ae8000*, lpNumberOfBytesWritten=0x12a73d00*=0x1fdd, lpOverlapped=0x12a73d0c) returned 1 [0198.131] GetFileType (hFile=0x438) returned 0x1 [0198.131] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x1fdd, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0198.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0198.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0198.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0198.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0198.132] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\292EB0B0-CEFD-4710-B2BC-B6DEBB11376B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\292eb0b0-cefd-4710-b2bc-b6debb11376b"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.132] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0198.132] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b44000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0198.133] CloseHandle (hObject=0x1a0) returned 1 [0198.137] CloseHandle (hObject=0x438) returned 1 [0198.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0198.140] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\292EB0B0-CEFD-4710-B2BC-B6DEBB11376B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\292eb0b0-cefd-4710-b2bc-b6debb11376b"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[11E1B6B582099597]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[11e1b6b582099597]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.323] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0198.342] SetEvent (hEvent=0x19c) returned 1 [0198.342] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2EC88447-26FF-4E32-8D81-5ABC75AE65DB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2ec88447-26ff-4e32-8d81-5abc75ae65db"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0198.343] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0198.343] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2EC88447-26FF-4E32-8D81-5ABC75AE65DB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2ec88447-26ff-4e32-8d81-5abc75ae65db"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a80f08, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a80f08, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a883fc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x507)) returned 1 [0198.343] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0198.343] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109c8 | out: pbBuffer=0x128109c8) returned 1 [0198.343] ReadFile (in: hFile=0x15c, lpBuffer=0x129f8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f8000*, lpNumberOfBytesRead=0x12a73d1c*=0x507, lpOverlapped=0x0) returned 1 [0198.345] GetFileType (hFile=0x15c) returned 0x1 [0198.345] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0198.345] WriteFile (in: hFile=0x15c, lpBuffer=0x129ee000*, nNumberOfBytesToWrite=0x507, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x129ee000*, lpNumberOfBytesWritten=0x12a73d00*=0x507, lpOverlapped=0x12a73d0c) returned 1 [0198.356] GetFileType (hFile=0x15c) returned 0x1 [0198.356] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x507, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0198.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0198.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0198.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0198.357] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810a80 | out: pbBuffer=0x12810a80) returned 1 [0198.357] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2EC88447-26FF-4E32-8D81-5ABC75AE65DB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2ec88447-26ff-4e32-8d81-5abc75ae65db"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.358] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0198.358] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b14500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b14500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0198.401] CloseHandle (hObject=0x1a0) returned 1 [0198.408] CloseHandle (hObject=0x15c) returned 1 [0198.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810a98 | out: pbBuffer=0x12810a98) returned 1 [0198.412] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2EC88447-26FF-4E32-8D81-5ABC75AE65DB" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2ec88447-26ff-4e32-8d81-5abc75ae65db"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[308BCE05AE4EDB6C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[308bce05ae4edb6c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.624] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0198.711] SetEvent (hEvent=0x1d0) returned 1 [0198.711] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ba4462f-9de4-49de-b3b4-c55de0bc2436"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.711] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0198.712] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ba4462f-9de4-49de-b3b4-c55de0bc2436"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829648ac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829648ac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829648ac, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x63f1)) returned 1 [0198.712] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0198.712] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a048 | out: pbBuffer=0x12a9a048) returned 1 [0198.712] ReadFile (in: hFile=0x1a0, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a73d1c*=0x63f1, lpOverlapped=0x0) returned 1 [0198.763] GetFileType (hFile=0x1a0) returned 0x1 [0198.763] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0198.763] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a18000*, nNumberOfBytesToWrite=0x63f1, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12a18000*, lpNumberOfBytesWritten=0x12a73d00*=0x63f1, lpOverlapped=0x12a73d0c) returned 1 [0198.763] GetFileType (hFile=0x1a0) returned 0x1 [0198.764] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x63f1, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0198.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0198.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0198.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0198.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a110 | out: pbBuffer=0x12a9a110) returned 1 [0198.765] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ba4462f-9de4-49de-b3b4-c55de0bc2436"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0198.765] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0198.765] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0198.765] CloseHandle (hObject=0x3c4) returned 1 [0198.771] CloseHandle (hObject=0x1a0) returned 1 [0198.780] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a128 | out: pbBuffer=0x12a9a128) returned 1 [0198.781] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ba4462f-9de4-49de-b3b4-c55de0bc2436"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[92C94528F47F544B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[92c94528f47f544b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.907] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0198.914] SetEvent (hEvent=0x3f4) returned 1 [0198.914] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3FFAE199-5C90-4A06-AA16-96546E1FDFD1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ffae199-5c90-4a06-aa16-96546e1fdfd1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.915] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0198.915] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3FFAE199-5C90-4A06-AA16-96546E1FDFD1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ffae199-5c90-4a06-aa16-96546e1fdfd1"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d79e71, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d79e71, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d7b256, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2aee)) returned 1 [0198.915] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282c0 | out: pbBuffer=0x129282c0) returned 1 [0198.915] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a6f0 | out: pbBuffer=0x12a9a6f0) returned 1 [0198.915] ReadFile (in: hFile=0x1a0, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12a6dd1c*=0x2aee, lpOverlapped=0x0) returned 1 [0198.920] GetFileType (hFile=0x1a0) returned 0x1 [0198.920] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0198.920] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d82000*, nNumberOfBytesToWrite=0x2aee, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12d82000*, lpNumberOfBytesWritten=0x12a6dd00*=0x2aee, lpOverlapped=0x12a6dd0c) returned 1 [0198.921] GetFileType (hFile=0x1a0) returned 0x1 [0198.921] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2aee, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0198.921] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0198.921] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0198.921] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0198.921] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a7a8 | out: pbBuffer=0x12a9a7a8) returned 1 [0198.922] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3FFAE199-5C90-4A06-AA16-96546E1FDFD1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ffae199-5c90-4a06-aa16-96546e1fdfd1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0198.922] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0198.922] WriteFile (in: hFile=0x438, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.922] CloseHandle (hObject=0x438) returned 1 [0198.923] CloseHandle (hObject=0x1a0) returned 1 [0198.927] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a7c0 | out: pbBuffer=0x12a9a7c0) returned 1 [0198.927] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3FFAE199-5C90-4A06-AA16-96546E1FDFD1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3ffae199-5c90-4a06-aa16-96546e1fdfd1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[0707417B4CDAE800]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[0707417b4cdae800]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.027] SetEvent (hEvent=0x110) returned 1 [0199.027] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0199.029] SetEvent (hEvent=0x3f4) returned 1 [0199.029] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4BCC7FD4-613C-4B15-9DBE-908105E4ED54" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4bcc7fd4-613c-4b15-9dbe-908105e4ed54"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0199.030] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0199.030] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4BCC7FD4-613C-4B15-9DBE-908105E4ED54" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4bcc7fd4-613c-4b15-9dbe-908105e4ed54"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc847f2b8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc847f2b8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc847f2b8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcec)) returned 1 [0199.030] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e780 | out: pbBuffer=0x1280e780) returned 1 [0199.030] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128107f0 | out: pbBuffer=0x128107f0) returned 1 [0199.030] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a6fd1c*=0xcec, lpOverlapped=0x0) returned 1 [0199.040] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0199.041] SetEvent (hEvent=0x3f4) returned 1 [0199.041] GetFileType (hFile=0x1a0) returned 0x1 [0199.041] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0199.041] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0xcec, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12a6fd00*=0xcec, lpOverlapped=0x12a6fd0c) returned 1 [0199.041] GetFileType (hFile=0x1a0) returned 0x1 [0199.041] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xcec, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0199.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0199.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0199.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0199.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128108a8 | out: pbBuffer=0x128108a8) returned 1 [0199.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4BCC7FD4-613C-4B15-9DBE-908105E4ED54" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4bcc7fd4-613c-4b15-9dbe-908105e4ed54"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.043] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0199.043] WriteFile (in: hFile=0x438, lpBuffer=0x12a90a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.044] CloseHandle (hObject=0x438) returned 1 [0199.047] CloseHandle (hObject=0x1a0) returned 1 [0199.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848408 | out: pbBuffer=0x12848408) returned 1 [0199.050] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4BCC7FD4-613C-4B15-9DBE-908105E4ED54" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4bcc7fd4-613c-4b15-9dbe-908105e4ed54"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[EFBBD9B56A94A444]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[efbbd9b56a94a444]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.180] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0199.182] SetEvent (hEvent=0x1d0) returned 1 [0199.182] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F9F0AEF-1D87-4F0C-910C-0ADC7E172289" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f9f0aef-1d87-4f0c-910c-0adc7e172289"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0199.183] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0199.183] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F9F0AEF-1D87-4F0C-910C-0ADC7E172289" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f9f0aef-1d87-4f0c-910c-0adc7e172289"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84da778, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84da778, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84db9c3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x438)) returned 1 [0199.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0199.183] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810170 | out: pbBuffer=0x12810170) returned 1 [0199.183] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a4bd1c*=0x438, lpOverlapped=0x0) returned 1 [0199.186] GetFileType (hFile=0x1a0) returned 0x1 [0199.186] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0199.186] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a4e480*, nNumberOfBytesToWrite=0x438, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12a4e480*, lpNumberOfBytesWritten=0x12a4bd00*=0x438, lpOverlapped=0x12a4bd0c) returned 1 [0199.186] GetFileType (hFile=0x1a0) returned 0x1 [0199.187] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x438, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0199.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0199.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0199.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0199.187] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810228 | out: pbBuffer=0x12810228) returned 1 [0199.187] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F9F0AEF-1D87-4F0C-910C-0ADC7E172289" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f9f0aef-1d87-4f0c-910c-0adc7e172289"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.187] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0199.187] WriteFile (in: hFile=0x438, lpBuffer=0x12a90500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90500*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.188] CloseHandle (hObject=0x438) returned 1 [0199.189] CloseHandle (hObject=0x1a0) returned 1 [0199.248] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0199.249] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F9F0AEF-1D87-4F0C-910C-0ADC7E172289" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f9f0aef-1d87-4f0c-910c-0adc7e172289"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[FCBB187FD5FF9067]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[fcbb187fd5ff9067]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.330] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0199.334] SetEvent (hEvent=0x1d0) returned 1 [0199.334] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B268694-C256-497F-B57F-0B2D793CBA10" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b268694-c256-497f-b57f-0b2d793cba10"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0199.335] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0199.335] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B268694-C256-497F-B57F-0B2D793CBA10" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b268694-c256-497f-b57f-0b2d793cba10"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b14252, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b14252, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b14252, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x23c3)) returned 1 [0199.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282a0 | out: pbBuffer=0x129282a0) returned 1 [0199.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848fa8 | out: pbBuffer=0x12848fa8) returned 1 [0199.335] ReadFile (in: hFile=0x1a0, lpBuffer=0x129c8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x129c8000*, lpNumberOfBytesRead=0x12a73d1c*=0x23c3, lpOverlapped=0x0) returned 1 [0199.339] GetFileType (hFile=0x1a0) returned 0x1 [0199.339] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.339] WriteFile (in: hFile=0x1a0, lpBuffer=0x129e8000*, nNumberOfBytesToWrite=0x23c3, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x129e8000*, lpNumberOfBytesWritten=0x12a73d00*=0x23c3, lpOverlapped=0x12a73d0c) returned 1 [0199.340] GetFileType (hFile=0x1a0) returned 0x1 [0199.341] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x23c3, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0199.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0199.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0199.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849080 | out: pbBuffer=0x12849080) returned 1 [0199.341] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B268694-C256-497F-B57F-0B2D793CBA10" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b268694-c256-497f-b57f-0b2d793cba10"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.342] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0199.342] WriteFile (in: hFile=0x438, lpBuffer=0x128b2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b2500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0199.342] CloseHandle (hObject=0x438) returned 1 [0199.343] CloseHandle (hObject=0x1a0) returned 1 [0199.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849098 | out: pbBuffer=0x12849098) returned 1 [0199.346] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B268694-C256-497F-B57F-0B2D793CBA10" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5b268694-c256-497f-b57f-0b2d793cba10"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[88E0A56B06EEBDE4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[88e0a56b06eebde4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.663] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0199.669] SetEvent (hEvent=0x1d0) returned 1 [0199.669] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6B8DE11F-3D5A-48C6-81AA-977DA661E2C5" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6b8de11f-3d5a-48c6-81aa-977da661e2c5"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0199.669] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0199.669] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6B8DE11F-3D5A-48C6-81AA-977DA661E2C5" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6b8de11f-3d5a-48c6-81aa-977da661e2c5"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabbd098a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabbd098a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabbd1d40, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x242b)) returned 1 [0199.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98660 | out: pbBuffer=0x12a98660) returned 1 [0199.670] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810f30 | out: pbBuffer=0x12810f30) returned 1 [0199.670] ReadFile (in: hFile=0x1a0, lpBuffer=0x12bb8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bb8000*, lpNumberOfBytesRead=0x12a6dd1c*=0x242b, lpOverlapped=0x0) returned 1 [0199.675] GetFileType (hFile=0x1a0) returned 0x1 [0199.675] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0199.675] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a18000*, nNumberOfBytesToWrite=0x242b, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12a18000*, lpNumberOfBytesWritten=0x12a6dd00*=0x242b, lpOverlapped=0x12a6dd0c) returned 1 [0199.675] GetFileType (hFile=0x1a0) returned 0x1 [0199.675] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x242b, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0199.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af01 | out: pbBuffer=0x1286af01) returned 1 [0199.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b081 | out: pbBuffer=0x1286b081) returned 1 [0199.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b181 | out: pbBuffer=0x1286b181) returned 1 [0199.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810fe8 | out: pbBuffer=0x12810fe8) returned 1 [0199.676] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6B8DE11F-3D5A-48C6-81AA-977DA661E2C5" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6b8de11f-3d5a-48c6-81aa-977da661e2c5"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.678] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0199.678] WriteFile (in: hFile=0x438, lpBuffer=0x12a91400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a91400*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.678] CloseHandle (hObject=0x438) returned 1 [0199.688] CloseHandle (hObject=0x1a0) returned 1 [0199.692] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811000 | out: pbBuffer=0x12811000) returned 1 [0199.693] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6B8DE11F-3D5A-48C6-81AA-977DA661E2C5" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6b8de11f-3d5a-48c6-81aa-977da661e2c5"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[2B1C847F76FDF360]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[2b1c847f76fdf360]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.822] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0199.825] SetEvent (hEvent=0x3f4) returned 1 [0199.825] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e87ffa6-570d-4f3c-832c-0f0ed39d0de2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0199.826] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0199.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e87ffa6-570d-4f3c-832c-0f0ed39d0de2"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b980a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b980a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b99326, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x401d)) returned 1 [0199.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0199.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848068 | out: pbBuffer=0x12848068) returned 1 [0199.826] ReadFile (in: hFile=0x1a0, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a6fd1c*=0x401d, lpOverlapped=0x0) returned 1 [0199.830] GetFileType (hFile=0x1a0) returned 0x1 [0199.830] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0199.830] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x401d, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12a6fd00*=0x401d, lpOverlapped=0x12a6fd0c) returned 1 [0199.830] GetFileType (hFile=0x1a0) returned 0x1 [0199.830] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x401d, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0199.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0199.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0199.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0199.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0199.832] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e87ffa6-570d-4f3c-832c-0f0ed39d0de2"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.832] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0199.832] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.832] CloseHandle (hObject=0x438) returned 1 [0199.833] CloseHandle (hObject=0x1a0) returned 1 [0199.838] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848408 | out: pbBuffer=0x12848408) returned 1 [0199.839] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e87ffa6-570d-4f3c-832c-0f0ed39d0de2"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[31C0330D3DD1AB17]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[31c0330d3dd1ab17]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.007] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0200.009] SetEvent (hEvent=0xfc) returned 1 [0200.009] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7600EED5-3234-4650-8D9A-67C39E956D87" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7600eed5-3234-4650-8d9a-67c39e956d87"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.010] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.010] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7600EED5-3234-4650-8D9A-67C39E956D87" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7600eed5-3234-4650-8d9a-67c39e956d87"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc882d53e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc882d53e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc882e8bd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x722)) returned 1 [0200.010] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0200.010] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0200.010] ReadFile (in: hFile=0x1a0, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12829d1c*=0x722, lpOverlapped=0x0) returned 1 [0200.015] GetFileType (hFile=0x1a0) returned 0x1 [0200.015] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.015] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a60800*, nNumberOfBytesToWrite=0x722, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a60800*, lpNumberOfBytesWritten=0x12829d00*=0x722, lpOverlapped=0x12829d0c) returned 1 [0200.015] GetFileType (hFile=0x1a0) returned 0x1 [0200.015] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x722, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0200.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0200.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0200.017] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0200.017] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7600EED5-3234-4650-8D9A-67C39E956D87" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7600eed5-3234-4650-8d9a-67c39e956d87"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.017] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.017] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a24000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a24000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.017] CloseHandle (hObject=0x3c4) returned 1 [0200.021] CloseHandle (hObject=0x1a0) returned 1 [0200.023] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0200.023] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7600EED5-3234-4650-8D9A-67C39E956D87" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7600eed5-3234-4650-8d9a-67c39e956d87"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[E33509BC558CB714]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[e33509bc558cb714]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.253] SetEvent (hEvent=0x110) returned 1 [0200.253] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0200.259] SetEvent (hEvent=0xfc) returned 1 [0200.259] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\806760D6-0D46-4F0D-9A2A-5619D868318C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\806760d6-0d46-4f0d-9a2a-5619d868318c"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.260] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0200.260] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\806760D6-0D46-4F0D-9A2A-5619D868318C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\806760d6-0d46-4f0d-9a2a-5619d868318c"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a05a2f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a05a2f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a06e54, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc11)) returned 1 [0200.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98640 | out: pbBuffer=0x12a98640) returned 1 [0200.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128113c0 | out: pbBuffer=0x128113c0) returned 1 [0200.261] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12a73d1c*=0xc11, lpOverlapped=0x0) returned 1 [0200.266] GetFileType (hFile=0x1a0) returned 0x1 [0200.266] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.266] WriteFile (in: hFile=0x1a0, lpBuffer=0x129dc000*, nNumberOfBytesToWrite=0xc11, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x129dc000*, lpNumberOfBytesWritten=0x12a73d00*=0xc11, lpOverlapped=0x12a73d0c) returned 1 [0200.266] GetFileType (hFile=0x1a0) returned 0x1 [0200.266] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xc11, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.267] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0200.267] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0200.267] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af81 | out: pbBuffer=0x1286af81) returned 1 [0200.267] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811478 | out: pbBuffer=0x12811478) returned 1 [0200.267] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\806760D6-0D46-4F0D-9A2A-5619D868318C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\806760d6-0d46-4f0d-9a2a-5619d868318c"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.268] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0200.268] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b3400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b3400*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.269] CloseHandle (hObject=0x3c4) returned 1 [0200.272] CloseHandle (hObject=0x1a0) returned 1 [0200.276] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811490 | out: pbBuffer=0x12811490) returned 1 [0200.276] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\806760D6-0D46-4F0D-9A2A-5619D868318C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\806760d6-0d46-4f0d-9a2a-5619d868318c"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[FAF68C9C49B2CEF6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[faf68c9c49b2cef6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.397] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0200.412] SetEvent (hEvent=0x19c) returned 1 [0200.412] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8618DFC3-EF76-4235-AA5D-06BEABD6E242" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8618dfc3-ef76-4235-aa5d-06beabd6e242"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.413] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.413] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8618DFC3-EF76-4235-AA5D-06BEABD6E242" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8618dfc3-ef76-4235-aa5d-06beabd6e242"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba093e4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba093e4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba093e4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x507d)) returned 1 [0200.413] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0200.413] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0200.413] ReadFile (in: hFile=0x1a0, lpBuffer=0x129f8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x129f8000*, lpNumberOfBytesRead=0x12a6dd1c*=0x507d, lpOverlapped=0x0) returned 1 [0200.644] SetEvent (hEvent=0x110) returned 1 [0200.644] GetFileType (hFile=0x1a0) returned 0x1 [0200.644] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.644] WriteFile (in: hFile=0x1a0, lpBuffer=0x1289d500*, nNumberOfBytesToWrite=0x507d, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x1289d500*, lpNumberOfBytesWritten=0x12a6dd00*=0x507d, lpOverlapped=0x12a6dd0c) returned 1 [0200.645] GetFileType (hFile=0x1a0) returned 0x1 [0200.645] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x507d, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.645] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0200.645] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0200.645] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0200.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848dd0 | out: pbBuffer=0x12848dd0) returned 1 [0200.646] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8618DFC3-EF76-4235-AA5D-06BEABD6E242" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8618dfc3-ef76-4235-aa5d-06beabd6e242"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.646] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.646] WriteFile (in: hFile=0x448, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.646] CloseHandle (hObject=0x448) returned 1 [0200.647] CloseHandle (hObject=0x1a0) returned 1 [0200.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848de8 | out: pbBuffer=0x12848de8) returned 1 [0200.647] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8618DFC3-EF76-4235-AA5D-06BEABD6E242" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\8618dfc3-ef76-4235-aa5d-06beabd6e242"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[74E397224ED14205]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[74e397224ed14205]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.648] SetEvent (hEvent=0x1d0) returned 1 [0200.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\92D09C47-EFFB-4E54-B85D-797F67B0527C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\92d09c47-effb-4e54-b85d-797f67b0527c"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.648] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\92D09C47-EFFB-4E54-B85D-797F67B0527C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\92d09c47-effb-4e54-b85d-797f67b0527c"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49b7e91, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49b7e91, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49b7e91, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12b8)) returned 1 [0200.649] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844e40 | out: pbBuffer=0x12844e40) returned 1 [0200.649] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848e80 | out: pbBuffer=0x12848e80) returned 1 [0200.649] ReadFile (in: hFile=0x1a0, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a6dd1c*=0x12b8, lpOverlapped=0x0) returned 1 [0200.706] GetFileType (hFile=0x1a0) returned 0x1 [0200.706] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.707] WriteFile (in: hFile=0x1a0, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x12b8, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12a6dd00*=0x12b8, lpOverlapped=0x12a6dd0c) returned 1 [0200.707] GetFileType (hFile=0x1a0) returned 0x1 [0200.707] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x12b8, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0200.708] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0200.708] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0200.708] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810968 | out: pbBuffer=0x12810968) returned 1 [0200.708] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\92D09C47-EFFB-4E54-B85D-797F67B0527C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\92d09c47-effb-4e54-b85d-797f67b0527c"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.708] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.708] WriteFile (in: hFile=0x448, lpBuffer=0x12851900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12851900*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.709] CloseHandle (hObject=0x448) returned 1 [0200.709] CloseHandle (hObject=0x1a0) returned 1 [0200.709] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810980 | out: pbBuffer=0x12810980) returned 1 [0200.709] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\92D09C47-EFFB-4E54-B85D-797F67B0527C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\92d09c47-effb-4e54-b85d-797f67b0527c"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[5E378E9A45FF529F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[5e378e9a45ff529f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.710] SetEvent (hEvent=0x1d0) returned 1 [0200.711] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9CFC7195-9421-404F-A40A-EEBD8F033365" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9cfc7195-9421-404f-a40a-eebd8f033365"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.711] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.711] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9CFC7195-9421-404F-A40A-EEBD8F033365" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9cfc7195-9421-404f-a40a-eebd8f033365"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a15964, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a15964, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a16c5a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x451)) returned 1 [0200.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845f20 | out: pbBuffer=0x12845f20) returned 1 [0200.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109c8 | out: pbBuffer=0x128109c8) returned 1 [0200.713] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0200.719] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0200.719] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0200.720] SetEvent (hEvent=0x110) returned 1 [0200.720] SetEvent (hEvent=0x1d0) returned 1 [0200.721] ReadFile (in: hFile=0x1a0, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x12a6dd1c*=0x451, lpOverlapped=0x0) returned 1 [0200.729] GetFileType (hFile=0x1a0) returned 0x1 [0200.729] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.729] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a4f200*, nNumberOfBytesToWrite=0x451, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12a4f200*, lpNumberOfBytesWritten=0x12a6dd00*=0x451, lpOverlapped=0x12a6dd0c) returned 1 [0200.730] GetFileType (hFile=0x1a0) returned 0x1 [0200.730] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x451, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0200.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0200.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc81 | out: pbBuffer=0x12afcc81) returned 1 [0200.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810a80 | out: pbBuffer=0x12810a80) returned 1 [0200.731] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9CFC7195-9421-404F-A40A-EEBD8F033365" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9cfc7195-9421-404f-a40a-eebd8f033365"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.731] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.731] WriteFile (in: hFile=0x448, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.731] CloseHandle (hObject=0x448) returned 1 [0200.732] CloseHandle (hObject=0x1a0) returned 1 [0200.732] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810a98 | out: pbBuffer=0x12810a98) returned 1 [0200.732] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9CFC7195-9421-404F-A40A-EEBD8F033365" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9cfc7195-9421-404f-a40a-eebd8f033365"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[AC720602DDACCCC3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[ac720602ddacccc3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.734] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0200.747] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0200.747] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x0 [0200.775] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x0 [0200.782] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0200.783] SetEvent (hEvent=0x110) returned 1 [0200.783] SetEvent (hEvent=0x3f8) returned 1 [0200.783] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0200.801] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0200.802] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A1E234BD-B121-49A0-9B4B-BBF6A832161B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a1e234bd-b121-49a0-9b4b-bbf6a832161b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.802] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.802] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A1E234BD-B121-49A0-9B4B-BBF6A832161B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a1e234bd-b121-49a0-9b4b-bbf6a832161b"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae01a6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae01a6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae01a6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x108a)) returned 1 [0200.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0200.802] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0200.803] ReadFile (in: hFile=0x3c4, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12829d1c*=0x108a, lpOverlapped=0x0) returned 1 [0200.824] GetFileType (hFile=0x3c4) returned 0x1 [0200.824] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.824] WriteFile (in: hFile=0x3c4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x108a, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12829d00*=0x108a, lpOverlapped=0x12829d0c) returned 1 [0200.824] GetFileType (hFile=0x3c4) returned 0x1 [0200.824] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x108a, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.824] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0200.825] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0200.825] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0200.825] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0200.825] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A1E234BD-B121-49A0-9B4B-BBF6A832161B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a1e234bd-b121-49a0-9b4b-bbf6a832161b"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.825] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.825] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.826] CloseHandle (hObject=0x448) returned 1 [0200.826] CloseHandle (hObject=0x3c4) returned 1 [0200.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0200.826] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A1E234BD-B121-49A0-9B4B-BBF6A832161B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a1e234bd-b121-49a0-9b4b-bbf6a832161b"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[E96C77DCD197C457]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[e96c77dcd197c457]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AA8B315F-D191-411A-80E8-BBCCCE176DA7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\aa8b315f-d191-411a-80e8-bbccce176da7"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49c69cc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49c69cc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49c69cc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x75b)) returned 1 [0200.828] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\ABF009F6-7021-47EC-8025-BE55AD5EBB57" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\abf009f6-7021-47ec-8025-be55ad5ebb57"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabac2fca, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabac2fca, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabac3f0e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14c5)) returned 1 [0200.828] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AA8B315F-D191-411A-80E8-BBCCCE176DA7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\aa8b315f-d191-411a-80e8-bbccce176da7"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.829] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AA8B315F-D191-411A-80E8-BBCCCE176DA7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\aa8b315f-d191-411a-80e8-bbccce176da7"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49c69cc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49c69cc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49c69cc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x75b)) returned 1 [0200.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0200.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b20 | out: pbBuffer=0x12848b20) returned 1 [0200.829] ReadFile (in: hFile=0x3c4, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12829d1c*=0x75b, lpOverlapped=0x0) returned 1 [0200.852] GetFileType (hFile=0x3c4) returned 0x1 [0200.852] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.852] WriteFile (in: hFile=0x3c4, lpBuffer=0x12926000*, nNumberOfBytesToWrite=0x75b, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12926000*, lpNumberOfBytesWritten=0x12829d00*=0x75b, lpOverlapped=0x12829d0c) returned 1 [0200.852] GetFileType (hFile=0x3c4) returned 0x1 [0200.853] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x75b, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.853] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0200.853] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0200.853] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0200.853] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848bd8 | out: pbBuffer=0x12848bd8) returned 1 [0200.854] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AA8B315F-D191-411A-80E8-BBCCCE176DA7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\aa8b315f-d191-411a-80e8-bbccce176da7"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.854] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0200.854] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.854] CloseHandle (hObject=0x1a0) returned 1 [0200.854] CloseHandle (hObject=0x3c4) returned 1 [0200.854] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848bf0 | out: pbBuffer=0x12848bf0) returned 1 [0200.854] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AA8B315F-D191-411A-80E8-BBCCCE176DA7" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\aa8b315f-d191-411a-80e8-bbccce176da7"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[FACCDDE23FEAE93B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[faccdde23feae93b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.869] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0200.897] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0200.911] SetEvent (hEvent=0x3f8) returned 1 [0200.911] GetFileType (hFile=0x1a0) returned 0x1 [0200.911] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.912] WriteFile (in: hFile=0x1a0, lpBuffer=0x129f8000*, nNumberOfBytesToWrite=0x367e, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x129f8000*, lpNumberOfBytesWritten=0x12a6dd00*=0x367e, lpOverlapped=0x12a6dd0c) returned 1 [0200.912] GetFileType (hFile=0x1a0) returned 0x1 [0200.912] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x367e, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0200.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0200.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0200.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0200.913] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AF769060-9C3B-4F97-8FB8-1EB72198BA39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\af769060-9c3b-4f97-8fb8-1eb72198ba39"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.913] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.913] WriteFile (in: hFile=0x3c4, lpBuffer=0x129b4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x129b4500*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.914] CloseHandle (hObject=0x3c4) returned 1 [0200.914] CloseHandle (hObject=0x1a0) returned 1 [0200.914] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0200.914] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AF769060-9C3B-4F97-8FB8-1EB72198BA39" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\af769060-9c3b-4f97-8fb8-1eb72198ba39"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[CC248DDC9CD4CA04]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[cc248ddc9cd4ca04]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.915] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BB41F806-1043-41B2-9372-8F6E7066247A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bb41f806-1043-41b2-9372-8f6e7066247a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.916] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.916] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BB41F806-1043-41B2-9372-8F6E7066247A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bb41f806-1043-41b2-9372-8f6e7066247a"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f482a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f482a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9f482a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3888)) returned 1 [0200.916] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0200.916] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848400 | out: pbBuffer=0x12848400) returned 1 [0200.916] ReadFile (in: hFile=0x1a0, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x3888, lpOverlapped=0x0) returned 1 [0200.942] GetFileType (hFile=0x1a0) returned 0x1 [0200.943] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.943] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a68000*, nNumberOfBytesToWrite=0x3888, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12a68000*, lpNumberOfBytesWritten=0x12a6dd00*=0x3888, lpOverlapped=0x12a6dd0c) returned 1 [0200.943] GetFileType (hFile=0x1a0) returned 0x1 [0200.943] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3888, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.943] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0200.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0200.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0200.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484d8 | out: pbBuffer=0x128484d8) returned 1 [0200.944] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BB41F806-1043-41B2-9372-8F6E7066247A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bb41f806-1043-41b2-9372-8f6e7066247a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.944] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.944] WriteFile (in: hFile=0x448, lpBuffer=0x129b4a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x129b4a00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.945] CloseHandle (hObject=0x448) returned 1 [0200.945] CloseHandle (hObject=0x1a0) returned 1 [0200.945] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484f0 | out: pbBuffer=0x128484f0) returned 1 [0200.945] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BB41F806-1043-41B2-9372-8F6E7066247A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\bb41f806-1043-41b2-9372-8f6e7066247a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[4116B9AAC83E4926]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[4116b9aac83e4926]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.946] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c3dc5bd1-4ab1-4bdd-acb0-fcca65ee3d2a"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb474db8b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb474db8b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb474ef1c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1ffd)) returned 1 [0200.947] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C4181E33-213A-4456-87BA-15FD83064187" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c4181e33-213a-4456-87ba-15fd83064187"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9cfd00, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9cfd00, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9d23da, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2f7e)) returned 1 [0200.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c3dc5bd1-4ab1-4bdd-acb0-fcca65ee3d2a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0200.947] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.947] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c3dc5bd1-4ab1-4bdd-acb0-fcca65ee3d2a"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb474db8b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb474db8b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb474ef1c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1ffd)) returned 1 [0200.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128448e0 | out: pbBuffer=0x128448e0) returned 1 [0200.948] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848c70 | out: pbBuffer=0x12848c70) returned 1 [0200.948] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12a6dd1c*=0x1ffd, lpOverlapped=0x0) returned 1 [0200.975] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0201.035] SetEvent (hEvent=0x420) returned 1 [0201.035] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0201.058] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0201.069] SetEvent (hEvent=0x19c) returned 1 [0201.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D1658A87-36B4-4565-B36F-CEF71FFC7033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d1658a87-36b4-4565-b36f-cef71ffc7033"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0201.070] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.070] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D1658A87-36B4-4565-B36F-CEF71FFC7033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d1658a87-36b4-4565-b36f-cef71ffc7033"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9d990d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9d990d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9ee668, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c5d)) returned 1 [0201.070] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e260 | out: pbBuffer=0x1280e260) returned 1 [0201.070] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0201.070] ReadFile (in: hFile=0x15c, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x12a73d1c*=0x4c5d, lpOverlapped=0x0) returned 1 [0201.157] GetFileType (hFile=0x15c) returned 0x1 [0201.157] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.158] WriteFile (in: hFile=0x15c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x4c5d, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12a73d00*=0x4c5d, lpOverlapped=0x12a73d0c) returned 1 [0201.158] GetFileType (hFile=0x15c) returned 0x1 [0201.158] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x4c5d, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.158] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0201.158] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0201.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0201.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128486e0 | out: pbBuffer=0x128486e0) returned 1 [0201.159] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D1658A87-36B4-4565-B36F-CEF71FFC7033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d1658a87-36b4-4565-b36f-cef71ffc7033"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.159] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.159] WriteFile (in: hFile=0x448, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.159] CloseHandle (hObject=0x448) returned 1 [0201.160] CloseHandle (hObject=0x15c) returned 1 [0201.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128486f8 | out: pbBuffer=0x128486f8) returned 1 [0201.160] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D1658A87-36B4-4565-B36F-CEF71FFC7033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d1658a87-36b4-4565-b36f-cef71ffc7033"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[87F92036022E4573]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[87f92036022e4573]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.161] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E36912C5-9C2D-452F-95F8-CFA1FC049148" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e36912c5-9c2d-452f-95f8-cfa1fc049148"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e4e325, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e4e325, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e4f6b9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xa99)) returned 1 [0201.162] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E457C019-B991-4CCC-8425-CCD48E271DFC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e457c019-b991-4ccc-8425-ccd48e271dfc"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8850b3e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8850b3e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8850b3e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x38f)) returned 1 [0201.162] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E36912C5-9C2D-452F-95F8-CFA1FC049148" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e36912c5-9c2d-452f-95f8-cfa1fc049148"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0201.163] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.163] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E36912C5-9C2D-452F-95F8-CFA1FC049148" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e36912c5-9c2d-452f-95f8-cfa1fc049148"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e4e325, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e4e325, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e4f6b9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xa99)) returned 1 [0201.163] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0201.163] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848f00 | out: pbBuffer=0x12848f00) returned 1 [0201.163] ReadFile (in: hFile=0x15c, lpBuffer=0x129b4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b4000*, lpNumberOfBytesRead=0x12a73d1c*=0xa99, lpOverlapped=0x0) returned 1 [0201.245] SwitchToThread () returned 1 [0201.250] SetEvent (hEvent=0x420) returned 1 [0201.250] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0201.253] SetEvent (hEvent=0x420) returned 1 [0201.253] SetEvent (hEvent=0x3f4) returned 1 [0201.253] GetFileType (hFile=0x15c) returned 0x1 [0201.253] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.254] WriteFile (in: hFile=0x15c, lpBuffer=0x129d4000*, nNumberOfBytesToWrite=0xa99, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x129d4000*, lpNumberOfBytesWritten=0x12a73d00*=0xa99, lpOverlapped=0x12a73d0c) returned 1 [0201.254] GetFileType (hFile=0x15c) returned 0x1 [0201.254] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xa99, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.254] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0201.254] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0201.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0201.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0201.255] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E36912C5-9C2D-452F-95F8-CFA1FC049148" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e36912c5-9c2d-452f-95f8-cfa1fc049148"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0201.255] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.255] WriteFile (in: hFile=0x3c4, lpBuffer=0x12924000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12924000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.256] CloseHandle (hObject=0x3c4) returned 1 [0201.256] CloseHandle (hObject=0x15c) returned 1 [0201.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0201.256] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E36912C5-9C2D-452F-95F8-CFA1FC049148" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e36912c5-9c2d-452f-95f8-cfa1fc049148"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[F6BE32E26BC76288]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[f6be32e26bc76288]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.257] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F0A28B79-40AC-459C-968D-4F68E9798715" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f0a28b79-40ac-459c-968d-4f68e9798715"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8424f42, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8424f42, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8427531, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x153e)) returned 1 [0201.258] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F192A1E6-5284-47FF-83DA-D65DCB35FC9F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f192a1e6-5284-47ff-83da-d65dcb35fc9f"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829bd95b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829bd95b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829bef86, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7629)) returned 1 [0201.258] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F31F431A-DF78-48BC-9A30-E15E83A7DF3B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f31f431a-df78-48bc-9a30-e15e83a7df3b"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba00b7d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba00b7d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba00b7d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x18bd)) returned 1 [0201.259] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F192A1E6-5284-47FF-83DA-D65DCB35FC9F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f192a1e6-5284-47ff-83da-d65dcb35fc9f"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0201.259] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.259] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F192A1E6-5284-47FF-83DA-D65DCB35FC9F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f192a1e6-5284-47ff-83da-d65dcb35fc9f"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829bd95b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829bd95b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829bef86, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7629)) returned 1 [0201.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0201.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848f20 | out: pbBuffer=0x12848f20) returned 1 [0201.259] ReadFile (in: hFile=0x15c, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x12a73d1c*=0x7629, lpOverlapped=0x0) returned 1 [0201.405] GetFileType (hFile=0x15c) returned 0x1 [0201.405] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.405] WriteFile (in: hFile=0x15c, lpBuffer=0x12afe000*, nNumberOfBytesToWrite=0x7629, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12afe000*, lpNumberOfBytesWritten=0x12a73d00*=0x7629, lpOverlapped=0x12a73d0c) returned 1 [0201.405] GetFileType (hFile=0x15c) returned 0x1 [0201.405] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x7629, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.405] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0201.405] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0201.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0201.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0b0 | out: pbBuffer=0x12a9a0b0) returned 1 [0201.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F192A1E6-5284-47FF-83DA-D65DCB35FC9F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f192a1e6-5284-47ff-83da-d65dcb35fc9f"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.406] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.406] WriteFile (in: hFile=0x448, lpBuffer=0x12958000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12958000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.406] CloseHandle (hObject=0x448) returned 1 [0201.406] CloseHandle (hObject=0x15c) returned 1 [0201.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0d8 | out: pbBuffer=0x12a9a0d8) returned 1 [0201.407] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F192A1E6-5284-47FF-83DA-D65DCB35FC9F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f192a1e6-5284-47ff-83da-d65dcb35fc9f"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[3BB4FC1FE11C52C2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[3bb4fc1fe11c52c2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.408] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0201.430] SetEvent (hEvent=0x3f4) returned 1 [0201.430] SetEvent (hEvent=0xfc) returned 1 [0201.430] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0201.442] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0201.586] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0201.629] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0201.640] SetEvent (hEvent=0x420) returned 1 [0201.640] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officeclicktorun.exe_rules.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0201.641] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.641] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officeclicktorun.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfcf021, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1cfcf021, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1cfcf021, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050)) returned 1 [0201.641] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a993c0 | out: pbBuffer=0x12a993c0) returned 1 [0201.641] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109f0 | out: pbBuffer=0x128109f0) returned 1 [0201.641] ReadFile (in: hFile=0x15c, lpBuffer=0x129a6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a6000*, lpNumberOfBytesRead=0x12a73d1c*=0x4050, lpOverlapped=0x0) returned 1 [0201.718] SetEvent (hEvent=0x110) returned 1 [0201.718] GetFileType (hFile=0x15c) returned 0x1 [0201.718] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.718] WriteFile (in: hFile=0x15c, lpBuffer=0x12a5e800*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12a5e800*, lpNumberOfBytesWritten=0x12a73d00*=0x4050, lpOverlapped=0x12a73d0c) returned 1 [0201.719] GetFileType (hFile=0x15c) returned 0x1 [0201.719] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x4050, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0201.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0201.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801601 | out: pbBuffer=0x12801601) returned 1 [0201.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810d70 | out: pbBuffer=0x12810d70) returned 1 [0201.720] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officeclicktorun.exe_rules.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.720] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.720] WriteFile (in: hFile=0x448, lpBuffer=0x12b00000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b00000*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.720] CloseHandle (hObject=0x448) returned 1 [0201.724] CloseHandle (hObject=0x15c) returned 1 [0201.729] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810d88 | out: pbBuffer=0x12810d88) returned 1 [0201.729] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officeclicktorun.exe_rules.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\#_THIS_FILE_IS_ENCRYPTED_[525DDBCBE88C8037]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\#_this_file_is_encrypted_[525ddbcbe88c8037]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0202.438] SwitchToThread () returned 1 [0202.594] SwitchToThread () returned 1 [0202.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x5781bc17, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x9d540b29, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x4d2aa)) returned 1 [0203.011] SetEvent (hEvent=0x1d0) returned 1 [0203.011] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup32.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18417d03, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x18417d03, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1841a3b9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050)) returned 1 [0203.012] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\winword.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fa7c66, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82fa7c66, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82fa7c66, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x197d6)) returned 1 [0203.022] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup32.exe_rules.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0203.022] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0203.022] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup32.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18417d03, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x18417d03, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1841a3b9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050)) returned 1 [0203.023] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12981140 | out: pbBuffer=0x12981140) returned 1 [0203.023] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d40 | out: pbBuffer=0x12848d40) returned 1 [0203.089] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0203.090] SetEvent (hEvent=0x1d0) returned 1 [0203.090] ReadFile (in: hFile=0x3c4, lpBuffer=0x12cb2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cb2000*, lpNumberOfBytesRead=0x12a73d1c*=0x4050, lpOverlapped=0x0) returned 1 [0203.149] GetFileType (hFile=0x3c4) returned 0x1 [0203.149] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0203.149] WriteFile (in: hFile=0x3c4, lpBuffer=0x129e6000*, nNumberOfBytesToWrite=0x4050, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x129e6000*, lpNumberOfBytesWritten=0x12a73d00*=0x4050, lpOverlapped=0x12a73d0c) returned 1 [0203.149] GetFileType (hFile=0x3c4) returned 0x1 [0203.150] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x4050, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0203.453] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0203.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0203.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0203.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0203.876] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34030 | out: pbBuffer=0x12c34030) returned 1 [0203.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup.exe_rules.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0203.876] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0203.877] WriteFile (in: hFile=0x15c, lpBuffer=0x12b44000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44000*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0203.878] CloseHandle (hObject=0x15c) returned 1 [0203.878] CloseHandle (hObject=0x1a0) returned 1 [0203.879] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34048 | out: pbBuffer=0x12c34048) returned 1 [0203.879] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup.exe_rules.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\#_THIS_FILE_IS_ENCRYPTED_[C14A3250018214A0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\#_this_file_is_encrypted_[c14a3250018214a0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0203.880] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x696efe32, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0xa3052704, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3052704, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0203.880] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0203.880] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x696efe32, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0xa304b1cc, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3052704, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0203.908] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x696efe32, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0xa304b1cc, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3052704, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0203.908] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec7c65b, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec7c65b, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec7c65b, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x117, dwReserved0=0x0, dwReserved1=0x0, cFileName="{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTele.dat", cAlternateFileName="{38EA3~2.DAT")) returned 1 [0203.908] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec716b8, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec716b8, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec7b2ff, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x345, dwReserved0=0x0, dwReserved1=0x0, cFileName="{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTeleMediumCost.dat", cAlternateFileName="{38EA3~1.DAT")) returned 1 [0203.908] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec815d6, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec815d6, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec82851, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x0, dwReserved1=0x0, cFileName="{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTele.dat", cAlternateFileName="{38EA3~4.DAT")) returned 1 [0203.908] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec7ed61, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec7ed61, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec80102, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x1e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTeleMediumCost.dat", cAlternateFileName="{38EA3~3.DAT")) returned 1 [0203.908] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3048af2, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa3048af2, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3049e34, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x117, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTele.dat", cAlternateFileName="{8C5C4~2.DAT")) returned 1 [0203.908] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3041919, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa3041919, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3041919, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x345, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTeleMediumCost.dat", cAlternateFileName="{8C5C4~1.DAT")) returned 1 [0203.908] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3052704, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa3052704, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3052704, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTele.dat", cAlternateFileName="{8C5C4~4.DAT")) returned 1 [0203.908] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa304b1cc, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa304b1cc, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa304c575, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x20b, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTeleMediumCost.dat", cAlternateFileName="{8C5C4~3.DAT")) returned 1 [0203.909] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x366f796f, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x366f796f, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x366f8d2c, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0xb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="{A031426B-8B99-4A54-857D-B4412BDF67CD} (0) - 3412 - excel.exe - OTele.dat", cAlternateFileName="{A0314~1.DAT")) returned 1 [0203.909] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0203.909] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0203.910] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0203.911] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0203.911] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0203.912] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0203.912] WriteFile (in: hFile=0x1a0, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0203.914] CloseHandle (hObject=0x1a0) returned 1 [0203.914] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec7c65b, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec7c65b, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec7c65b, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x117)) returned 1 [0203.915] SetEvent (hEvent=0x3f8) returned 1 [0203.915] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otelemediumcost.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec716b8, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec716b8, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec7b2ff, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x345)) returned 1 [0204.112] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec815d6, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec815d6, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec82851, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x12c)) returned 1 [0204.113] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0204.113] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0204.113] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otelemediumcost.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec716b8, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec716b8, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec7b2ff, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x345)) returned 1 [0204.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928200 | out: pbBuffer=0x12928200) returned 1 [0204.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34940 | out: pbBuffer=0x12c34940) returned 1 [0204.126] ReadFile (in: hFile=0x1a0, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a73d1c*=0x345, lpOverlapped=0x0) returned 1 [0204.137] GetFileType (hFile=0x1a0) returned 0x1 [0204.137] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.137] WriteFile (in: hFile=0x1a0, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x345, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x12a73d00*=0x345, lpOverlapped=0x12a73d0c) returned 1 [0204.137] GetFileType (hFile=0x1a0) returned 0x1 [0204.137] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x345, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0204.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0204.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0204.138] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c349f8 | out: pbBuffer=0x12c349f8) returned 1 [0204.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0204.139] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0204.139] WriteFile (in: hFile=0x448, lpBuffer=0x12b44500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.139] CloseHandle (hObject=0x448) returned 1 [0204.139] CloseHandle (hObject=0x1a0) returned 1 [0204.139] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34a10 | out: pbBuffer=0x12c34a10) returned 1 [0204.165] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (0) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (0) - 896 - excel.exe - otelemediumcost.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\#_THIS_FILE_IS_ENCRYPTED_[D29FEE535957BBAB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\#_this_file_is_encrypted_[d29fee535957bbab]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.167] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{38EA38E1-6380-4563-8569-FC2DFF19B999} (1) - 896 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{38ea38e1-6380-4563-8569-fc2dff19b999} (1) - 896 - excel.exe - otelemediumcost.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec7ed61, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x9ec7ed61, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x9ec80102, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x1e3)) returned 1 [0204.168] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3048af2, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa3048af2, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3049e34, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x117)) returned 1 [0204.332] SetEvent (hEvent=0x110) returned 1 [0204.332] SetEvent (hEvent=0x19c) returned 1 [0204.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otelemediumcost.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3041919, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa3041919, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3041919, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x345)) returned 1 [0204.367] SetEvent (hEvent=0x19c) returned 1 [0204.368] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3052704, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa3052704, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3052704, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x12c)) returned 1 [0204.410] SetEvent (hEvent=0x110) returned 1 [0204.410] SetEvent (hEvent=0x3f8) returned 1 [0204.410] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (1) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (1) - 2988 - excel.exe - otelemediumcost.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa304b1cc, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa304b1cc, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa304c575, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x20b)) returned 1 [0204.492] SetEvent (hEvent=0xfc) returned 1 [0204.493] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{A031426B-8B99-4A54-857D-B4412BDF67CD} (0) - 3412 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{a031426b-8b99-4a54-857d-b4412bdf67cd} (0) - 3412 - excel.exe - otele.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x366f796f, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0x366f796f, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x366f8d2c, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0xb8)) returned 1 [0204.638] SetEvent (hEvent=0x1d0) returned 1 [0204.639] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0204.639] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0204.639] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x883c79d5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="17.3.5892.0626", cAlternateFileName="173589~1.062")) returned 1 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13a98591, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27e196bc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="17.3.5892.0626_1", cAlternateFileName="173589~2.062")) returned 1 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf111177, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x19a81fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="17.3.5892.0626_2", cAlternateFileName="173589~3.062")) returned 1 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4be92b64, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6aeebefe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="17.3.5892.0626_3", cAlternateFileName="173589~4.062")) returned 1 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2a1d565, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x849e2ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="17.3.5892.0626_4", cAlternateFileName="177A54~1.062")) returned 1 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e2ad9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x12862516, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive.exe", cAlternateFileName="")) returned 1 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b49234, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 1 [0204.640] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0204.640] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0204.641] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.641] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.641] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.642] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0204.642] WriteFile (in: hFile=0x438, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0204.644] CloseHandle (hObject=0x438) returned 1 [0204.644] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x883c79d5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0204.644] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0204.645] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x883c79d5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0204.657] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x883c79d5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0204.657] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cd17d55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8cd17d55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8dfb8492, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0204.657] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f743688, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8f743688, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91beba26, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0204.657] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x922c670c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x922c670c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92849c84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92ed8427, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92ed8427, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93350a85, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x0, dwReserved1=0x0, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93ea3eb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93ea3eb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9404784f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94689b47, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94689b47, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9489fc30, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94bc0dc5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94bc0dc5, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94ebbc59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x959c295b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x959c295b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98355904, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bbcedb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8bbcedb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8bbcedb7, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="is", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8fca0d59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8fca0d59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8fca0d59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x90f6733c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90f6733c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90f6733c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92954bae, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92954bae, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92954bae, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ka", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x944bfdaf, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x944bfdaf, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95c97643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x95c97643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x95c97643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="km-kh", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x967520dd, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x967520dd, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x967520dd, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kn", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x973d65a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x973d65a1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x980cd2db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kok", cAlternateFileName="")) returned 1 [0204.658] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0204.659] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0204.660] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0204.661] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0204.662] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.663] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0204.663] WriteFile (in: hFile=0x438, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0204.664] CloseHandle (hObject=0x438) returned 1 [0204.664] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cd17d55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8cd17d55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8dfb8492, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0204.665] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0204.688] SetEvent (hEvent=0x3f8) returned 1 [0204.689] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x922c670c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x922c670c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92849c84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0204.689] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0204.722] SetEvent (hEvent=0x3f8) returned 1 [0204.722] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93ea3eb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93ea3eb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9404784f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0204.738] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0204.745] SetEvent (hEvent=0x3f8) returned 1 [0204.745] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94689b47, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94689b47, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9489fc30, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0204.745] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0204.767] SetEvent (hEvent=0x19c) returned 1 [0204.767] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0204.773] SetEvent (hEvent=0x3f8) returned 1 [0204.773] SetEvent (hEvent=0x3f4) returned 1 [0204.773] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0204.790] SetEvent (hEvent=0xfc) returned 1 [0204.790] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0206.358] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0206.403] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0206.615] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0206.633] SetEvent (hEvent=0x19c) returned 1 [0206.633] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0206.633] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0206.634] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b91b09f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b91b09f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1bf10fb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0206.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0206.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101b8 | out: pbBuffer=0x128101b8) returned 1 [0206.634] ReadFile (in: hFile=0x15c, lpBuffer=0x12a0e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a0e000*, lpNumberOfBytesRead=0x129a9d1c*=0x174c0, lpOverlapped=0x0) returned 1 [0206.645] GetFileType (hFile=0x15c) returned 0x1 [0206.645] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.646] WriteFile (in: hFile=0x15c, lpBuffer=0x12b80000*, nNumberOfBytesToWrite=0x174c0, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12b80000*, lpNumberOfBytesWritten=0x129a9d00*=0x174c0, lpOverlapped=0x129a9d0c) returned 1 [0206.646] GetFileType (hFile=0x15c) returned 0x1 [0206.646] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x174c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0206.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0206.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0206.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0206.647] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.648] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0206.648] WriteFile (in: hFile=0x3c4, lpBuffer=0x12918000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12918000*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.648] CloseHandle (hObject=0x3c4) returned 1 [0206.648] CloseHandle (hObject=0x15c) returned 1 [0206.649] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810118 | out: pbBuffer=0x12810118) returned 1 [0206.649] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\#_THIS_FILE_IS_ENCRYPTED_[EF191BEFDA63D4AF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\#_this_file_is_encrypted_[ef191befda63d4af]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.652] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0206.652] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0206.652] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c5eb9fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c5eb9fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1df1a8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0206.652] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0206.652] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0206.653] ReadFile (in: hFile=0x15c, lpBuffer=0x129ae000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x129ae000*, lpNumberOfBytesRead=0x129a9d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0206.698] GetFileType (hFile=0x15c) returned 0x1 [0206.699] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.699] WriteFile (in: hFile=0x15c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x129a9d00*=0x160c0, lpOverlapped=0x129a9d0c) returned 1 [0206.699] GetFileType (hFile=0x15c) returned 0x1 [0206.699] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0206.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0206.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0206.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128104f8 | out: pbBuffer=0x128104f8) returned 1 [0206.700] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0206.701] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0206.701] WriteFile (in: hFile=0x1a0, lpBuffer=0x12918500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12918500*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.701] CloseHandle (hObject=0x1a0) returned 1 [0206.701] CloseHandle (hObject=0x15c) returned 1 [0206.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810510 | out: pbBuffer=0x12810510) returned 1 [0206.702] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\#_THIS_FILE_IS_ENCRYPTED_[439805F064DDC5C9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\#_this_file_is_encrypted_[439805f064ddc5c9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.703] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0206.866] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0207.033] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0207.033] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0207.033] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5dd86f0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd5dd86f0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd5e70f71, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0207.033] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98460 | out: pbBuffer=0x12a98460) returned 1 [0207.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810558 | out: pbBuffer=0x12810558) returned 1 [0207.034] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0207.052] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0207.052] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0207.053] SetEvent (hEvent=0x110) returned 1 [0207.053] SetEvent (hEvent=0x10c) returned 1 [0207.053] SetEvent (hEvent=0x1d0) returned 1 [0207.053] ReadFile (in: hFile=0x1a0, lpBuffer=0x12cf4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf4000*, lpNumberOfBytesRead=0x129a9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0207.061] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0207.140] SetEvent (hEvent=0x10c) returned 1 [0207.140] GetFileType (hFile=0x1a0) returned 0x1 [0207.140] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0207.140] WriteFile (in: hFile=0x1a0, lpBuffer=0x12bb8000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12bb8000*, lpNumberOfBytesWritten=0x129a9d00*=0x20000, lpOverlapped=0x129a9d0c) returned 1 [0207.141] GetFileType (hFile=0x1a0) returned 0x1 [0207.141] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0207.141] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0207.141] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0207.141] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0207.142] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34690 | out: pbBuffer=0x12c34690) returned 1 [0207.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0207.142] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0207.142] WriteFile (in: hFile=0x448, lpBuffer=0x128aea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x128aea00*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0207.186] CloseHandle (hObject=0x448) returned 1 [0207.186] CloseHandle (hObject=0x1a0) returned 1 [0207.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c346a8 | out: pbBuffer=0x12c346a8) returned 1 [0207.187] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[1E1698839937ADD8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[1e1698839937add8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0207.188] SetEvent (hEvent=0x19c) returned 1 [0207.188] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\etwlog.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0207.188] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0207.188] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcd4e444, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcd4e444, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdd66554a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0207.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928820 | out: pbBuffer=0x12928820) returned 1 [0207.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c347d0 | out: pbBuffer=0x12c347d0) returned 1 [0207.189] ReadFile (in: hFile=0x1a0, lpBuffer=0x12d34000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d34000*, lpNumberOfBytesRead=0x129a9d1c*=0x72c0, lpOverlapped=0x0) returned 1 [0207.261] GetFileType (hFile=0x1a0) returned 0x1 [0207.261] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0207.261] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d74000*, nNumberOfBytesToWrite=0x72c0, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12d74000*, lpNumberOfBytesWritten=0x129a9d00*=0x72c0, lpOverlapped=0x129a9d0c) returned 1 [0207.261] GetFileType (hFile=0x1a0) returned 0x1 [0207.262] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x72c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0207.262] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0207.262] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0207.262] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0207.262] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0207.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\etwlog.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0207.263] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0207.263] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0207.263] CloseHandle (hObject=0x448) returned 1 [0207.263] CloseHandle (hObject=0x1a0) returned 1 [0207.263] SwitchToThread () returned 1 [0207.397] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0207.397] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\etwlog.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[B5E6346A02860B95]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[b5e6346a02860b95]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0208.711] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0208.744] SetEvent (hEvent=0x3f8) returned 1 [0208.744] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0208.744] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0208.744] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb1bd98b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeb1bd98b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeb3ad73a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0208.745] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928900 | out: pbBuffer=0x12928900) returned 1 [0208.745] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342c0 | out: pbBuffer=0x12c342c0) returned 1 [0208.745] ReadFile (in: hFile=0x1a0, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x129a9d1c*=0x140c0, lpOverlapped=0x0) returned 1 [0208.753] GetFileType (hFile=0x1a0) returned 0x1 [0208.753] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0208.753] WriteFile (in: hFile=0x1a0, lpBuffer=0x12974000*, nNumberOfBytesToWrite=0x140c0, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12974000*, lpNumberOfBytesWritten=0x129a9d00*=0x140c0, lpOverlapped=0x129a9d0c) returned 1 [0208.754] GetFileType (hFile=0x1a0) returned 0x1 [0208.754] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x140c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0208.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0208.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0208.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0208.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34378 | out: pbBuffer=0x12c34378) returned 1 [0208.754] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.localizedresources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0208.755] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0208.755] WriteFile (in: hFile=0x438, lpBuffer=0x12b40000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b40000*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0208.755] CloseHandle (hObject=0x438) returned 1 [0208.769] CloseHandle (hObject=0x1a0) returned 1 [0208.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34390 | out: pbBuffer=0x12c34390) returned 1 [0208.773] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.localizedresources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[D51BF2FD016292C0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[d51bf2fd016292c0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0209.102] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0209.726] SetEvent (hEvent=0x1d0) returned 1 [0209.726] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncconfig.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0209.727] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0209.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncconfig.exe"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcbbde9d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcbbde9d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd2fec9b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x238c0)) returned 1 [0209.740] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0209.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0209.741] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x129a9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0209.818] GetFileType (hFile=0x1a0) returned 0x1 [0209.821] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0209.821] WriteFile (in: hFile=0x1a0, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x129a9d00*=0x20000, lpOverlapped=0x129a9d0c) returned 1 [0209.823] GetFileType (hFile=0x1a0) returned 0x1 [0209.823] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0209.823] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0209.823] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0209.824] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0209.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0209.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncconfig.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0209.838] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0209.838] WriteFile (in: hFile=0x15c, lpBuffer=0x12850000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12850000*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0209.838] CloseHandle (hObject=0x15c) returned 1 [0209.856] CloseHandle (hObject=0x1a0) returned 1 [0209.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0209.932] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncconfig.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[D0AE68FDF4DAE39C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[d0ae68fdf4dae39c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0210.233] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0210.242] SetEvent (hEvent=0x1d0) returned 1 [0210.242] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\onedrive.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0210.243] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0210.243] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\onedrive.exe"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f40d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe50f40d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xefa8864, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0)) returned 1 [0210.243] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929060 | out: pbBuffer=0x12929060) returned 1 [0210.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c347c8 | out: pbBuffer=0x12c347c8) returned 1 [0210.244] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x129a9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0210.257] GetFileType (hFile=0x3c4) returned 0x1 [0210.258] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0210.258] WriteFile (in: hFile=0x3c4, lpBuffer=0x12bc8000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12bc8000*, lpNumberOfBytesWritten=0x129a9d00*=0x20000, lpOverlapped=0x129a9d0c) returned 1 [0210.259] GetFileType (hFile=0x3c4) returned 0x1 [0210.259] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0210.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0210.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0210.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0210.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34880 | out: pbBuffer=0x12c34880) returned 1 [0210.260] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\onedrive.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0210.260] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0210.260] WriteFile (in: hFile=0x1a0, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0210.275] CloseHandle (hObject=0x1a0) returned 1 [0210.287] CloseHandle (hObject=0x3c4) returned 1 [0210.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ef8 | out: pbBuffer=0x12c34ef8) returned 1 [0210.304] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\onedrive.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[48BDEA0EF35E1D40]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[48bdea0ef35e1d40]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0210.888] SetEvent (hEvent=0xf4) returned 1 [0211.466] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\syncengine.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17410332, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17410332, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1c297983, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x130000)) returned 1 [0211.818] SetEvent (hEvent=0x10c) returned 1 [0211.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2538864, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd779fe38, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd779fe38, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0211.882] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0211.882] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2538864, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd2538864, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd779fe38, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0211.894] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2538864, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd2538864, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd779fe38, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0211.894] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd779fe38, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd779fe38, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xda79b1fb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0211.894] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0211.895] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0212.114] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0212.115] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0212.115] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0212.117] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0212.117] WriteFile (in: hFile=0x448, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0212.119] CloseHandle (hObject=0x448) returned 1 [0212.119] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd779fe38, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd779fe38, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xda79b1fb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0212.200] SetEvent (hEvent=0x420) returned 1 [0212.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdab2e911, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbda8c94, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbda8c94, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0212.201] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0212.201] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdab2e911, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdab2e911, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbda8c94, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0212.201] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdab2e911, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdab2e911, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbda8c94, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0212.201] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbda8c94, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbda8c94, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdce33339, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0212.201] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0212.201] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0212.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0212.202] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0212.202] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0212.202] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0212.203] WriteFile (in: hFile=0x448, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0212.204] CloseHandle (hObject=0x448) returned 1 [0212.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbda8c94, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbda8c94, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdce33339, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0212.491] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0212.492] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0212.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbda8c94, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbda8c94, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdce33339, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0212.492] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0212.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35260 | out: pbBuffer=0x12c35260) returned 1 [0212.494] ReadFile (in: hFile=0x15c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x129a7d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0212.713] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0212.870] GetFileType (hFile=0x15c) returned 0x1 [0212.870] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0212.870] WriteFile (in: hFile=0x15c, lpBuffer=0x12bbe000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12bbe000*, lpNumberOfBytesWritten=0x129a7d00*=0x160c0, lpOverlapped=0x129a7d0c) returned 1 [0212.871] GetFileType (hFile=0x15c) returned 0x1 [0212.871] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0212.871] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834181 | out: pbBuffer=0x12834181) returned 1 [0212.871] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0212.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0212.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128487e0 | out: pbBuffer=0x128487e0) returned 1 [0212.946] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0212.946] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0212.946] WriteFile (in: hFile=0x1a0, lpBuffer=0x12be6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12be6000*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0212.946] CloseHandle (hObject=0x1a0) returned 1 [0212.947] CloseHandle (hObject=0x15c) returned 1 [0212.947] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128487f8 | out: pbBuffer=0x128487f8) returned 1 [0212.947] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\#_THIS_FILE_IS_ENCRYPTED_[B70A7B5DBAD0E1B8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\#_this_file_is_encrypted_[b70a7b5dbad0e1b8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0212.988] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0213.010] SetEvent (hEvent=0xf4) returned 1 [0213.010] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.010] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0213.011] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede4b9d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xede4b9d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xee29dc95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0213.011] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844780 | out: pbBuffer=0x12844780) returned 1 [0213.011] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848850 | out: pbBuffer=0x12848850) returned 1 [0213.025] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0213.042] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0213.116] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0213.117] SetEvent (hEvent=0x110) returned 1 [0213.118] SetEvent (hEvent=0xf4) returned 1 [0213.118] ReadFile (in: hFile=0x15c, lpBuffer=0x129ee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x129ee000*, lpNumberOfBytesRead=0x129abd1c*=0x160c0, lpOverlapped=0x0) returned 1 [0213.158] GetFileType (hFile=0x15c) returned 0x1 [0213.158] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0213.158] WriteFile (in: hFile=0x15c, lpBuffer=0x12a36000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12a36000*, lpNumberOfBytesWritten=0x129abd00*=0x160c0, lpOverlapped=0x129abd0c) returned 1 [0213.159] GetFileType (hFile=0x15c) returned 0x1 [0213.159] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0213.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0213.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0213.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0213.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128489a8 | out: pbBuffer=0x128489a8) returned 1 [0213.160] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0213.160] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0213.160] WriteFile (in: hFile=0x448, lpBuffer=0x12be6500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12be6500*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0213.161] CloseHandle (hObject=0x448) returned 1 [0213.161] CloseHandle (hObject=0x15c) returned 1 [0213.161] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128489d0 | out: pbBuffer=0x128489d0) returned 1 [0213.161] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\#_THIS_FILE_IS_ENCRYPTED_[2E2F7CCCAF64B54E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\#_this_file_is_encrypted_[2e2f7cccaf64b54e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.162] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0213.477] SetEvent (hEvent=0x3f8) returned 1 [0213.477] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0213.478] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0213.478] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5b19f9c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5b19f9c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5d3009a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0213.478] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844280 | out: pbBuffer=0x12844280) returned 1 [0213.478] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a028 | out: pbBuffer=0x12a9a028) returned 1 [0213.478] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x129a7d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0213.595] GetFileType (hFile=0x1a0) returned 0x1 [0213.595] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.595] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c70000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12c70000*, lpNumberOfBytesWritten=0x129a7d00*=0x15cc0, lpOverlapped=0x129a7d0c) returned 1 [0213.595] GetFileType (hFile=0x1a0) returned 0x1 [0213.596] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0213.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0213.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0213.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a5d0 | out: pbBuffer=0x12a9a5d0) returned 1 [0213.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.597] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0213.597] WriteFile (in: hFile=0x15c, lpBuffer=0x12a2ea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a2ea00*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0213.597] CloseHandle (hObject=0x15c) returned 1 [0213.597] CloseHandle (hObject=0x1a0) returned 1 [0213.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a5e8 | out: pbBuffer=0x12a9a5e8) returned 1 [0213.598] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\#_THIS_FILE_IS_ENCRYPTED_[D2EBAFF03FA74EAE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\#_this_file_is_encrypted_[d2ebaff03fa74eae]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.623] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0213.631] SetEvent (hEvent=0xf4) returned 1 [0213.631] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0213.631] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0213.631] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf90f72a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf90f72a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf9608373, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0213.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e700 | out: pbBuffer=0x1280e700) returned 1 [0213.632] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810428 | out: pbBuffer=0x12810428) returned 1 [0213.632] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0213.693] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0213.693] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0213.693] SetEvent (hEvent=0x110) returned 1 [0213.693] SetEvent (hEvent=0xf4) returned 1 [0213.694] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c9a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12c9a000*, lpNumberOfBytesRead=0x129add1c*=0x174c0, lpOverlapped=0x0) returned 1 [0213.702] GetFileType (hFile=0x1a0) returned 0x1 [0213.702] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0213.702] WriteFile (in: hFile=0x1a0, lpBuffer=0x12ce2000*, nNumberOfBytesToWrite=0x174c0, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12ce2000*, lpNumberOfBytesWritten=0x129add00*=0x174c0, lpOverlapped=0x129add0c) returned 1 [0213.703] GetFileType (hFile=0x1a0) returned 0x1 [0213.703] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x174c0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0213.703] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0213.704] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0213.704] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0213.704] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128104e0 | out: pbBuffer=0x128104e0) returned 1 [0213.704] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0213.705] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0213.705] WriteFile (in: hFile=0x448, lpBuffer=0x1297a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x1297a500*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0213.705] CloseHandle (hObject=0x448) returned 1 [0213.705] CloseHandle (hObject=0x1a0) returned 1 [0213.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104f8 | out: pbBuffer=0x128104f8) returned 1 [0213.705] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\#_THIS_FILE_IS_ENCRYPTED_[52498BF0B5DE955C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\#_this_file_is_encrypted_[52498bf0b5de955c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.708] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x0 [0213.724] SetEvent (hEvent=0xf4) returned 1 [0213.724] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0213.731] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0213.731] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0213.731] SetEvent (hEvent=0xfc) returned 1 [0213.731] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0213.740] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0213.741] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0213.741] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0213.741] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe2e789, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbe2e789, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbfd20c1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0213.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0213.742] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0213.742] ReadFile (in: hFile=0x448, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12be7d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0213.854] SetEvent (hEvent=0x110) returned 1 [0213.854] GetFileType (hFile=0x448) returned 0x1 [0213.854] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.855] WriteFile (in: hFile=0x448, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x12be7d00*=0x156c0, lpOverlapped=0x12be7d0c) returned 1 [0213.855] GetFileType (hFile=0x448) returned 0x1 [0213.855] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.855] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0213.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0213.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0213.856] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810120 | out: pbBuffer=0x12810120) returned 1 [0213.856] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.857] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0213.857] WriteFile (in: hFile=0x3c4, lpBuffer=0x1297a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x1297a000*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0213.857] CloseHandle (hObject=0x3c4) returned 1 [0213.857] CloseHandle (hObject=0x448) returned 1 [0213.857] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810138 | out: pbBuffer=0x12810138) returned 1 [0213.857] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\#_THIS_FILE_IS_ENCRYPTED_[9A420033929E1630]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\#_this_file_is_encrypted_[9a420033929e1630]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.859] SetEvent (hEvent=0x420) returned 1 [0213.859] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0213.859] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0213.859] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe14cdcb, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe14cdcb, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe388ff2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0213.859] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98260 | out: pbBuffer=0x12a98260) returned 1 [0213.859] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810180 | out: pbBuffer=0x12810180) returned 1 [0213.859] ReadFile (in: hFile=0x448, lpBuffer=0x12c5a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c5a000*, lpNumberOfBytesRead=0x12be7d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0213.890] GetFileType (hFile=0x448) returned 0x1 [0213.890] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.890] WriteFile (in: hFile=0x448, lpBuffer=0x12c7a000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12c7a000*, lpNumberOfBytesWritten=0x12be7d00*=0x15ac0, lpOverlapped=0x12be7d0c) returned 1 [0213.891] GetFileType (hFile=0x448) returned 0x1 [0213.891] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0213.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0213.892] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0213.893] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810750 | out: pbBuffer=0x12810750) returned 1 [0213.893] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.893] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0213.893] WriteFile (in: hFile=0x3c4, lpBuffer=0x1297af00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x1297af00*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0213.893] CloseHandle (hObject=0x3c4) returned 1 [0213.894] CloseHandle (hObject=0x448) returned 1 [0213.894] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810768 | out: pbBuffer=0x12810768) returned 1 [0213.894] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\#_THIS_FILE_IS_ENCRYPTED_[3504E854B0ED3E95]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\#_this_file_is_encrypted_[3504e854b0ed3e95]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.945] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0214.025] SetEvent (hEvent=0xfc) returned 1 [0214.025] SetEvent (hEvent=0x10c) returned 1 [0214.025] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0214.102] SetEvent (hEvent=0xfc) returned 1 [0214.102] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0214.121] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0214.132] SetEvent (hEvent=0xfc) returned 1 [0214.132] SetEvent (hEvent=0x3f8) returned 1 [0214.132] SetEvent (hEvent=0xf4) returned 1 [0214.132] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0214.148] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0214.148] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12cbbd0c | out: lpMode=0x12cbbd0c) returned 0 [0214.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12cbbad0 | out: lpFileInformation=0x12cbbad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d4510a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d4510a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x3bb95f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0214.148] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e3e0 | out: pbBuffer=0x1280e3e0) returned 1 [0214.149] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848038 | out: pbBuffer=0x12848038) returned 1 [0214.149] ReadFile (in: hFile=0x448, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12cbbd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12cbbd1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0214.164] GetFileType (hFile=0x448) returned 0x1 [0214.164] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12cbbce4 | out: lpNewFilePointer=0x0) returned 1 [0214.164] WriteFile (in: hFile=0x448, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12cbbd00, lpOverlapped=0x12cbbd0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12cbbd00*=0x15ec0, lpOverlapped=0x12cbbd0c) returned 1 [0214.165] GetFileType (hFile=0x448) returned 0x1 [0214.165] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12cbbce4 | out: lpNewFilePointer=0x0) returned 1 [0214.165] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0214.165] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0214.165] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0214.166] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484f8 | out: pbBuffer=0x128484f8) returned 1 [0214.166] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0214.166] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12cbbd0c | out: lpMode=0x12cbbd0c) returned 0 [0214.166] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12cbbd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12cbbd0c*=0x276, lpOverlapped=0x0) returned 1 [0214.167] CloseHandle (hObject=0x3c4) returned 1 [0214.167] CloseHandle (hObject=0x448) returned 1 [0214.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848510 | out: pbBuffer=0x12848510) returned 1 [0214.167] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\#_THIS_FILE_IS_ENCRYPTED_[3C97EDE02CFD0D1D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\#_this_file_is_encrypted_[3c97ede02cfd0d1d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.168] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0c0f2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xacd2f90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xacd2f90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.171] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.171] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0c0f2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xa0c0f2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xacd2f90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0214.171] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0c0f2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xa0c0f2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xacd2f90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.171] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacd2f90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xacd2f90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb5515c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.171] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.171] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0214.172] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.172] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.172] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0214.173] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.173] WriteFile (in: hFile=0x448, lpBuffer=0x12d12000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d12000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.174] CloseHandle (hObject=0x448) returned 1 [0214.175] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacd2f90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xacd2f90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb5515c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0214.178] SetEvent (hEvent=0xf4) returned 1 [0214.178] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5515c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbd5d4c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbd5d4c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.179] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.179] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5515c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb5515c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbd5d4c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0214.179] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5515c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb5515c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbd5d4c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.179] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd5d4c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbd5d4c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc2484cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.179] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.179] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0214.179] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.179] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.181] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0214.182] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.182] WriteFile (in: hFile=0x448, lpBuffer=0x12d14600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d14600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.184] CloseHandle (hObject=0x448) returned 1 [0214.184] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd5d4c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbd5d4c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc2484cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0214.184] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0214.185] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12cbbd0c | out: lpMode=0x12cbbd0c) returned 0 [0214.185] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12cbbad0 | out: lpFileInformation=0x12cbbad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacd2f90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xacd2f90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb5515c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0214.185] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e960 | out: pbBuffer=0x1280e960) returned 1 [0214.185] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d60 | out: pbBuffer=0x12848d60) returned 1 [0214.185] ReadFile (in: hFile=0x448, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12cbbd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12cbbd1c*=0x164c0, lpOverlapped=0x0) returned 1 [0214.392] GetFileType (hFile=0x448) returned 0x1 [0214.392] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12cbbce4 | out: lpNewFilePointer=0x0) returned 1 [0214.392] WriteFile (in: hFile=0x448, lpBuffer=0x129c4000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x12cbbd00, lpOverlapped=0x12cbbd0c | out: lpBuffer=0x129c4000*, lpNumberOfBytesWritten=0x12cbbd00*=0x164c0, lpOverlapped=0x12cbbd0c) returned 1 [0214.393] GetFileType (hFile=0x448) returned 0x1 [0214.393] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x12cbbce4 | out: lpNewFilePointer=0x0) returned 1 [0214.393] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801e81 | out: pbBuffer=0x12801e81) returned 1 [0214.393] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801f81 | out: pbBuffer=0x12801f81) returned 1 [0214.393] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a101 | out: pbBuffer=0x1286a101) returned 1 [0214.394] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849158 | out: pbBuffer=0x12849158) returned 1 [0214.394] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0214.394] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12cbbd0c | out: lpMode=0x12cbbd0c) returned 0 [0214.394] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d0e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12cbbd0c, lpOverlapped=0x0 | out: lpBuffer=0x12d0e000*, lpNumberOfBytesWritten=0x12cbbd0c*=0x276, lpOverlapped=0x0) returned 1 [0214.395] CloseHandle (hObject=0x3c4) returned 1 [0214.395] CloseHandle (hObject=0x448) returned 1 [0214.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849170 | out: pbBuffer=0x12849170) returned 1 [0214.395] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\#_THIS_FILE_IS_ENCRYPTED_[059AB71D110AAC26]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\#_this_file_is_encrypted_[059ab71d110aac26]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.397] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc593d87, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc88a52c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc88a52c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.420] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.420] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc593d87, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc593d87, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc88a52c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0214.421] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc593d87, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc593d87, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc88a52c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.421] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc88a52c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc88a52c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd4e8897, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.508] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.508] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0214.508] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.509] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.509] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0214.538] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.538] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d15900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d15900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.540] CloseHandle (hObject=0x1a0) returned 1 [0214.541] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0214.541] SetEvent (hEvent=0x3f8) returned 1 [0214.542] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc88a52c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc88a52c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd4e8897, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0)) returned 1 [0214.603] SetEvent (hEvent=0x3f8) returned 1 [0214.604] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd63fe7d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdb049b8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdb049b8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.619] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.619] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd63fe7d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xd63fe7d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdb049b8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0214.620] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd63fe7d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xd63fe7d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdb049b8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.620] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb049b8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdb049b8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdee5c50, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.621] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.621] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0214.621] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.622] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.622] WriteFile (in: hFile=0x438, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.624] CloseHandle (hObject=0x438) returned 1 [0214.624] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb049b8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdb049b8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdee5c50, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0214.624] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee5c50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe640666, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.634] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.634] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee5c50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdee5c50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0214.635] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee5c50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdee5c50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.635] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe640666, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe640666, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe6d91fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.635] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.635] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0214.635] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.635] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.635] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0214.637] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.637] WriteFile (in: hFile=0x1a0, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.653] CloseHandle (hObject=0x1a0) returned 1 [0214.653] SwitchToThread () returned 1 [0214.656] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe640666, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe640666, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe6d91fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0214.656] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d91fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xedb3e67, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xedb3e67, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.657] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.657] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d91fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe6d91fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xedb3e67, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0214.657] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d91fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe6d91fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xedb3e67, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.657] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedb3e67, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xedb3e67, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xfb947ac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.658] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.658] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0214.658] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.658] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.658] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0214.659] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.660] WriteFile (in: hFile=0x1a0, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.662] CloseHandle (hObject=0x1a0) returned 1 [0214.662] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedb3e67, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xedb3e67, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xfb947ac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0214.679] SetEvent (hEvent=0x420) returned 1 [0214.679] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc5962, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x103c6b62, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x103c6b62, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.700] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.700] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc5962, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xfcc5962, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x103c6b62, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0214.700] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc5962, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xfcc5962, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x103c6b62, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.701] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103c6b62, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x103c6b62, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1083ed90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.701] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.701] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0214.701] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.701] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.701] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0214.702] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.702] WriteFile (in: hFile=0x15c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.704] CloseHandle (hObject=0x15c) returned 1 [0214.705] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103c6b62, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x103c6b62, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1083ed90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0214.705] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10bd26fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1102b950, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1102b950, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.719] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.719] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10bd26fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10bd26fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1102b950, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0214.719] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10bd26fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10bd26fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1102b950, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.719] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1102b950, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1102b950, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1149d5d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.719] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.720] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0214.720] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.720] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.720] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0214.721] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.721] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.723] CloseHandle (hObject=0x42c) returned 1 [0214.723] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1102b950, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1102b950, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1149d5d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0)) returned 1 [0214.773] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x116ff8a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x11e72c7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11e72c7e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.774] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.774] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x116ff8a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x116ff8a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11e72c7e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0214.775] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x116ff8a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x116ff8a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11e72c7e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.775] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11e72c7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x11e72c7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x12ba82ea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.775] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.775] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0214.775] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.776] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.776] WriteFile (in: hFile=0x438, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.778] CloseHandle (hObject=0x438) returned 1 [0214.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11e72c7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x11e72c7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x12ba82ea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0214.799] SetEvent (hEvent=0xf4) returned 1 [0214.799] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x130c8fc0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x133517d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x133517d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.805] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.805] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x130c8fc0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x130c8fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x133517d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0214.805] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x130c8fc0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x130c8fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x133517d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.805] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x133517d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x133517d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x135ad91f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.805] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.806] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0214.806] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0214.807] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.807] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.808] CloseHandle (hObject=0x42c) returned 1 [0214.808] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x133517d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x133517d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x135ad91f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0214.811] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13646246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13967473, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13967473, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.821] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.821] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13646246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13646246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13967473, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0214.821] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13646246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13646246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13967473, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.821] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13967473, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13967473, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13e071a6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.821] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.822] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0214.822] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.822] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.822] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0214.823] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.823] WriteFile (in: hFile=0x448, lpBuffer=0x12d02000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d02000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.824] CloseHandle (hObject=0x448) returned 1 [0214.825] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13967473, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13967473, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13e071a6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0214.829] SetEvent (hEvent=0x3f8) returned 1 [0214.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e9e78d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x141bf6d6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x141bf6d6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0214.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0214.837] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e9e78d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13e9e78d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x141bf6d6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0214.837] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e9e78d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13e9e78d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x141bf6d6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0214.837] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x141bf6d6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x141bf6d6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1489a4b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0214.837] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0214.838] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0214.838] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0214.838] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0214.838] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0214.841] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0214.841] WriteFile (in: hFile=0x448, lpBuffer=0x12d03300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12d03300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0214.843] CloseHandle (hObject=0x448) returned 1 [0214.843] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x141bf6d6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x141bf6d6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1489a4b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0)) returned 1 [0214.843] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0214.852] SetEvent (hEvent=0x10c) returned 1 [0214.853] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14933008, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14b24ea6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x14b24ea6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0215.178] SetEvent (hEvent=0x110) returned 1 [0215.192] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0215.192] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14933008, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14933008, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x14b24ea6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0215.192] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14933008, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14933008, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x14b24ea6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0215.192] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14b24ea6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14b24ea6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0215.192] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0215.193] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0215.193] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0215.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0215.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0215.441] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0215.441] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0215.495] CloseHandle (hObject=0x44c) returned 1 [0215.505] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14b24ea6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14b24ea6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0215.506] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0215.550] SetEvent (hEvent=0x10c) returned 1 [0215.550] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b45b0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x170a2d96, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x170a2d96, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0215.555] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0215.555] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b45b0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16b45b0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x170a2d96, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0215.555] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b45b0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16b45b0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x170a2d96, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0215.556] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x170a2d96, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x170a2d96, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17292a39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0215.556] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0215.556] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0215.556] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0215.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0215.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0215.576] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0215.576] WriteFile (in: hFile=0x15c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0215.906] CloseHandle (hObject=0x15c) returned 1 [0216.651] GetFileType (hFile=0x42c) returned 0x1 [0216.729] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0216.729] WriteFile (in: hFile=0x42c, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0x168c0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x12be5d00*=0x168c0, lpOverlapped=0x12be5d0c) returned 1 [0216.731] GetFileType (hFile=0x42c) returned 0x1 [0216.731] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x168c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0217.370] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x172deef5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x174cef11, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x174cef11, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0217.371] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0217.371] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x172deef5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x172deef5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x174cef11, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0217.399] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x172deef5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x172deef5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x174cef11, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0217.399] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x174cef11, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x174cef11, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17ac4b94, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0217.399] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0217.399] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0217.939] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0217.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0217.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0217.946] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0217.946] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0217.949] CloseHandle (hObject=0x3c4) returned 1 [0217.950] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x174cef11, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x174cef11, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17ac4b94, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0218.042] SetEvent (hEvent=0x420) returned 1 [0218.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bf5de5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1954aec9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1954aec9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0218.042] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bf5de5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17bf5de5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1954aec9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0218.043] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bf5de5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17bf5de5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1954aec9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.043] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1954aec9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1954aec9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1986bebc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0218.043] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.043] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0218.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0218.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0218.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0218.045] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0218.045] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0218.047] CloseHandle (hObject=0x3c4) returned 1 [0218.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1954aec9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1954aec9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1986bebc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0218.278] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1986bebc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aec60c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aec60c3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.278] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0218.278] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1986bebc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1986bebc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aec60c3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0218.279] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1986bebc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1986bebc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aec60c3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.279] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aec60c3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aec60c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bb96a1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0218.279] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.279] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0218.279] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0218.279] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0218.279] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0218.280] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0218.280] WriteFile (in: hFile=0x438, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0218.283] CloseHandle (hObject=0x438) returned 1 [0218.283] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aec60c3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aec60c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bb96a1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0218.405] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0218.504] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0218.504] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1954aec9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1954aec9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1986bebc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0218.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928740 | out: pbBuffer=0x12928740) returned 1 [0218.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b0d0 | out: pbBuffer=0x12a9b0d0) returned 1 [0218.506] ReadFile (in: hFile=0x438, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12be3d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0218.757] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0218.981] SetEvent (hEvent=0x3f8) returned 1 [0218.981] GetFileType (hFile=0x438) returned 0x1 [0218.981] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0218.982] WriteFile (in: hFile=0x438, lpBuffer=0x1296c000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x1296c000*, lpNumberOfBytesWritten=0x12be3d00*=0x156c0, lpOverlapped=0x12be3d0c) returned 1 [0218.982] GetFileType (hFile=0x438) returned 0x1 [0218.983] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0218.983] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0218.994] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0218.994] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0218.994] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34250 | out: pbBuffer=0x12c34250) returned 1 [0218.994] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0218.995] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0218.995] WriteFile (in: hFile=0x42c, lpBuffer=0x1285aa00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285aa00*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0218.995] CloseHandle (hObject=0x42c) returned 1 [0218.995] CloseHandle (hObject=0x438) returned 1 [0218.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34268 | out: pbBuffer=0x12c34268) returned 1 [0218.996] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\#_THIS_FILE_IS_ENCRYPTED_[E29D3F742E29219F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\#_this_file_is_encrypted_[e29d3f742e29219f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0219.159] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0223.791] SetEvent (hEvent=0x1b8) returned 1 [0223.791] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0224.107] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0224.618] SetEvent (hEvent=0x3f8) returned 1 [0224.618] SetEvent (hEvent=0x1b8) returned 1 [0224.618] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0224.637] SetEvent (hEvent=0x3f8) returned 1 [0224.637] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0224.656] SetEvent (hEvent=0x3f8) returned 1 [0224.656] SetEvent (hEvent=0x19c) returned 1 [0224.656] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505f317e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x505f317e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5082f572, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x362c0)) returned 1 [0224.685] SetEvent (hEvent=0x19c) returned 1 [0224.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncclient.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50855780, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50855780, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50914269, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0)) returned 1 [0224.723] SetEvent (hEvent=0x3cc) returned 1 [0224.723] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncconfig.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5096097b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5096097b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50a920f2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x238c0)) returned 1 [0224.759] SetEvent (hEvent=0x1b8) returned 1 [0224.759] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncsessions.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ade11a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50ade11a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50fc8d11, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0)) returned 1 [0224.896] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0224.946] SetEvent (hEvent=0x420) returned 1 [0224.946] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncshell.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5103b5e0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5103b5e0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x511def4c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0)) returned 1 [0224.981] SetEvent (hEvent=0x19c) returned 1 [0224.981] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\loggingplatform.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5125164f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5125164f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x512e9fc5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0)) returned 1 [0225.084] SetEvent (hEvent=0x3f4) returned 1 [0225.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\OneDrive.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\onedrive.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518475c3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518475c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519eadfe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0)) returned 1 [0225.165] SetEvent (hEvent=0x1b8) returned 1 [0225.165] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\remoteaccess.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51aa9ab3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51aa9ab3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5456dd0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0)) returned 1 [0225.181] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0225.514] SetEvent (hEvent=0x3cc) returned 1 [0225.523] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotlogo.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55880b0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55880b0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55b558b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x124b)) returned 1 [0225.533] SetEvent (hEvent=0x19c) returned 1 [0225.533] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ee912c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55ee912c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56931178, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a)) returned 1 [0225.549] SetEvent (hEvent=0x19c) returned 1 [0225.549] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmwrapper.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57ef2857, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0)) returned 1 [0225.561] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0225.566] SetEvent (hEvent=0x3cc) returned 1 [0225.566] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\syncengine.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a649506, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a649506, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x624f252c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x3018c0)) returned 1 [0225.568] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0225.745] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0225.759] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\telemetry.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0225.760] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0225.760] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\telemetry.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x641685fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x641685fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x494c0)) returned 1 [0225.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928660 | out: pbBuffer=0x12928660) returned 1 [0225.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aa80 | out: pbBuffer=0x12a9aa80) returned 1 [0225.760] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0225.761] SetEvent (hEvent=0x3cc) returned 1 [0225.761] ReadFile (in: hFile=0x44c, lpBuffer=0x1295a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x1295a000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0225.771] GetFileType (hFile=0x44c) returned 0x1 [0225.771] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.772] WriteFile (in: hFile=0x44c, lpBuffer=0x1299a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x1299a000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0225.772] GetFileType (hFile=0x44c) returned 0x1 [0225.772] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0225.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0225.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0225.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ab38 | out: pbBuffer=0x12a9ab38) returned 1 [0225.773] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\telemetry.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x454 [0225.773] GetConsoleMode (in: hConsoleHandle=0x454, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0225.773] WriteFile (in: hFile=0x454, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0225.780] CloseHandle (hObject=0x454) returned 1 [0225.828] CloseHandle (hObject=0x44c) returned 1 [0225.835] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848060 | out: pbBuffer=0x12848060) returned 1 [0225.835] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\telemetry.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[ABE44097EC4CF883]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[abe44097ec4cf883]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0226.754] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0227.078] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0228.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0228.170] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0228.170] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x693e3c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x693e3c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6969295c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0228.170] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0228.170] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0228.171] ReadFile (in: hFile=0x44c, lpBuffer=0x129ba000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x129ba000*, lpNumberOfBytesRead=0x12be9d1c*=0x158c0, lpOverlapped=0x0) returned 1 [0228.587] GetFileType (hFile=0x44c) returned 0x1 [0228.587] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0228.587] WriteFile (in: hFile=0x44c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x158c0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be9d00*=0x158c0, lpOverlapped=0x12be9d0c) returned 1 [0228.588] GetFileType (hFile=0x44c) returned 0x1 [0228.588] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x158c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0228.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0228.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0228.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0228.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0228.851] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0228.851] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0228.851] WriteFile (in: hFile=0x460, lpBuffer=0x12aee000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0228.851] CloseHandle (hObject=0x460) returned 1 [0228.851] CloseHandle (hObject=0x44c) returned 1 [0228.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0228.861] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\#_THIS_FILE_IS_ENCRYPTED_[E7743083AB2D8007]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\#_this_file_is_encrypted_[e7743083ab2d8007]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0228.862] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\filesyncapi64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0228.863] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0228.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\filesyncapi64.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ae5336a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6ae5336a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000)) returned 1 [0228.863] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0228.863] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0228.864] ReadFile (in: hFile=0x44c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0229.001] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0229.127] SwitchToThread () returned 1 [0229.174] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0229.437] SetEvent (hEvent=0x3f4) returned 1 [0229.437] SetEvent (hEvent=0x3cc) returned 1 [0229.437] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0229.589] SetEvent (hEvent=0x3f4) returned 1 [0229.590] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0229.594] SetEvent (hEvent=0x3f4) returned 1 [0229.594] SetEvent (hEvent=0x1d0) returned 1 [0229.594] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51467b17, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51631498, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51631498, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.595] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.595] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51467b17, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51467b17, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51631498, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0229.595] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51467b17, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51467b17, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51631498, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.595] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51631498, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51631498, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x516f0240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.595] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.595] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0229.596] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.597] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.597] WriteFile (in: hFile=0x438, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.599] CloseHandle (hObject=0x438) returned 1 [0229.599] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51631498, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51631498, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x516f0240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0229.600] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517161bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518dffc5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x518dffc5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.600] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.600] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517161bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x517161bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x518dffc5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0229.601] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517161bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x517161bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x518dffc5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.601] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518dffc5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518dffc5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519787fb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.601] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.601] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0229.601] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.601] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.601] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.612] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.612] WriteFile (in: hFile=0x438, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.617] CloseHandle (hObject=0x438) returned 1 [0229.617] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518dffc5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518dffc5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519787fb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0229.618] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x519787fb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52079625, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52079625, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.618] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.618] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x519787fb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x519787fb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52079625, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0229.618] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x519787fb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x519787fb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52079625, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.618] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52079625, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52079625, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x526e1a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.619] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.619] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0229.619] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.619] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.619] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.620] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.620] WriteFile (in: hFile=0x438, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.621] CloseHandle (hObject=0x438) returned 1 [0229.622] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52079625, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52079625, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x526e1a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0229.659] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.659] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0229.659] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518dffc5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518dffc5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519787fb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0229.659] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0229.659] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9abc0 | out: pbBuffer=0x12a9abc0) returned 1 [0229.659] ReadFile (in: hFile=0x438, lpBuffer=0x1295a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x1295a000*, lpNumberOfBytesRead=0x12be5d1c*=0x174c0, lpOverlapped=0x0) returned 1 [0229.705] GetFileType (hFile=0x438) returned 0x1 [0229.705] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.705] WriteFile (in: hFile=0x438, lpBuffer=0x12cac000*, nNumberOfBytesToWrite=0x174c0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12cac000*, lpNumberOfBytesWritten=0x12be5d00*=0x174c0, lpOverlapped=0x12be5d0c) returned 1 [0229.705] GetFileType (hFile=0x438) returned 0x1 [0229.705] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x174c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0229.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0229.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0229.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ac78 | out: pbBuffer=0x12a9ac78) returned 1 [0229.706] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0229.706] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0229.706] WriteFile (in: hFile=0x44c, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.706] CloseHandle (hObject=0x44c) returned 1 [0229.706] CloseHandle (hObject=0x438) returned 1 [0229.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ac90 | out: pbBuffer=0x12a9ac90) returned 1 [0229.706] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\#_THIS_FILE_IS_ENCRYPTED_[1CA9F66086D7CFF3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\#_this_file_is_encrypted_[1ca9f66086d7cff3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.808] SetEvent (hEvent=0x110) returned 1 [0229.808] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0229.831] SetEvent (hEvent=0x1d0) returned 1 [0229.831] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0229.832] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0229.832] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55a96ece, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55a96ece, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55d1f366, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0229.832] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282a0 | out: pbBuffer=0x129282a0) returned 1 [0229.832] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9acd8 | out: pbBuffer=0x12a9acd8) returned 1 [0229.832] ReadFile (in: hFile=0x438, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12be3d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0229.899] GetFileType (hFile=0x438) returned 0x1 [0229.900] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.900] WriteFile (in: hFile=0x438, lpBuffer=0x12cfc000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12cfc000*, lpNumberOfBytesWritten=0x12be3d00*=0x156c0, lpOverlapped=0x12be3d0c) returned 1 [0229.900] GetFileType (hFile=0x438) returned 0x1 [0229.900] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0229.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0229.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0229.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8658 | out: pbBuffer=0x128e8658) returned 1 [0229.901] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0229.902] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0229.902] WriteFile (in: hFile=0x44c, lpBuffer=0x129fcf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fcf00*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.902] CloseHandle (hObject=0x44c) returned 1 [0229.902] CloseHandle (hObject=0x438) returned 1 [0229.902] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8670 | out: pbBuffer=0x128e8670) returned 1 [0229.903] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\#_THIS_FILE_IS_ENCRYPTED_[116E748BBE9D7940]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\#_this_file_is_encrypted_[116e748bbe9d7940]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.025] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0230.045] SetEvent (hEvent=0x3f4) returned 1 [0230.045] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.045] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0230.046] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57438001, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57438001, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5783de52, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0230.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0230.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0230.046] ReadFile (in: hFile=0x438, lpBuffer=0x129fe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x129fe000*, lpNumberOfBytesRead=0x12be9d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0230.059] GetFileType (hFile=0x438) returned 0x1 [0230.059] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.059] WriteFile (in: hFile=0x438, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12be9d00*=0x15ac0, lpOverlapped=0x12be9d0c) returned 1 [0230.060] GetFileType (hFile=0x438) returned 0x1 [0230.060] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0230.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0230.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0230.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0230.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.062] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0230.062] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.062] CloseHandle (hObject=0x42c) returned 1 [0230.062] CloseHandle (hObject=0x438) returned 1 [0230.062] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0230.062] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\#_THIS_FILE_IS_ENCRYPTED_[FE4FA637E2A1833D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\#_this_file_is_encrypted_[fe4fa637e2a1833d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.082] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0230.089] SetEvent (hEvent=0x1d0) returned 1 [0230.090] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.090] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0230.090] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58a9209a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x58a9209a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5acd7b5a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0230.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844540 | out: pbBuffer=0x12844540) returned 1 [0230.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101a8 | out: pbBuffer=0x128101a8) returned 1 [0230.091] ReadFile (in: hFile=0x438, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12be3d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0230.112] GetFileType (hFile=0x438) returned 0x1 [0230.112] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.112] WriteFile (in: hFile=0x438, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12be3d00*=0x15cc0, lpOverlapped=0x12be3d0c) returned 1 [0230.113] GetFileType (hFile=0x438) returned 0x1 [0230.113] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.113] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab01 | out: pbBuffer=0x1286ab01) returned 1 [0230.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0230.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0230.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810270 | out: pbBuffer=0x12810270) returned 1 [0230.114] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0230.114] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0230.114] WriteFile (in: hFile=0x458, lpBuffer=0x129fc500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fc500*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.115] CloseHandle (hObject=0x458) returned 1 [0230.115] CloseHandle (hObject=0x438) returned 1 [0230.115] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810288 | out: pbBuffer=0x12810288) returned 1 [0230.115] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\#_THIS_FILE_IS_ENCRYPTED_[C65211C8AE4B622A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\#_this_file_is_encrypted_[c65211c8ae4b622a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.116] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.117] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0230.117] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d349bc1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d349bc1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d51389a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0230.117] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844ac0 | out: pbBuffer=0x12844ac0) returned 1 [0230.117] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103e0 | out: pbBuffer=0x128103e0) returned 1 [0230.117] ReadFile (in: hFile=0x438, lpBuffer=0x12d2a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d2a000*, lpNumberOfBytesRead=0x12be3d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0230.200] GetFileType (hFile=0x438) returned 0x1 [0230.200] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.200] WriteFile (in: hFile=0x438, lpBuffer=0x1299a000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x1299a000*, lpNumberOfBytesWritten=0x12be3d00*=0x15ec0, lpOverlapped=0x12be3d0c) returned 1 [0230.201] GetFileType (hFile=0x438) returned 0x1 [0230.201] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0230.202] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0230.202] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0230.202] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8dc0 | out: pbBuffer=0x128e8dc0) returned 1 [0230.202] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0230.202] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0230.202] WriteFile (in: hFile=0x45c, lpBuffer=0x12c30500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c30500*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.203] CloseHandle (hObject=0x45c) returned 1 [0230.203] CloseHandle (hObject=0x438) returned 1 [0230.203] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8dd8 | out: pbBuffer=0x128e8dd8) returned 1 [0230.203] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\#_THIS_FILE_IS_ENCRYPTED_[B8AB3B1B6A702B79]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\#_this_file_is_encrypted_[b8ab3b1b6a702b79]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.317] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0230.339] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0230.344] SetEvent (hEvent=0x1b8) returned 1 [0230.345] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0230.345] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0230.345] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d80e6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d80e6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0230.345] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0230.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0230.358] ReadFile (in: hFile=0x44c, lpBuffer=0x1295a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x1295a000*, lpNumberOfBytesRead=0x12be5d1c*=0x14cc0, lpOverlapped=0x0) returned 1 [0230.481] SetEvent (hEvent=0x110) returned 1 [0230.482] GetFileType (hFile=0x44c) returned 0x1 [0230.482] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.482] WriteFile (in: hFile=0x44c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x14cc0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be5d00*=0x14cc0, lpOverlapped=0x12be5d0c) returned 1 [0230.530] SetEvent (hEvent=0x110) returned 1 [0230.530] GetFileType (hFile=0x44c) returned 0x1 [0230.530] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x14cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0230.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0230.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0230.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0230.530] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0230.531] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0230.531] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c30000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c30000*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.539] CloseHandle (hObject=0x3e4) returned 1 [0230.623] CloseHandle (hObject=0x44c) returned 1 [0230.624] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0230.624] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\#_THIS_FILE_IS_ENCRYPTED_[5BD3F0CED5EA4142]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\#_this_file_is_encrypted_[5bd3f0ced5ea4142]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.660] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0230.671] SetEvent (hEvent=0x1b8) returned 1 [0230.671] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0230.672] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0230.672] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dfa7ed7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dfa7ed7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e197eee, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0230.672] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0230.673] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8048 | out: pbBuffer=0x128e8048) returned 1 [0230.673] ReadFile (in: hFile=0x44c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12be3d1c*=0x164c0, lpOverlapped=0x0) returned 1 [0230.732] GetFileType (hFile=0x44c) returned 0x1 [0230.732] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.732] WriteFile (in: hFile=0x44c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12be3d00*=0x164c0, lpOverlapped=0x12be3d0c) returned 1 [0230.733] GetFileType (hFile=0x44c) returned 0x1 [0230.733] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0230.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0230.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0230.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8100 | out: pbBuffer=0x128e8100) returned 1 [0230.733] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0230.734] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0230.734] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b3a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b3a500*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.734] CloseHandle (hObject=0x3e4) returned 1 [0230.734] CloseHandle (hObject=0x44c) returned 1 [0230.734] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8118 | out: pbBuffer=0x128e8118) returned 1 [0230.734] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\#_THIS_FILE_IS_ENCRYPTED_[478CCD2CC765097E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\#_this_file_is_encrypted_[478ccd2cc765097e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.760] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0230.762] SetEvent (hEvent=0x3f4) returned 1 [0230.762] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0230.763] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0230.763] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e492cdf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e492cdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e7da121, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0230.763] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928620 | out: pbBuffer=0x12928620) returned 1 [0230.763] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810480 | out: pbBuffer=0x12810480) returned 1 [0230.763] ReadFile (in: hFile=0x44c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12be5d1c*=0x164c0, lpOverlapped=0x0) returned 1 [0230.782] GetFileType (hFile=0x44c) returned 0x1 [0230.783] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.783] WriteFile (in: hFile=0x44c, lpBuffer=0x12bc6000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12bc6000*, lpNumberOfBytesWritten=0x12be5d00*=0x164c0, lpOverlapped=0x12be5d0c) returned 1 [0230.783] GetFileType (hFile=0x44c) returned 0x1 [0230.783] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0230.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0230.784] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0230.784] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0230.784] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810538 | out: pbBuffer=0x12810538) returned 1 [0230.784] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0230.784] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0230.785] WriteFile (in: hFile=0x438, lpBuffer=0x12c30a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c30a00*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0230.785] CloseHandle (hObject=0x438) returned 1 [0230.785] CloseHandle (hObject=0x44c) returned 1 [0230.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810550 | out: pbBuffer=0x12810550) returned 1 [0230.785] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\#_THIS_FILE_IS_ENCRYPTED_[B820B38997F4CF27]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\#_this_file_is_encrypted_[b820b38997f4cf27]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0230.787] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0230.855] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0230.966] SetEvent (hEvent=0x1b8) returned 1 [0230.966] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0230.967] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0230.967] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637def0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x637def0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6435835e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0230.967] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844500 | out: pbBuffer=0x12844500) returned 1 [0230.967] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a818 | out: pbBuffer=0x12a9a818) returned 1 [0230.968] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0230.972] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0230.972] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0230.972] SetEvent (hEvent=0x110) returned 1 [0230.972] SetEvent (hEvent=0x1b8) returned 1 [0230.972] ReadFile (in: hFile=0x42c, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12be9d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0231.032] GetFileType (hFile=0x42c) returned 0x1 [0231.032] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.032] WriteFile (in: hFile=0x42c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12be9d00*=0x15ec0, lpOverlapped=0x12be9d0c) returned 1 [0231.033] GetFileType (hFile=0x42c) returned 0x1 [0231.033] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.033] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0231.033] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0231.033] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0231.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80b0 | out: pbBuffer=0x128e80b0) returned 1 [0231.034] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.034] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0231.034] WriteFile (in: hFile=0x458, lpBuffer=0x12af8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af8000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.035] CloseHandle (hObject=0x458) returned 1 [0231.035] CloseHandle (hObject=0x42c) returned 1 [0231.035] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80c8 | out: pbBuffer=0x128e80c8) returned 1 [0231.035] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\#_THIS_FILE_IS_ENCRYPTED_[0FDE2A84AD259E15]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\#_this_file_is_encrypted_[0fde2a84ad259e15]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.036] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65560215, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65834c57, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65834c57, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0231.083] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.083] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65560215, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65560215, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65834c57, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0231.084] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65560215, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65560215, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65834c57, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.084] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65834c57, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65834c57, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65b2fd08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0231.084] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0231.084] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0231.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.084] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.084] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0231.085] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0231.085] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0231.086] CloseHandle (hObject=0x42c) returned 1 [0231.086] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65834c57, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65834c57, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65b2fd08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0231.086] SetEvent (hEvent=0x1b8) returned 1 [0231.087] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661645b7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66f401b4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66f401b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0231.093] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.093] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661645b7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x661645b7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66f401b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0231.093] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661645b7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x661645b7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66f401b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.093] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f401b4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66f401b4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6758246d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0231.093] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0231.093] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0231.094] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.094] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.094] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.094] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0231.094] WriteFile (in: hFile=0x458, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0231.096] CloseHandle (hObject=0x458) returned 1 [0231.096] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f401b4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66f401b4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6758246d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0231.096] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0231.270] SetEvent (hEvent=0x454) returned 1 [0231.270] SetEvent (hEvent=0xfc) returned 1 [0231.270] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0231.312] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69b573d0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a811240, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a811240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0231.313] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0231.313] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69b573d0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69b573d0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a811240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0231.313] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69b573d0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69b573d0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a811240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0231.313] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a811240, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a811240, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6acfbf1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0231.313] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0231.313] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0231.314] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0231.314] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0231.314] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0231.315] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0231.316] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0231.318] CloseHandle (hObject=0x458) returned 1 [0231.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a811240, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a811240, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6acfbf1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0231.319] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0231.521] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0231.676] SetEvent (hEvent=0x3cc) returned 1 [0231.676] SetEvent (hEvent=0x1b8) returned 1 [0231.676] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0231.685] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0231.748] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0231.762] SetEvent (hEvent=0x3cc) returned 1 [0231.762] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0231.762] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0231.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3f6c523, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3f6c523, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd40775fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0231.763] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6c0 | out: pbBuffer=0x1280e6c0) returned 1 [0231.763] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848898 | out: pbBuffer=0x12848898) returned 1 [0231.763] ReadFile (in: hFile=0x44c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12be7d1c*=0x27f2, lpOverlapped=0x0) returned 1 [0231.768] GetFileType (hFile=0x44c) returned 0x1 [0231.768] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.768] WriteFile (in: hFile=0x44c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x27f2, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be7d00*=0x27f2, lpOverlapped=0x12be7d0c) returned 1 [0231.768] GetFileType (hFile=0x44c) returned 0x1 [0231.768] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x27f2, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0231.768] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0231.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0231.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0231.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128489d0 | out: pbBuffer=0x128489d0) returned 1 [0231.769] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0231.770] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0231.770] WriteFile (in: hFile=0x438, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0231.770] CloseHandle (hObject=0x438) returned 1 [0231.773] CloseHandle (hObject=0x44c) returned 1 [0231.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128489e8 | out: pbBuffer=0x128489e8) returned 1 [0231.777] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[376E66F94C22C3D2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[376e66f94c22c3d2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0231.978] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0231.999] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0232.083] SetEvent (hEvent=0x3f4) returned 1 [0232.083] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0232.084] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0232.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdde1efd1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdde1efd1, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2f9dc06, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0)) returned 1 [0232.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98380 | out: pbBuffer=0x12a98380) returned 1 [0232.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128112c0 | out: pbBuffer=0x128112c0) returned 1 [0232.086] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12be5d1c*=0x20000, lpOverlapped=0x0) returned 1 [0232.108] GetFileType (hFile=0x3e4) returned 0x1 [0232.108] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0232.108] WriteFile (in: hFile=0x3e4, lpBuffer=0x129e8000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x129e8000*, lpNumberOfBytesWritten=0x12be5d00*=0x20000, lpOverlapped=0x12be5d0c) returned 1 [0232.483] GetFileType (hFile=0x3e4) returned 0x1 [0232.483] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0233.473] SetEvent (hEvent=0x1b8) returned 1 [0233.473] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0233.638] SetEvent (hEvent=0x3f4) returned 1 [0233.843] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0233.920] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0233.920] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0234.007] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0234.035] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0234.063] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0234.063] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0234.063] SetEvent (hEvent=0x110) returned 1 [0234.063] SetEvent (hEvent=0x3f4) returned 1 [0234.100] SetEvent (hEvent=0x1d0) returned 1 [0234.101] SetEvent (hEvent=0x3cc) returned 1 [0234.101] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0234.152] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0234.153] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0234.154] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0234.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncclient.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe73272cc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe73272cc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xed477d8a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0)) returned 1 [0234.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0234.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0234.156] ReadFile (in: hFile=0x438, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0234.334] GetFileType (hFile=0x438) returned 0x1 [0234.334] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0234.334] WriteFile (in: hFile=0x438, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0234.376] GetFileType (hFile=0x438) returned 0x1 [0234.376] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0234.376] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0234.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0234.380] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0234.538] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810450 | out: pbBuffer=0x12810450) returned 1 [0234.552] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncclient.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0234.553] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0234.553] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0234.759] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0234.924] CloseHandle (hObject=0x42c) returned 1 [0234.924] CloseHandle (hObject=0x438) returned 1 [0234.924] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810468 | out: pbBuffer=0x12810468) returned 1 [0234.925] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncclient.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[6217F47A618B90D0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[6217f47a618b90d0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0235.278] SetEvent (hEvent=0xf4) returned 1 [0235.278] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\OneDriveSetup.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\onedrivesetup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0235.278] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0235.278] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\OneDriveSetup.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\onedrivesetup.exe"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849bc788, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x849bc788, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3150e345, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x7718c0)) returned 1 [0235.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0235.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104c0 | out: pbBuffer=0x128104c0) returned 1 [0235.280] ReadFile (in: hFile=0x438, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0235.492] GetFileType (hFile=0x438) returned 0x1 [0235.492] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0235.493] WriteFile (in: hFile=0x438, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0235.494] GetFileType (hFile=0x438) returned 0x1 [0235.494] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0235.494] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0235.494] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0235.494] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0235.494] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9afc0 | out: pbBuffer=0x12a9afc0) returned 1 [0235.494] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\OneDriveSetup.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\onedrivesetup.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0235.495] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0235.495] WriteFile (in: hFile=0x45c, lpBuffer=0x12b02500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b02500*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0235.668] CloseHandle (hObject=0x45c) returned 1 [0235.726] CloseHandle (hObject=0x438) returned 1 [0235.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b0d8 | out: pbBuffer=0x12a9b0d8) returned 1 [0235.869] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\OneDriveSetup.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\onedrivesetup.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[5D530B057FD5327D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[5d530b057fd5327d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.218] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0236.425] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0236.475] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0236.564] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0236.589] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0236.787] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0236.958] SetEvent (hEvent=0x1d0) returned 1 [0236.958] SetEvent (hEvent=0xfc) returned 1 [0236.958] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0236.992] SetEvent (hEvent=0x1d0) returned 1 [0236.992] SetEvent (hEvent=0xfc) returned 1 [0236.992] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0237.097] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.098] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0237.098] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d1a1361, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d1a1361, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d7e32a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0237.098] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a6b380 | out: pbBuffer=0x12a6b380) returned 1 [0237.098] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9a10 | out: pbBuffer=0x128e9a10) returned 1 [0237.099] ReadFile (in: hFile=0x450, lpBuffer=0x129b4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b4000*, lpNumberOfBytesRead=0x12a67d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0237.104] GetFileType (hFile=0x450) returned 0x1 [0237.104] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.105] WriteFile (in: hFile=0x450, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a67d00*=0x160c0, lpOverlapped=0x12a67d0c) returned 1 [0237.105] GetFileType (hFile=0x450) returned 0x1 [0237.105] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0237.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0237.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0237.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9b00 | out: pbBuffer=0x128e9b00) returned 1 [0237.106] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.106] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0237.106] WriteFile (in: hFile=0x44c, lpBuffer=0x12b80000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b80000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.107] CloseHandle (hObject=0x44c) returned 1 [0237.107] CloseHandle (hObject=0x450) returned 1 [0237.107] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9b18 | out: pbBuffer=0x128e9b18) returned 1 [0237.107] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\#_THIS_FILE_IS_ENCRYPTED_[6B62C228CD0EB9EC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\#_this_file_is_encrypted_[6b62c228cd0eb9ec]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.131] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.131] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.131] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63c7855a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x63c7855a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x66788e59, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0237.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a6b580 | out: pbBuffer=0x12a6b580) returned 1 [0237.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9e10 | out: pbBuffer=0x128e9e10) returned 1 [0237.132] ReadFile (in: hFile=0x450, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a65d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0237.139] GetFileType (hFile=0x450) returned 0x1 [0237.139] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.139] WriteFile (in: hFile=0x450, lpBuffer=0x12d70000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12d70000*, lpNumberOfBytesWritten=0x12a65d00*=0x15ac0, lpOverlapped=0x12a65d0c) returned 1 [0237.140] GetFileType (hFile=0x450) returned 0x1 [0237.140] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0237.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0237.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0237.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9ec8 | out: pbBuffer=0x128e9ec8) returned 1 [0237.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0237.141] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.141] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b80500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b80500*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.141] CloseHandle (hObject=0x3e4) returned 1 [0237.141] CloseHandle (hObject=0x450) returned 1 [0237.141] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9ee0 | out: pbBuffer=0x128e9ee0) returned 1 [0237.141] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\#_THIS_FILE_IS_ENCRYPTED_[21520776F9E62808]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\#_this_file_is_encrypted_[21520776f9e62808]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.173] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0237.179] SetEvent (hEvent=0x420) returned 1 [0237.179] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.180] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0237.180] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x676496c0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x676496c0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6836654c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0237.180] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88400 | out: pbBuffer=0x12b88400) returned 1 [0237.180] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34268 | out: pbBuffer=0x12c34268) returned 1 [0237.181] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0237.183] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0237.183] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0237.183] SetEvent (hEvent=0x110) returned 1 [0237.183] SetEvent (hEvent=0x420) returned 1 [0237.184] ReadFile (in: hFile=0x450, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a67d1c*=0x154c0, lpOverlapped=0x0) returned 1 [0237.189] GetFileType (hFile=0x450) returned 0x1 [0237.189] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.189] WriteFile (in: hFile=0x450, lpBuffer=0x12ca4000*, nNumberOfBytesToWrite=0x154c0, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12ca4000*, lpNumberOfBytesWritten=0x12a67d00*=0x154c0, lpOverlapped=0x12a67d0c) returned 1 [0237.190] GetFileType (hFile=0x450) returned 0x1 [0237.190] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x154c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.191] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0237.191] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0237.191] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0237.191] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34320 | out: pbBuffer=0x12c34320) returned 1 [0237.191] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.191] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0237.191] WriteFile (in: hFile=0x44c, lpBuffer=0x12d6cf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d6cf00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.192] CloseHandle (hObject=0x44c) returned 1 [0237.192] CloseHandle (hObject=0x450) returned 1 [0237.192] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34338 | out: pbBuffer=0x12c34338) returned 1 [0237.192] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\#_THIS_FILE_IS_ENCRYPTED_[1BC11EC2B006C601]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\#_this_file_is_encrypted_[1bc11ec2b006c601]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.347] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.348] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.348] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bae6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6c2bae6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6e062107, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0237.361] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0237.361] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0237.361] ReadFile (in: hFile=0x450, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x1282fd1c*=0x160c0, lpOverlapped=0x0) returned 1 [0237.389] GetFileType (hFile=0x450) returned 0x1 [0237.389] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.389] WriteFile (in: hFile=0x450, lpBuffer=0x12d6e000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12d6e000*, lpNumberOfBytesWritten=0x1282fd00*=0x160c0, lpOverlapped=0x1282fd0c) returned 1 [0237.390] GetFileType (hFile=0x450) returned 0x1 [0237.390] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.390] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0237.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0237.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0237.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128485d8 | out: pbBuffer=0x128485d8) returned 1 [0237.396] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.396] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.396] WriteFile (in: hFile=0x44c, lpBuffer=0x12d6c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12d6c000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0237.397] CloseHandle (hObject=0x44c) returned 1 [0237.397] CloseHandle (hObject=0x450) returned 1 [0237.397] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848600 | out: pbBuffer=0x12848600) returned 1 [0237.397] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\#_THIS_FILE_IS_ENCRYPTED_[1658C1884C8F1D36]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\#_this_file_is_encrypted_[1658c1884c8f1d36]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.399] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0237.401] SetEvent (hEvent=0x420) returned 1 [0237.402] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.402] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.402] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec4dc4a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6ec4dc4a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6f91e779, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0237.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928260 | out: pbBuffer=0x12928260) returned 1 [0237.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848678 | out: pbBuffer=0x12848678) returned 1 [0237.404] ReadFile (in: hFile=0x450, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a65d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0237.414] GetFileType (hFile=0x450) returned 0x1 [0237.414] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.414] WriteFile (in: hFile=0x450, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a65d00*=0x15ec0, lpOverlapped=0x12a65d0c) returned 1 [0237.415] GetFileType (hFile=0x450) returned 0x1 [0237.415] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0237.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0237.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0237.416] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848990 | out: pbBuffer=0x12848990) returned 1 [0237.416] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.416] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.416] WriteFile (in: hFile=0x44c, lpBuffer=0x12d6c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d6c500*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.417] CloseHandle (hObject=0x44c) returned 1 [0237.417] CloseHandle (hObject=0x450) returned 1 [0237.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128489a8 | out: pbBuffer=0x128489a8) returned 1 [0237.417] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\#_THIS_FILE_IS_ENCRYPTED_[49E054F72A7DE0A2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\#_this_file_is_encrypted_[49e054f72a7de0a2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.419] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0237.442] SetEvent (hEvent=0x420) returned 1 [0237.442] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.443] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0237.443] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c9f0fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c9f0fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0237.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284a0 | out: pbBuffer=0x129284a0) returned 1 [0237.443] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848a20 | out: pbBuffer=0x12848a20) returned 1 [0237.444] ReadFile (in: hFile=0x450, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12a67d1c*=0x162c0, lpOverlapped=0x0) returned 1 [0237.473] GetFileType (hFile=0x450) returned 0x1 [0237.473] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.473] WriteFile (in: hFile=0x450, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x162c0, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12a67d00*=0x162c0, lpOverlapped=0x12a67d0c) returned 1 [0237.474] GetFileType (hFile=0x450) returned 0x1 [0237.474] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x162c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.474] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0237.474] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835081 | out: pbBuffer=0x12835081) returned 1 [0237.474] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835181 | out: pbBuffer=0x12835181) returned 1 [0237.474] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848ae8 | out: pbBuffer=0x12848ae8) returned 1 [0237.474] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0237.475] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0237.475] WriteFile (in: hFile=0x42c, lpBuffer=0x12d6ca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d6ca00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.475] CloseHandle (hObject=0x42c) returned 1 [0237.475] CloseHandle (hObject=0x450) returned 1 [0237.475] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b10 | out: pbBuffer=0x12848b10) returned 1 [0237.475] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\#_THIS_FILE_IS_ENCRYPTED_[6726A2A5242B600F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\#_this_file_is_encrypted_[6726a2a5242b600f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.537] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x756d8e23, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x757bdd52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x757bdd52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.584] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x756d8e23, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x756d8e23, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x757bdd52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0237.585] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x756d8e23, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x756d8e23, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x757bdd52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.585] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x757bdd52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x757bdd52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75856614, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.585] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.585] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0237.585] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.585] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.586] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0237.631] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.631] WriteFile (in: hFile=0x3e4, lpBuffer=0x1296e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1296e000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.633] CloseHandle (hObject=0x3e4) returned 1 [0237.633] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x757bdd52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x757bdd52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75856614, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0237.711] SetEvent (hEvent=0x1b8) returned 1 [0237.711] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7587ca25, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x75cf4da3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75cf4da3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.722] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.722] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7587ca25, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7587ca25, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75cf4da3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0237.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7587ca25, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7587ca25, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75cf4da3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75cf4da3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x75cf4da3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76015f2a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.722] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0237.722] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.722] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.723] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.724] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.724] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.725] CloseHandle (hObject=0x44c) returned 1 [0237.725] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75cf4da3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x75cf4da3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76015f2a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0237.726] SetEvent (hEvent=0x1b8) returned 1 [0237.726] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x761472c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7641c0ca, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7641c0ca, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.726] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.727] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x761472c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x761472c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7641c0ca, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0237.727] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x761472c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x761472c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7641c0ca, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.727] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7641c0ca, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7641c0ca, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76a5e2f9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.727] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.727] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0237.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.727] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.727] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.728] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.728] WriteFile (in: hFile=0x44c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.730] CloseHandle (hObject=0x44c) returned 1 [0237.730] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7641c0ca, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7641c0ca, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76a5e2f9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0)) returned 1 [0237.731] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76af6cb3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x773c1775, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x773c1775, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.779] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.779] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76af6cb3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x76af6cb3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x773c1775, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0237.779] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76af6cb3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x76af6cb3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x773c1775, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.779] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773c1775, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x773c1775, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x778ac20d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.779] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.779] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0237.780] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.834] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.834] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.837] CloseHandle (hObject=0x44c) returned 1 [0237.837] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773c1775, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x773c1775, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x778ac20d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0)) returned 1 [0237.854] SetEvent (hEvent=0x110) returned 1 [0237.854] SetEvent (hEvent=0x420) returned 1 [0237.854] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x778ac20d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78176e22, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.854] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.854] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x778ac20d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78176e22, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0237.855] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x778ac20d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78176e22, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.855] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78176e22, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7820f937, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.855] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.855] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0237.855] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.855] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.855] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0237.857] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.857] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.859] CloseHandle (hObject=0x3e4) returned 1 [0237.859] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78176e22, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7820f937, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0237.870] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7850a56c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78b265bb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78b265bb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0237.871] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0237.871] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7850a56c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7850a56c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78b265bb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0237.871] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7850a56c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7850a56c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78b265bb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0237.871] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b265bb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78b265bb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78be52ff, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0237.871] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0237.871] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0237.872] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0237.872] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0237.872] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.873] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0237.873] WriteFile (in: hFile=0x44c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0237.875] CloseHandle (hObject=0x44c) returned 1 [0237.875] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b265bb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78b265bb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78be52ff, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0)) returned 1 [0237.875] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78be52ff, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78d62a39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78d62a39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.007] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.008] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78be52ff, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78be52ff, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78d62a39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0238.008] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78be52ff, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78be52ff, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78d62a39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.008] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78d62a39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78d62a39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x794d5ee8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.008] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.008] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0238.008] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.008] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.009] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.043] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.043] WriteFile (in: hFile=0x44c, lpBuffer=0x1296f300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1296f300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.044] CloseHandle (hObject=0x44c) returned 1 [0238.044] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78d62a39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78d62a39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x794d5ee8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0238.050] SetEvent (hEvent=0xfc) returned 1 [0238.050] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x794fc152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79c23223, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79c23223, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.055] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.056] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x794fc152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x794fc152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79c23223, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0238.056] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x794fc152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x794fc152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79c23223, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.056] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c23223, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79c23223, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79cbbda6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.056] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.056] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0238.056] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.056] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.056] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.057] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.058] WriteFile (in: hFile=0x44c, lpBuffer=0x12970600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12970600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.059] CloseHandle (hObject=0x44c) returned 1 [0238.059] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c23223, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79c23223, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79cbbda6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ac0)) returned 1 [0238.060] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x79ce210c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b33be0e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b33be0e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.060] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x79ce210c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79ce210c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b33be0e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0238.060] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x79ce210c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79ce210c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b33be0e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.060] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b33be0e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b33be0e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b420d9c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.060] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.060] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0238.061] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.062] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.062] WriteFile (in: hFile=0x44c, lpBuffer=0x12971900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12971900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.064] CloseHandle (hObject=0x44c) returned 1 [0238.064] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b33be0e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b33be0e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b420d9c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0238.071] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0238.111] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0238.114] SetEvent (hEvent=0x1b8) returned 1 [0238.114] SetEvent (hEvent=0x420) returned 1 [0238.114] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b46d246, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b90bbb9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b90bbb9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.114] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.114] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b46d246, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b46d246, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b90bbb9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0238.115] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b46d246, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b46d246, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b90bbb9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.115] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b90bbb9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b90bbb9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7bad5697, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.115] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.115] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0238.115] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.115] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.115] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.116] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.116] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.118] CloseHandle (hObject=0x42c) returned 1 [0238.118] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b90bbb9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b90bbb9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7bad5697, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0238.118] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bb21b30, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c2950a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c2950a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.127] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.127] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bb21b30, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7bb21b30, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c2950a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bb21b30, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7bb21b30, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c2950a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c2950a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c2950a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c32dc26, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.127] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.128] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.128] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.128] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.129] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.129] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.130] CloseHandle (hObject=0x3e4) returned 1 [0238.130] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c2950a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c2950a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c32dc26, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0238.130] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c353c50, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c995f72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c995f72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.131] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.131] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c353c50, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c353c50, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c995f72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.131] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c353c50, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c353c50, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c995f72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.131] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c995f72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c995f72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ca2ec66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.131] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.131] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.131] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.131] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.131] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.132] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.132] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.134] CloseHandle (hObject=0x3e4) returned 1 [0238.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c995f72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c995f72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ca2ec66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0238.147] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ca54abd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ec4e3f5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ec4e3f5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.147] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.147] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ca54abd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ca54abd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ec4e3f5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.148] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ca54abd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ca54abd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ec4e3f5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.148] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ec4e3f5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ec4e3f5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8031affd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x176c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.148] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.148] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.148] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.148] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.149] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.149] WriteFile (in: hFile=0x44c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.150] CloseHandle (hObject=0x44c) returned 1 [0238.150] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ec4e3f5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ec4e3f5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8031affd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x176c0)) returned 1 [0238.163] SetEvent (hEvent=0x1b8) returned 1 [0238.163] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x803b3583, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8049848e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8049848e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.163] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.163] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x803b3583, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x803b3583, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8049848e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0238.164] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x803b3583, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x803b3583, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8049848e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.164] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8049848e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8049848e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x805efa75, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.164] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.164] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0238.164] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.164] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.164] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.165] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.165] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.166] CloseHandle (hObject=0x42c) returned 1 [0238.167] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8049848e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8049848e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x805efa75, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ac0)) returned 1 [0238.167] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x805efa75, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x806d483e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x806d483e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.195] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.195] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x805efa75, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x805efa75, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x806d483e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0238.195] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x805efa75, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x805efa75, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x806d483e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.195] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x806d483e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x806d483e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80a1bf57, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.195] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.195] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0238.195] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.196] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.196] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.202] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.202] WriteFile (in: hFile=0x44c, lpBuffer=0x12c20000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c20000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.203] CloseHandle (hObject=0x44c) returned 1 [0238.203] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x806d483e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x806d483e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80a1bf57, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0)) returned 1 [0238.208] SetEvent (hEvent=0xfc) returned 1 [0238.208] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b26d07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80e21b0f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80e21b0f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.222] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0238.238] SetEvent (hEvent=0x1b8) returned 1 [0238.238] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.238] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b26d07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80b26d07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80e21b0f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0238.239] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b26d07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80b26d07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80e21b0f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.239] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e21b0f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80e21b0f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81928802, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.239] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.239] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0238.239] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.239] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.239] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.241] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.241] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.242] CloseHandle (hObject=0x42c) returned 1 [0238.243] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e21b0f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80e21b0f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81928802, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0)) returned 1 [0238.247] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81928802, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81a0d6f7, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81a0d6f7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.247] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.247] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81928802, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81928802, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81a0d6f7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81928802, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81928802, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81a0d6f7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81a0d6f7, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81a0d6f7, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81b3eb6a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.248] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.248] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.248] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.248] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.257] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.257] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.259] CloseHandle (hObject=0x42c) returned 1 [0238.259] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81a0d6f7, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81a0d6f7, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81b3eb6a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0238.259] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81b3eb6a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81ef8607, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81ef8607, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.270] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.270] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81b3eb6a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81b3eb6a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81ef8607, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.270] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81b3eb6a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81b3eb6a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81ef8607, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.270] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ef8607, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81ef8607, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x827e93a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.271] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.271] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.271] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.272] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.272] WriteFile (in: hFile=0x44c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.288] CloseHandle (hObject=0x44c) returned 1 [0238.288] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ef8607, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81ef8607, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x827e93a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0238.288] SetEvent (hEvent=0x1b8) returned 1 [0238.288] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x827e93a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x82cd3f98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x82cd3f98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.289] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.289] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x827e93a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x827e93a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x82cd3f98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.289] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x827e93a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x827e93a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x82cd3f98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.289] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd3f98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x82cd3f98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83126441, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.289] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.289] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.289] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.289] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.290] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.290] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.290] WriteFile (in: hFile=0x44c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.291] CloseHandle (hObject=0x44c) returned 1 [0238.292] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd3f98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x82cd3f98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83126441, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0238.296] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x832eff32, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x834939f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x834939f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.300] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.300] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x832eff32, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x832eff32, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x834939f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0238.300] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x832eff32, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x832eff32, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x834939f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.300] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x834939f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x834939f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8352c4e5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x126c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.300] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.301] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0238.301] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.301] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.301] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.301] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.301] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.303] CloseHandle (hObject=0x42c) returned 1 [0238.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x834939f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x834939f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8352c4e5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x126c0)) returned 1 [0238.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8352c4e5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x836f6330, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x836f6330, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.303] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.304] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8352c4e5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8352c4e5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x836f6330, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0238.304] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8352c4e5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8352c4e5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x836f6330, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.304] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836f6330, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x836f6330, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x837b4d08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.304] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.304] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0238.304] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.304] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.304] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.305] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.305] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.307] CloseHandle (hObject=0x42c) returned 1 [0238.307] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836f6330, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x836f6330, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x837b4d08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0238.321] SetEvent (hEvent=0xfc) returned 1 [0238.321] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x838271cc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83a17039, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83a17039, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.321] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.321] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x838271cc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x838271cc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83a17039, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0238.322] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x838271cc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x838271cc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83a17039, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.323] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83a17039, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83a17039, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83aafb76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.323] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.323] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0238.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.323] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.324] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.342] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.342] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.344] CloseHandle (hObject=0x42c) returned 1 [0238.344] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83a17039, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83a17039, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83aafb76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0238.344] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83aafb76, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83eb5896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83eb5896, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.434] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.434] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83aafb76, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83aafb76, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83eb5896, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.434] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83aafb76, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83aafb76, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83eb5896, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.434] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83eb5896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83eb5896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83f4e3ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.434] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.434] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.434] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.435] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.435] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.449] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.449] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ada000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12ada000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.451] CloseHandle (hObject=0x3e4) returned 1 [0238.451] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83eb5896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83eb5896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83f4e3ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0238.519] SetEvent (hEvent=0x110) returned 1 [0238.519] SetEvent (hEvent=0xfc) returned 1 [0238.519] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83fc0aac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8418a6bc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8418a6bc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.534] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0238.547] SetEvent (hEvent=0x420) returned 1 [0238.547] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.548] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83fc0aac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83fc0aac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8418a6bc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0238.548] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83fc0aac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83fc0aac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8418a6bc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.548] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8418a6bc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8418a6bc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84223144, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.548] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.548] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0238.548] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.548] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.549] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.549] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.549] WriteFile (in: hFile=0x450, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.551] CloseHandle (hObject=0x450) returned 1 [0238.551] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8418a6bc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8418a6bc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84223144, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ec0)) returned 1 [0238.556] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x844390b4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84675212, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84675212, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.557] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.557] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x844390b4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x844390b4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84675212, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0238.557] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x844390b4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x844390b4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84675212, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.557] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84675212, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84675212, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8470dd37, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.557] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.557] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0238.558] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.558] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.558] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.559] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.559] WriteFile (in: hFile=0x450, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.561] CloseHandle (hObject=0x450) returned 1 [0238.561] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84675212, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84675212, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8470dd37, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0)) returned 1 [0238.561] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8470dd37, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x848b1595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x848b1595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.561] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.561] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8470dd37, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8470dd37, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x848b1595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0238.562] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8470dd37, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8470dd37, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x848b1595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.562] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x848b1595, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x848b1595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8494a1db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.562] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.562] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0238.562] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.562] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.562] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.563] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.563] WriteFile (in: hFile=0x450, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.565] CloseHandle (hObject=0x450) returned 1 [0238.565] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x848b1595, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x848b1595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8494a1db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0)) returned 1 [0238.565] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2dd71af, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3229861, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3229861, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.566] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.566] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2dd71af, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2dd71af, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3229861, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0238.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2dd71af, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2dd71af, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3229861, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3229861, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3229861, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd348bddc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.566] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.566] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0238.566] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.566] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.567] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.567] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.567] WriteFile (in: hFile=0x450, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.569] CloseHandle (hObject=0x450) returned 1 [0238.569] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3229861, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3229861, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd348bddc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0238.569] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3524796, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd381f2ce, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd381f2ce, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.570] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.570] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3524796, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3524796, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd381f2ce, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0238.570] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3524796, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3524796, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd381f2ce, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.570] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd381f2ce, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd381f2ce, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3bd92cf, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.570] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.570] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0238.571] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.571] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.571] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.572] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.572] WriteFile (in: hFile=0x450, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.573] CloseHandle (hObject=0x450) returned 1 [0238.574] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd381f2ce, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd381f2ce, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3bd92cf, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0238.574] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.575] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0238.575] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3229861, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3229861, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd348bddc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0238.575] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0238.575] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9400 | out: pbBuffer=0x128e9400) returned 1 [0238.575] ReadFile (in: hFile=0x450, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x152c0, lpOverlapped=0x0) returned 1 [0238.594] GetFileType (hFile=0x450) returned 0x1 [0238.594] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.594] WriteFile (in: hFile=0x450, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x152c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12829d00*=0x152c0, lpOverlapped=0x12829d0c) returned 1 [0238.595] GetFileType (hFile=0x450) returned 0x1 [0238.595] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x152c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0238.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0238.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0238.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e94b8 | out: pbBuffer=0x128e94b8) returned 1 [0238.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0238.596] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0238.596] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.596] CloseHandle (hObject=0x458) returned 1 [0238.597] CloseHandle (hObject=0x450) returned 1 [0238.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e94d0 | out: pbBuffer=0x128e94d0) returned 1 [0238.597] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\#_THIS_FILE_IS_ENCRYPTED_[4CA66676C83D8D2F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\#_this_file_is_encrypted_[4ca66676c83d8d2f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.598] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.599] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0238.599] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd381f2ce, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd381f2ce, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3bd92cf, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0238.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928260 | out: pbBuffer=0x12928260) returned 1 [0238.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9518 | out: pbBuffer=0x128e9518) returned 1 [0238.599] ReadFile (in: hFile=0x450, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0238.661] GetFileType (hFile=0x450) returned 0x1 [0238.661] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.661] WriteFile (in: hFile=0x450, lpBuffer=0x129c0000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x129c0000*, lpNumberOfBytesWritten=0x12829d00*=0x160c0, lpOverlapped=0x12829d0c) returned 1 [0238.728] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0238.784] GetFileType (hFile=0x450) returned 0x1 [0238.784] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.785] GetFileType (hFile=0x3e4) returned 0x1 [0238.785] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x128d8ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.785] WriteFile (in: hFile=0x3e4, lpBuffer=0x129f8000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x128d8d00, lpOverlapped=0x128d8d0c | out: lpBuffer=0x129f8000*, lpNumberOfBytesWritten=0x128d8d00*=0x164c0, lpOverlapped=0x128d8d0c) returned 1 [0238.786] GetFileType (hFile=0x3e4) returned 0x1 [0238.786] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x128d8ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.786] SetEvent (hEvent=0xfc) returned 1 [0238.786] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0243.086] SetEvent (hEvent=0x1b8) returned 1 [0243.086] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0245.810] SetEvent (hEvent=0xfc) returned 1 [0245.810] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0245.817] SetEvent (hEvent=0xfc) returned 1 [0245.817] SetEvent (hEvent=0x1d0) returned 1 [0245.817] SwitchToThread () returned 1 [0245.830] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0245.944] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0246.042] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0246.851] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0247.362] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0248.717] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0251.067] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0251.563] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\Latest.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\latest.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0251.564] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0251.564] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\Latest.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\latest.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7eb68271, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x1)) returned 1 [0251.564] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88320 | out: pbBuffer=0x12b88320) returned 1 [0251.565] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34748 | out: pbBuffer=0x12c34748) returned 1 [0251.652] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0251.652] SetEvent (hEvent=0x110) returned 1 [0251.653] SetEvent (hEvent=0x1d0) returned 1 [0251.694] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d96d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12d96d1c*=0x1, lpOverlapped=0x0) returned 1 [0251.695] GetFileType (hFile=0x3e4) returned 0x1 [0251.695] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d96ce4 | out: lpNewFilePointer=0x0) returned 1 [0251.695] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c34750*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x12d96d00, lpOverlapped=0x12d96d0c | out: lpBuffer=0x12c34750*, lpNumberOfBytesWritten=0x12d96d00*=0x1, lpOverlapped=0x12d96d0c) returned 1 [0251.696] GetFileType (hFile=0x3e4) returned 0x1 [0251.696] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x1, lpNewFilePointer=0x0, dwMoveMethod=0x12d96ce4 | out: lpNewFilePointer=0x0) returned 1 [0251.771] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0251.771] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0251.771] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0251.772] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0251.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0251.949] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0251.950] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c347f0 | out: pbBuffer=0x12c347f0) returned 1 [0251.950] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\Latest.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\latest.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0251.950] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0251.950] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0251.950] CloseHandle (hObject=0x44c) returned 1 [0251.951] CloseHandle (hObject=0x3e4) returned 1 [0251.951] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34808 | out: pbBuffer=0x12c34808) returned 1 [0252.027] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0252.073] SetEvent (hEvent=0xf4) returned 1 [0252.073] SetEvent (hEvent=0x3f8) returned 1 [0252.073] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0252.561] SetEvent (hEvent=0x420) returned 1 [0252.561] SetEvent (hEvent=0x19c) returned 1 [0252.561] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0254.253] SetEvent (hEvent=0x19c) returned 1 [0254.253] SetEvent (hEvent=0xf4) returned 1 [0254.253] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0255.768] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0256.152] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0256.507] SetEvent (hEvent=0x420) returned 1 [0256.507] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0256.512] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91cf695a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91cf695a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91cf695a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0256.517] SetEvent (hEvent=0x3f4) returned 1 [0256.517] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0256.529] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0256.529] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0256.530] SetEvent (hEvent=0xf4) returned 1 [0256.530] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0256.650] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0256.650] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.651] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0256.651] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.651] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0256.651] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0256.651] ReadFile (in: hFile=0x3e4, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0256.652] CloseHandle (hObject=0x3e4) returned 1 [0256.652] GetFileType (hFile=0x42c) returned 0x1 [0256.652] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0256.652] WriteFile (in: hFile=0x42c, lpBuffer=0x12b0a000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12b0a000*, lpNumberOfBytesWritten=0x12855d00*=0x2000, lpOverlapped=0x12855d0c) returned 1 [0256.652] GetFileType (hFile=0x42c) returned 0x1 [0256.652] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0256.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0256.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0256.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0256.653] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0256.653] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.654] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0256.654] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ac6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac6000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0256.654] CloseHandle (hObject=0x3e4) returned 1 [0256.654] CloseHandle (hObject=0x42c) returned 1 [0256.654] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0256.655] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[BF2AF338C6F61D28]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[bf2af338c6f61d28]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0256.656] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0257.422] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0257.845] SetEvent (hEvent=0x420) returned 1 [0258.075] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\MessagingBackgroundTaskLog.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\messagingbackgroundtasklog.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0258.076] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0258.076] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\MessagingBackgroundTaskLog.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\messagingbackgroundtasklog.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3abf05c0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0258.076] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0258.077] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0258.077] ReadFile (in: hFile=0x44c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x1282bd1c*=0x1000, lpOverlapped=0x0) returned 1 [0258.099] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0258.275] SetEvent (hEvent=0x420) returned 1 [0258.275] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0258.400] SetEvent (hEvent=0x19c) returned 1 [0258.401] SwitchToThread () returned 1 [0258.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0258.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0258.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0258.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a058 | out: pbBuffer=0x12a9a058) returned 1 [0258.488] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\PrivateTransportId.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\privatetransportid.setting"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.488] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0258.488] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0258.611] CloseHandle (hObject=0x42c) returned 1 [0258.611] CloseHandle (hObject=0x3e4) returned 1 [0258.612] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a090 | out: pbBuffer=0x12a9a090) returned 1 [0258.612] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\PrivateTransportId.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\privatetransportid.setting"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\#_THIS_FILE_IS_ENCRYPTED_[75D02DD2D98F6004]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\#_this_file_is_encrypted_[75d02dd2d98f6004]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0258.613] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\roottools.conf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\roottools.conf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0258.613] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0258.614] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\roottools.conf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\roottools.conf"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x261a25ce, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x4b)) returned 1 [0258.614] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98180 | out: pbBuffer=0x12a98180) returned 1 [0258.614] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0258.615] ReadFile (in: hFile=0x3e4, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282fd1c*=0x4b, lpOverlapped=0x0) returned 1 [0258.616] GetFileType (hFile=0x3e4) returned 0x1 [0258.616] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0258.616] WriteFile (in: hFile=0x3e4, lpBuffer=0x12894000*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12894000*, lpNumberOfBytesWritten=0x1282fd00*=0x4b, lpOverlapped=0x1282fd0c) returned 1 [0258.616] GetFileType (hFile=0x3e4) returned 0x1 [0258.616] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x4b, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0258.616] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0258.616] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0258.617] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0258.617] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1b0 | out: pbBuffer=0x12a9a1b0) returned 1 [0258.617] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\roottools.conf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\roottools.conf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.617] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0258.617] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0258.647] CloseHandle (hObject=0x42c) returned 1 [0258.647] CloseHandle (hObject=0x3e4) returned 1 [0258.648] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1c8 | out: pbBuffer=0x12a9a1c8) returned 1 [0258.648] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\roottools.conf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\roottools.conf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\#_THIS_FILE_IS_ENCRYPTED_[08622D3598DA1862]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\#_this_file_is_encrypted_[08622d3598da1862]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0258.696] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.697] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0258.697] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf426419d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426419d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf426419d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.697] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.697] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf426419d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426419d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf426419d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0258.697] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf426419d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426419d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf426419d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.697] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.698] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0258.698] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.698] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.698] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0258.699] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0258.699] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0258.700] CloseHandle (hObject=0x3e4) returned 1 [0258.700] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41c9135, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.701] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.701] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41c9135, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0258.701] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41c9135, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.701] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2636c21f, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DbTemp", cAlternateFileName="")) returned 1 [0258.701] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.701] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0258.701] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.701] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.701] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0258.702] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0258.702] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0258.704] CloseHandle (hObject=0x3e4) returned 1 [0258.704] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\dbtemp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2636c21f, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.704] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\dbtemp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.705] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2636c21f, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0258.705] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2636c21f, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.705] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.705] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0258.705] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\dbtemp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.705] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\dbtemp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.705] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\dbtemp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0258.706] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0258.706] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0258.707] CloseHandle (hObject=0x3e4) returned 1 [0258.708] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0258.708] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.708] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0258.708] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.708] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x4da5bc3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4da5bc3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0258.708] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0258.708] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0258.708] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0258.708] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_N")) returned 1 [0258.709] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0258.709] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0258.709] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0258.709] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0258.709] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.709] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0258.709] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.709] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.710] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0258.711] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0258.711] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ada000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12ada000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0258.712] CloseHandle (hObject=0x3e4) returned 1 [0258.743] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0258.748] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0259.112] SetEvent (hEvent=0x3f4) returned 1 [0259.122] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.124] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0259.124] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.124] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0259.124] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0259.124] ReadFile (in: hFile=0x42c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0259.124] CloseHandle (hObject=0x42c) returned 1 [0259.125] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.125] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0259.125] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.126] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0259.126] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810048 | out: pbBuffer=0x12810048) returned 1 [0259.126] ReadFile (in: hFile=0x42c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0259.126] CloseHandle (hObject=0x42c) returned 1 [0259.126] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0259.152] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0259.224] SetEvent (hEvent=0x3f4) returned 1 [0259.224] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.225] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0259.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00001.jrs"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0259.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928040 | out: pbBuffer=0x12928040) returned 1 [0259.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810058 | out: pbBuffer=0x12810058) returned 1 [0259.226] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c4a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c4a000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0259.232] GetFileType (hFile=0x3e4) returned 0x1 [0259.233] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0259.233] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c8a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12c8a000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0259.233] GetFileType (hFile=0x3e4) returned 0x1 [0259.233] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0259.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0259.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0259.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0259.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810140 | out: pbBuffer=0x12810140) returned 1 [0259.328] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00001.jrs"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.329] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0259.329] WriteFile (in: hFile=0x458, lpBuffer=0x12944000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12944000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0259.335] CloseHandle (hObject=0x458) returned 1 [0259.335] CloseHandle (hObject=0x3e4) returned 1 [0259.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810158 | out: pbBuffer=0x12810158) returned 1 [0259.335] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00001.jrs"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\#_THIS_FILE_IS_ENCRYPTED_[0E65BA3769935467]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\#_this_file_is_encrypted_[0e65ba3769935467]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.338] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.339] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0259.339] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edb.log"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0259.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928260 | out: pbBuffer=0x12928260) returned 1 [0259.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101a0 | out: pbBuffer=0x128101a0) returned 1 [0259.340] ReadFile (in: hFile=0x3e4, lpBuffer=0x12d6a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d6a000*, lpNumberOfBytesRead=0x12855d1c*=0x20000, lpOverlapped=0x0) returned 1 [0259.396] SetEvent (hEvent=0x1d0) returned 1 [0259.396] SetEvent (hEvent=0x3f8) returned 1 [0259.396] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0259.412] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0259.412] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0259.418] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x0 [0259.461] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0259.461] SetEvent (hEvent=0x420) returned 1 [0259.461] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0259.503] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0259.504] GetFileType (hFile=0x3e4) returned 0x1 [0259.504] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.504] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12851d00*=0x20000, lpOverlapped=0x12851d0c) returned 1 [0259.505] GetFileType (hFile=0x3e4) returned 0x1 [0259.505] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12c0e401 | out: pbBuffer=0x12c0e401) returned 1 [0259.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12c0e501 | out: pbBuffer=0x12c0e501) returned 1 [0259.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12c0e601 | out: pbBuffer=0x12c0e601) returned 1 [0259.506] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8420 | out: pbBuffer=0x128e8420) returned 1 [0259.506] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edb.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.506] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0259.506] WriteFile (in: hFile=0x458, lpBuffer=0x12c22500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0259.508] CloseHandle (hObject=0x458) returned 1 [0259.508] CloseHandle (hObject=0x3e4) returned 1 [0259.508] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8438 | out: pbBuffer=0x128e8438) returned 1 [0259.508] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edb.log"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\#_THIS_FILE_IS_ENCRYPTED_[8C5F32EAFB136C04]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\#_this_file_is_encrypted_[8c5f32eafb136c04]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.586] SetEvent (hEvent=0x110) returned 1 [0259.586] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0259.631] SetEvent (hEvent=0x3f4) returned 1 [0259.631] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.634] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0259.634] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x888d1750, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0xf000)) returned 1 [0259.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0259.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848398 | out: pbBuffer=0x12848398) returned 1 [0259.634] ReadFile (in: hFile=0x42c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x1282fd1c*=0xf000, lpOverlapped=0x0) returned 1 [0259.660] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0259.669] SetEvent (hEvent=0x19c) returned 1 [0259.670] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0260.481] SetEvent (hEvent=0x3f8) returned 1 [0260.481] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0260.489] SetEvent (hEvent=0x3f8) returned 1 [0260.489] SetEvent (hEvent=0x3f4) returned 1 [0260.489] SetEvent (hEvent=0x19c) returned 1 [0260.489] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0260.512] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0260.655] SetEvent (hEvent=0x3f8) returned 1 [0260.656] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.657] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0260.657] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ebddfa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0260.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0260.657] ReadFile (in: hFile=0x42c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x1282fd1c*=0x2000, lpOverlapped=0x0) returned 1 [0260.679] GetFileType (hFile=0x42c) returned 0x1 [0260.679] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0260.679] WriteFile (in: hFile=0x42c, lpBuffer=0x12b14000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b14000*, lpNumberOfBytesWritten=0x1282fd00*=0x2000, lpOverlapped=0x1282fd0c) returned 1 [0260.680] GetFileType (hFile=0x42c) returned 0x1 [0260.680] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0260.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0260.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0260.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0260.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0260.681] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0260.681] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0260.681] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c38000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0260.681] CloseHandle (hObject=0x3e4) returned 1 [0260.681] CloseHandle (hObject=0x42c) returned 1 [0260.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0260.681] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[2FDA2D71D1EA35D5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[2fda2d71d1ea35d5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0260.683] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.683] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0260.683] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0260.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848430 | out: pbBuffer=0x12848430) returned 1 [0260.684] ReadFile (in: hFile=0x42c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0260.684] CloseHandle (hObject=0x42c) returned 1 [0260.684] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0260.957] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0260.958] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0260.958] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf79b8381, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928160 | out: pbBuffer=0x12928160) returned 1 [0260.958] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810fa8 | out: pbBuffer=0x12810fa8) returned 1 [0260.958] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x0 [0260.960] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0260.960] SetEvent (hEvent=0x110) returned 1 [0260.960] SetEvent (hEvent=0x420) returned 1 [0260.960] ReadFile (in: hFile=0x3e4, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0260.960] CloseHandle (hObject=0x3e4) returned 1 [0260.961] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0260.969] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0260.969] SetEvent (hEvent=0x420) returned 1 [0260.969] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0260.981] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0260.981] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0260.982] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0260.982] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0260.983] SetEvent (hEvent=0x110) returned 1 [0260.983] SetEvent (hEvent=0x3f8) returned 1 [0260.983] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0260.985] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0260.985] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0261.087] SetEvent (hEvent=0x3f8) returned 1 [0261.087] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.087] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0261.087] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5ade105, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0261.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0261.088] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0261.088] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0261.099] GetFileType (hFile=0x458) returned 0x1 [0261.099] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0261.099] WriteFile (in: hFile=0x458, lpBuffer=0x128b2000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x128b2000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0261.099] GetFileType (hFile=0x458) returned 0x1 [0261.099] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0261.100] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0261.100] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0261.100] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0261.100] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a120 | out: pbBuffer=0x12a9a120) returned 1 [0261.100] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.100] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0261.100] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0261.101] CloseHandle (hObject=0x42c) returned 1 [0261.101] CloseHandle (hObject=0x458) returned 1 [0261.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a138 | out: pbBuffer=0x12a9a138) returned 1 [0261.101] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[127874AC3F870354]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[127874ac3f870354]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0261.109] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0261.218] SetEvent (hEvent=0x3f8) returned 1 [0261.219] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.220] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0261.220] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x658cda37, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x658cda37, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000)) returned 1 [0261.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0261.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a180 | out: pbBuffer=0x12a9a180) returned 1 [0261.220] ReadFile (in: hFile=0x458, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0261.596] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0261.606] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0261.606] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0261.606] SetEvent (hEvent=0x110) returned 1 [0261.607] SetEvent (hEvent=0x420) returned 1 [0261.608] GetFileType (hFile=0x458) returned 0x1 [0261.608] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0261.608] WriteFile (in: hFile=0x458, lpBuffer=0x12d84000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12d84000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0261.609] GetFileType (hFile=0x458) returned 0x1 [0261.610] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0261.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0261.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0261.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0261.611] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a258 | out: pbBuffer=0x12a9a258) returned 1 [0261.611] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0261.611] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0261.611] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0261.613] CloseHandle (hObject=0x44c) returned 1 [0261.613] CloseHandle (hObject=0x458) returned 1 [0261.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a270 | out: pbBuffer=0x12a9a270) returned 1 [0261.614] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[97307880813CE074]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[97307880813ce074]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0261.616] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0261.626] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0261.626] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x0 [0261.638] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0261.638] SetEvent (hEvent=0x3f8) returned 1 [0261.639] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0261.655] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0261.655] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0261.846] SetEvent (hEvent=0x420) returned 1 [0261.846] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.847] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0261.847] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6209ff34, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0261.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0261.848] ReadFile (in: hFile=0x458, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0261.848] CloseHandle (hObject=0x458) returned 1 [0261.848] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61847b4b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.848] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.848] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61847b4b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.849] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61847b4b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.849] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.849] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.849] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.849] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.850] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.850] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.851] WriteFile (in: hFile=0x458, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.852] CloseHandle (hObject=0x458) returned 1 [0261.852] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.853] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.853] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.853] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.853] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.853] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.853] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.854] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.854] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.855] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.855] WriteFile (in: hFile=0x458, lpBuffer=0x12859300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12859300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.856] CloseHandle (hObject=0x458) returned 1 [0261.856] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.857] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.857] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0261.881] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.881] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dcf9475, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd456e8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0261.881] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0261.882] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dba2246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dba2246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dba2246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0261.882] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dabd1ad, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dabd1ad, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0261.882] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0261.882] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0261.882] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0261.882] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dbc8273, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0261.882] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0261.882] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.882] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0261.883] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.885] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.885] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.917] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0261.917] WriteFile (in: hFile=0x458, lpBuffer=0x1285a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1285a600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0261.920] CloseHandle (hObject=0x458) returned 1 [0261.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dcf9475, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd456e8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd456e8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.928] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.928] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dcf9475, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd456e8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0261.932] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dcf9475, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd456e8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.932] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0261.932] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0261.932] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0261.932] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0261.932] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.932] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0261.933] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.935] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.935] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.945] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.946] WriteFile (in: hFile=0x458, lpBuffer=0x1285b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.950] CloseHandle (hObject=0x458) returned 1 [0261.950] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.954] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.954] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0261.954] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.954] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.954] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0261.954] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.954] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.955] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.956] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.956] WriteFile (in: hFile=0x458, lpBuffer=0x1285cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1285cc00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.958] CloseHandle (hObject=0x458) returned 1 [0261.958] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.959] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.959] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0261.959] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.959] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.959] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0261.959] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.959] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.960] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.961] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.961] WriteFile (in: hFile=0x458, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.962] CloseHandle (hObject=0x458) returned 1 [0261.963] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.963] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.963] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.963] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.963] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.963] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.964] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.964] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.964] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.965] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.965] WriteFile (in: hFile=0x458, lpBuffer=0x128ad300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x128ad300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.967] CloseHandle (hObject=0x458) returned 1 [0261.967] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.967] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.967] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0261.968] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.968] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.968] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0261.968] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.968] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.968] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.969] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.969] WriteFile (in: hFile=0x458, lpBuffer=0x128ae600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x128ae600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.971] CloseHandle (hObject=0x458) returned 1 [0261.971] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.971] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.971] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.972] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.972] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.972] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.972] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.972] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.972] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.974] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.974] WriteFile (in: hFile=0x458, lpBuffer=0x128af900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128af900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.976] CloseHandle (hObject=0x458) returned 1 [0261.976] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dba2246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dba2246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dba2246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.980] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.980] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dba2246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dba2246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dba2246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0261.980] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dba2246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dba2246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dba2246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.980] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.980] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0261.981] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.981] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.981] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.982] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.982] WriteFile (in: hFile=0x458, lpBuffer=0x128b0c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128b0c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.984] CloseHandle (hObject=0x458) returned 1 [0261.984] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dabd1ad, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dabd1ad, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.984] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.984] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dabd1ad, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dabd1ad, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.985] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dabd1ad, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dabd1ad, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.985] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.985] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.985] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.985] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.985] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.988] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.988] WriteFile (in: hFile=0x458, lpBuffer=0x12922000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12922000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.993] CloseHandle (hObject=0x458) returned 1 [0261.994] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.996] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0261.997] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.998] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0261.998] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.998] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0261.998] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.998] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.998] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.000] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.000] WriteFile (in: hFile=0x458, lpBuffer=0x12923300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12923300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.002] CloseHandle (hObject=0x458) returned 1 [0262.002] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e36194c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e36194c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.002] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e36194c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.008] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e36194c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.008] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e636973, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e636973, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0262.008] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e315496, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e315496, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e315496, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0262.008] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e315496, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e315496, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e315496, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0262.008] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.008] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.010] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.011] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.011] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.013] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.013] WriteFile (in: hFile=0x458, lpBuffer=0x12924600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12924600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.014] CloseHandle (hObject=0x458) returned 1 [0262.015] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e636973, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e636973, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0262.015] SetEvent (hEvent=0x19c) returned 1 [0262.015] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e315496, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e315496, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e315496, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0262.015] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e315496, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e315496, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e315496, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.016] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.016] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.016] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.016] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.016] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.017] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.017] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.017] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.017] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.018] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.018] WriteFile (in: hFile=0x458, lpBuffer=0x12925900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12925900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.020] CloseHandle (hObject=0x458) returned 1 [0262.020] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.020] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.020] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0262.021] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.021] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0262.021] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0262.021] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.021] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0262.021] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.021] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.021] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.023] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.023] WriteFile (in: hFile=0x458, lpBuffer=0x12926c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12926c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.024] CloseHandle (hObject=0x458) returned 1 [0262.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.025] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.025] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.026] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0262.026] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.026] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b89480 | out: pbBuffer=0x12b89480) returned 1 [0262.026] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128110e0 | out: pbBuffer=0x128110e0) returned 1 [0262.026] ReadFile (in: hFile=0x458, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0262.026] CloseHandle (hObject=0x458) returned 1 [0262.026] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.027] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0262.027] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.027] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b894a0 | out: pbBuffer=0x12b894a0) returned 1 [0262.027] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128110f0 | out: pbBuffer=0x128110f0) returned 1 [0262.027] ReadFile (in: hFile=0x458, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0262.034] GetFileType (hFile=0x458) returned 0x1 [0262.034] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.034] WriteFile (in: hFile=0x458, lpBuffer=0x12a6e000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a6e000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0262.034] GetFileType (hFile=0x458) returned 0x1 [0262.034] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0262.035] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd01 | out: pbBuffer=0x12afcd01) returned 1 [0262.035] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0262.035] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128111a8 | out: pbBuffer=0x128111a8) returned 1 [0262.035] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.035] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0262.035] WriteFile (in: hFile=0x42c, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0262.036] CloseHandle (hObject=0x42c) returned 1 [0262.036] CloseHandle (hObject=0x458) returned 1 [0262.036] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128111c0 | out: pbBuffer=0x128111c0) returned 1 [0262.036] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[47ED6C9332500CB4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[47ed6c9332500cb4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0262.043] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0262.069] SwitchToThread () returned 1 [0262.080] SetEvent (hEvent=0x3f4) returned 1 [0262.080] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0262.088] SetEvent (hEvent=0x3f4) returned 1 [0262.089] SetEvent (hEvent=0x420) returned 1 [0262.089] GetFileType (hFile=0x3e4) returned 0x1 [0262.089] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.089] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a64000*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a64000*, lpNumberOfBytesWritten=0x12851d00*=0x6000, lpOverlapped=0x12851d0c) returned 1 [0262.090] GetFileType (hFile=0x3e4) returned 0x1 [0262.090] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x6000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.090] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0262.090] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0262.090] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0262.090] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0262.091] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0262.091] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0262.091] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0262.092] CloseHandle (hObject=0x44c) returned 1 [0262.092] CloseHandle (hObject=0x3e4) returned 1 [0262.092] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810118 | out: pbBuffer=0x12810118) returned 1 [0262.092] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[554DF9FA66AD3DBF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[554df9fa66ad3dbf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0262.095] GetFileType (hFile=0x42c) returned 0x1 [0262.095] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0262.095] WriteFile (in: hFile=0x42c, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x1282bd00*=0x8000, lpOverlapped=0x1282bd0c) returned 1 [0262.095] GetFileType (hFile=0x42c) returned 0x1 [0262.095] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x8000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0262.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0262.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0262.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0262.096] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810208 | out: pbBuffer=0x12810208) returned 1 [0262.096] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.097] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0262.097] WriteFile (in: hFile=0x3e4, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0262.097] CloseHandle (hObject=0x3e4) returned 1 [0262.097] CloseHandle (hObject=0x42c) returned 1 [0262.097] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810220 | out: pbBuffer=0x12810220) returned 1 [0262.097] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[467E4213F9087C97]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[467e4213f9087c97]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0262.099] SwitchToThread () returned 1 [0262.108] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0262.188] SetEvent (hEvent=0x420) returned 1 [0262.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.189] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0262.189] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8852921, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b883c0 | out: pbBuffer=0x12b883c0) returned 1 [0262.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810278 | out: pbBuffer=0x12810278) returned 1 [0262.190] ReadFile (in: hFile=0x42c, lpBuffer=0x129f6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f6000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0262.200] GetFileType (hFile=0x42c) returned 0x1 [0262.200] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.200] WriteFile (in: hFile=0x42c, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0262.201] GetFileType (hFile=0x42c) returned 0x1 [0262.201] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0262.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0262.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0262.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810330 | out: pbBuffer=0x12810330) returned 1 [0262.201] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0262.202] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0262.202] WriteFile (in: hFile=0x44c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0262.202] CloseHandle (hObject=0x44c) returned 1 [0262.202] CloseHandle (hObject=0x42c) returned 1 [0262.202] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810348 | out: pbBuffer=0x12810348) returned 1 [0262.202] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[65F8F53E0AA7929F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\#_this_file_is_encrypted_[65f8f53e0aa7929f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0262.205] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.205] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.205] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0262.206] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.206] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.206] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0262.206] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.206] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.206] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.207] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.207] WriteFile (in: hFile=0x42c, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.209] CloseHandle (hObject=0x42c) returned 1 [0262.209] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.209] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.209] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0262.210] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.210] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.210] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0262.210] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.210] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.210] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.212] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.212] WriteFile (in: hFile=0x42c, lpBuffer=0x128ad300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128ad300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.213] CloseHandle (hObject=0x42c) returned 1 [0262.213] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.214] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.214] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.226] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.226] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0262.227] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.228] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.228] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.230] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0262.230] WriteFile (in: hFile=0x42c, lpBuffer=0x128ae600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x128ae600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0262.231] CloseHandle (hObject=0x42c) returned 1 [0262.231] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.234] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.234] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0262.237] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.237] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0262.237] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbcc3f61, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0262.237] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0262.237] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0262.237] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.237] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0262.238] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.239] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.241] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.241] WriteFile (in: hFile=0x42c, lpBuffer=0x128af900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128af900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.242] CloseHandle (hObject=0x42c) returned 1 [0262.242] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.246] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.247] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0262.247] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.247] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.247] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0262.247] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.247] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.248] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.249] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.249] WriteFile (in: hFile=0x42c, lpBuffer=0x128b0c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x128b0c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.250] CloseHandle (hObject=0x42c) returned 1 [0262.251] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbcc3f61, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.251] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.251] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbcc3f61, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.251] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbcc3f61, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.251] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.251] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.251] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.252] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.252] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.253] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.253] WriteFile (in: hFile=0x42c, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.254] CloseHandle (hObject=0x42c) returned 1 [0262.254] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.255] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.255] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0262.255] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.255] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.255] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0262.256] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.257] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.257] WriteFile (in: hFile=0x42c, lpBuffer=0x12859300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12859300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.258] CloseHandle (hObject=0x42c) returned 1 [0262.258] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.258] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.258] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.259] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.259] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.259] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.259] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.259] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.259] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.260] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.260] WriteFile (in: hFile=0x42c, lpBuffer=0x1285a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1285a600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.262] CloseHandle (hObject=0x42c) returned 1 [0262.262] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.264] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.264] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0262.264] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.264] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.264] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0262.264] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.264] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.264] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.265] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.265] WriteFile (in: hFile=0x42c, lpBuffer=0x1285b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.266] CloseHandle (hObject=0x42c) returned 1 [0262.267] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.267] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.267] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0262.267] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.267] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.267] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0262.267] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.267] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.267] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.268] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.268] WriteFile (in: hFile=0x42c, lpBuffer=0x1285cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.270] CloseHandle (hObject=0x42c) returned 1 [0262.270] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.270] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.270] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0262.270] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.270] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.270] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0262.271] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.276] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.276] WriteFile (in: hFile=0x42c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.278] CloseHandle (hObject=0x42c) returned 1 [0262.278] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.278] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.279] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.279] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.279] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.279] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.279] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.280] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.280] WriteFile (in: hFile=0x42c, lpBuffer=0x12c0f300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c0f300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.282] CloseHandle (hObject=0x42c) returned 1 [0262.282] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.282] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.282] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0262.287] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.287] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0262.287] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbe8daed, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0262.287] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdbd82a85, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0262.287] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdbd82a85, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0262.287] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.287] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0262.288] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.289] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.289] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.291] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.291] WriteFile (in: hFile=0x42c, lpBuffer=0x12c10600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c10600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.292] CloseHandle (hObject=0x42c) returned 1 [0262.292] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.293] SetEvent (hEvent=0x420) returned 1 [0262.293] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbe8daed, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.293] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdbd82a85, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.293] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdbd82a85, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.293] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.293] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.294] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.294] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.294] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.294] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.294] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.294] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.294] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.295] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.296] WriteFile (in: hFile=0x42c, lpBuffer=0x12c11900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c11900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.297] CloseHandle (hObject=0x42c) returned 1 [0262.297] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.298] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.298] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.298] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.298] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.298] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.299] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.299] WriteFile (in: hFile=0x42c, lpBuffer=0x12c12c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c12c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.300] CloseHandle (hObject=0x42c) returned 1 [0262.301] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.305] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.305] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.315] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89c56a54, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.326] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.326] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.327] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0262.328] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.328] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.328] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.328] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.328] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.328] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.328] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x557f750e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x557f750e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.328] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0262.328] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.328] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.328] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.329] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.329] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.329] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.329] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9bfe3d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0262.329] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.329] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7f62ab, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.329] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7f62ab, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.329] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.329] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.329] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.329] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x1205e7f4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1205e7f4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.330] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a9bfe3d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9bfe3d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0262.330] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.330] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9b1cc602, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.330] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.330] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.330] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.330] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.330] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607a6a92, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607a6a92, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0262.330] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.330] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607a6a92, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607a6a92, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0262.330] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607a6a92, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607a6a92, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.330] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x60629330, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6e10e7a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e10e7a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.331] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xcb208e81, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xcb208e81, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.331] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605908ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605908ab, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605908ab, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.331] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7196220b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98b617a5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.331] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x607a6a92, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607a6a92, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607a6a92, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.52_")) returned 1 [0262.331] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.331] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605908ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6d738e58, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.331] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605b6c25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.331] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.331] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.331] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0262.331] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9420a0c8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.334] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.334] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9420a0c8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9420a0c8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0262.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.345] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.345] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.345] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.346] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1c2a8e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.346] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.346] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.351] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.351] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.351] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.351] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.351] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x215572b2, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x215572b2, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.351] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b1c2a8e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1c2a8e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.352] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.352] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67b05aac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.352] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.352] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1cd84bfb, ftLastAccessTime.dwHighDateTime=0x1d7b05a, ftLastWriteTime.dwLowDateTime=0x1cd84bfb, ftLastWriteTime.dwHighDateTime=0x1d7b05a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.352] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.352] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.353] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97d7ec6c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9866f95d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.354] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.354] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97d7ec6c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0262.357] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97d7ec6c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.357] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.357] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.357] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.357] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97dcaeaa, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97dcaeaa, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97dcaeaa, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.357] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9866f95d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9866f95d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0262.357] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.357] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.358] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.358] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.358] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.358] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0262.359] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e3e36ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e3e36ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0262.359] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.359] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e3e36ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e3e36ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e3e36ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e3e36ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6cb00b48, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6cb00b48, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e3e36ea, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e3e36ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e3e36ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x7060301e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8505eedb, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.360] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.360] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.360] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.361] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.361] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeca077cc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec83db29, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec83db29, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec83db29, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8b023b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec732afa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec732afa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.364] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.364] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0262.365] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563adc86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.367] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.368] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563adc86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0262.375] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563adc86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.375] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.376] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x564b8c51, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x564b8c51, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.376] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.376] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.376] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56afae31, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.376] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.376] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.376] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.376] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.376] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.376] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0262.377] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b364b39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.377] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.377] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1b0b5e90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aff73be, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aff73be, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b364b39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b364b39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.381] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.381] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0262.382] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99e6d249, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.391] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.391] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0262.395] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.395] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9993618c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9993618c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.395] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.395] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.395] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.396] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99e6d249, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99e6d249, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0262.396] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.396] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.396] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.396] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.396] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.396] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0262.397] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x169557db, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.397] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.397] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x13db988c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d6d4aa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13d6d4aa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169557db, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x169557db, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cd4a2e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.401] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.401] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.402] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10ea74b0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.404] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.404] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x107a63d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10733eb1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10733eb1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1064efd6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1064efd6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10ea74b0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10ea74b0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.406] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.406] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0262.408] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc70cdea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.409] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.409] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0262.411] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.412] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc0a47a2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc2e0dfa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.412] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0583b1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0583b1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.412] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.412] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf73564, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf73564, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.412] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc70cdea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc70cdea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.412] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.412] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.412] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.413] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.413] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.413] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0262.414] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9783e1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.414] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.414] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0262.554] SetEvent (hEvent=0x110) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9416799, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9783e1e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9783e1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.554] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.554] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0262.555] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0262.556] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.556] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0262.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0262.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0262.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0262.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0262.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0262.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0262.556] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0262.557] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0262.557] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0262.557] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.557] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0262.557] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.557] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.557] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.558] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0262.559] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0262.560] CloseHandle (hObject=0x3e4) returned 1 [0262.560] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.563] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.563] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.721] SetEvent (hEvent=0x110) returned 1 [0262.721] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.721] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0262.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0262.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0262.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0262.722] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.722] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.723] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.724] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.725] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.727] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.727] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.728] CloseHandle (hObject=0x3e4) returned 1 [0262.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.730] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.730] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0262.731] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.731] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.731] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0262.731] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.731] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.731] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.735] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.735] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.737] CloseHandle (hObject=0x3e4) returned 1 [0262.737] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.739] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.739] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0262.739] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.739] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.739] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0262.739] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.740] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.740] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.935] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.935] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.936] CloseHandle (hObject=0x3e4) returned 1 [0262.937] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.937] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.937] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0262.937] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.938] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.938] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0262.938] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.938] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.938] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.939] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.939] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.941] CloseHandle (hObject=0x3e4) returned 1 [0262.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.941] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.942] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.942] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.942] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.942] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.942] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.942] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.943] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0262.943] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0262.945] CloseHandle (hObject=0x3e4) returned 1 [0262.945] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.945] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.945] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0262.945] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.945] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.945] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0262.946] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.946] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.946] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.947] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.947] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.948] CloseHandle (hObject=0x3e4) returned 1 [0262.948] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.984] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.985] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0262.985] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.985] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.985] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0262.985] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.985] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.985] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.986] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.987] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.988] CloseHandle (hObject=0x3e4) returned 1 [0262.988] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.989] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.989] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0262.989] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.989] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.989] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0262.989] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.989] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.989] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.993] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.993] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c45300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c45300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0262.995] CloseHandle (hObject=0x3e4) returned 1 [0262.995] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.996] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0262.996] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0262.996] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.996] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0262.996] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.996] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0262.996] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0262.996] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0262.996] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.998] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0262.998] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c46600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c46600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.002] CloseHandle (hObject=0x3e4) returned 1 [0263.002] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.002] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0263.008] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.008] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1ce836c9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x673c6ff, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0263.008] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x66315ca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0263.008] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x66315ca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0263.008] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.008] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0263.009] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.010] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.010] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0263.011] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.011] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c47900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c47900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.013] CloseHandle (hObject=0x3e4) returned 1 [0263.013] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1ce836c9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x673c6ff, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0263.013] SetEvent (hEvent=0x3f4) returned 1 [0263.013] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x66315ca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xd000)) returned 1 [0263.013] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x66315ca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.014] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.014] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0263.014] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.014] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.014] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0263.014] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.015] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.015] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0263.017] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.017] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c48c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c48c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.037] CloseHandle (hObject=0x3e4) returned 1 [0263.037] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe640666, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.037] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.038] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.076] SetEvent (hEvent=0x110) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1cef5ca8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1cef5ca8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe61a652, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe61a652, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.077] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.078] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.079] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.079] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0263.080] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.080] WriteFile (in: hFile=0x3e4, lpBuffer=0x12afe000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12afe000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.082] CloseHandle (hObject=0x3e4) returned 1 [0263.082] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.083] SetEvent (hEvent=0x19c) returned 1 [0263.083] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1cef5ca8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1cef5ca8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.083] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe61a652, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.105] SetEvent (hEvent=0x3f8) returned 1 [0263.105] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe61a652, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.120] SetEvent (hEvent=0x3f8) returned 1 [0263.120] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.120] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.121] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.121] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.121] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.123] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.123] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.124] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.125] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.125] WriteFile (in: hFile=0x42c, lpBuffer=0x12aff300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12aff300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.127] CloseHandle (hObject=0x42c) returned 1 [0263.127] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.127] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.127] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.127] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.128] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.128] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.128] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.129] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.129] WriteFile (in: hFile=0x42c, lpBuffer=0x12b00600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b00600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.132] CloseHandle (hObject=0x42c) returned 1 [0263.132] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.157] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.157] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be0462f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be0462f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.166] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.168] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.171] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0263.171] WriteFile (in: hFile=0x42c, lpBuffer=0x12c7c000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12c7c000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0263.172] CloseHandle (hObject=0x42c) returned 1 [0263.172] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be76e20, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be76e20, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.180] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.181] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be76e20, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be76e20, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0263.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0263.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0263.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0263.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.184] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.185] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.187] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.187] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.193] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.193] WriteFile (in: hFile=0x42c, lpBuffer=0x12c7d300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c7d300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.195] CloseHandle (hObject=0x42c) returned 1 [0263.195] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.199] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.200] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0263.200] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.200] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.200] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0263.200] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.200] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.200] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.202] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.202] WriteFile (in: hFile=0x458, lpBuffer=0x12c7e600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c7e600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.203] CloseHandle (hObject=0x458) returned 1 [0263.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.204] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.204] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0263.204] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.204] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.205] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0263.205] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.205] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.205] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.206] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.206] WriteFile (in: hFile=0x458, lpBuffer=0x12c7f900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c7f900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.208] CloseHandle (hObject=0x458) returned 1 [0263.208] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.208] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.208] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0263.209] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.209] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.209] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0263.209] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.209] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.209] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.211] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.211] WriteFile (in: hFile=0x458, lpBuffer=0x12c80c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c80c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.212] CloseHandle (hObject=0x458) returned 1 [0263.213] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.213] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.213] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0263.213] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.213] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.213] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0263.213] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.214] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.214] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.215] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.215] WriteFile (in: hFile=0x458, lpBuffer=0x12b14000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12b14000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.218] CloseHandle (hObject=0x458) returned 1 [0263.218] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.220] SetEvent (hEvent=0x110) returned 1 [0263.220] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.220] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.221] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.221] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.221] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.221] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.221] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.223] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.223] WriteFile (in: hFile=0x458, lpBuffer=0x12b15300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b15300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.224] CloseHandle (hObject=0x458) returned 1 [0263.224] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be0462f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be0462f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.225] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.226] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be0462f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be0462f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.226] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be0462f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be0462f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.226] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.226] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.226] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.226] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.226] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.228] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.228] WriteFile (in: hFile=0x458, lpBuffer=0x12b16600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b16600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.229] CloseHandle (hObject=0x458) returned 1 [0263.229] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.230] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.230] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0263.230] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.230] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.230] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0263.230] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.230] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.231] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.232] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.232] WriteFile (in: hFile=0x458, lpBuffer=0x12b17900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b17900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.233] CloseHandle (hObject=0x458) returned 1 [0263.233] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.234] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.234] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0263.234] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.234] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0263.234] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.234] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0263.234] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.234] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.235] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.382] SetEvent (hEvent=0x110) returned 1 [0263.382] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.382] WriteFile (in: hFile=0x458, lpBuffer=0x12b18c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b18c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.383] CloseHandle (hObject=0x458) returned 1 [0263.384] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.384] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.384] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0263.390] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.390] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c551adc, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c551adc, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0263.390] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9c31594e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0263.390] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9c31594e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0263.390] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.390] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0263.391] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.392] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.392] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.394] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.394] WriteFile (in: hFile=0x458, lpBuffer=0x12c10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c10000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.395] CloseHandle (hObject=0x458) returned 1 [0263.395] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c551adc, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c551adc, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0263.395] SetEvent (hEvent=0x19c) returned 1 [0263.396] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9c31594e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0263.396] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9c31594e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.400] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0263.415] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0263.580] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0263.832] SetEvent (hEvent=0x3f4) returned 1 [0263.832] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0263.833] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0263.833] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d77f879, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0263.833] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0263.833] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0263.834] ReadFile (in: hFile=0x3e4, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12851d1c*=0x4000, lpOverlapped=0x0) returned 1 [0263.895] SetEvent (hEvent=0x110) returned 1 [0263.895] GetFileType (hFile=0x3e4) returned 0x1 [0263.895] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.895] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x12851d00*=0x4000, lpOverlapped=0x12851d0c) returned 1 [0263.896] GetFileType (hFile=0x3e4) returned 0x1 [0263.896] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0263.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0263.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0263.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0263.896] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.897] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0263.897] WriteFile (in: hFile=0x42c, lpBuffer=0x12a3e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a3e500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0263.897] CloseHandle (hObject=0x42c) returned 1 [0263.897] CloseHandle (hObject=0x3e4) returned 1 [0263.897] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0263.898] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[F2F738E4C7D16AEA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[f2f738e4c7d16aea]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.899] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0263.933] SetEvent (hEvent=0x3f4) returned 1 [0263.933] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0263.934] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0263.934] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x941c4e32, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x941c4e32, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.934] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928480 | out: pbBuffer=0x12928480) returned 1 [0263.934] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34268 | out: pbBuffer=0x12c34268) returned 1 [0263.934] ReadFile (in: hFile=0x3e4, lpBuffer=0x12d26000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d26000*, lpNumberOfBytesRead=0x12853d1c*=0x2000, lpOverlapped=0x0) returned 1 [0264.000] GetFileType (hFile=0x3e4) returned 0x1 [0264.000] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0264.000] WriteFile (in: hFile=0x3e4, lpBuffer=0x128b2000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x128b2000*, lpNumberOfBytesWritten=0x12853d00*=0x2000, lpOverlapped=0x12853d0c) returned 1 [0264.083] GetFileType (hFile=0x3e4) returned 0x1 [0264.083] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0264.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0264.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0264.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0264.084] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848450 | out: pbBuffer=0x12848450) returned 1 [0264.084] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0264.085] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0264.085] WriteFile (in: hFile=0x44c, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0264.091] CloseHandle (hObject=0x44c) returned 1 [0264.091] CloseHandle (hObject=0x3e4) returned 1 [0264.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848478 | out: pbBuffer=0x12848478) returned 1 [0264.101] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[29F0521CA7B1C09A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[29f0521ca7b1c09a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0264.253] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0264.844] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0264.845] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0264.845] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x71f663, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0264.845] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0264.845] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0264.846] ReadFile (in: hFile=0x44c, lpBuffer=0x12cac000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cac000*, lpNumberOfBytesRead=0x12855d1c*=0x10000, lpOverlapped=0x0) returned 1 [0264.990] GetFileType (hFile=0x44c) returned 0x1 [0264.990] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0264.990] WriteFile (in: hFile=0x44c, lpBuffer=0x12d86000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12d86000*, lpNumberOfBytesWritten=0x12855d00*=0x10000, lpOverlapped=0x12855d0c) returned 1 [0264.991] GetFileType (hFile=0x44c) returned 0x1 [0264.991] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0264.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0264.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0264.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0264.991] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0264.992] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0264.992] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0264.992] WriteFile (in: hFile=0x42c, lpBuffer=0x12d24000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0264.993] CloseHandle (hObject=0x42c) returned 1 [0264.993] CloseHandle (hObject=0x44c) returned 1 [0264.993] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0264.993] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[FBD92A9B33F6C5CA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[fbd92a9b33f6c5ca]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0264.995] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0265.034] SetEvent (hEvent=0x3f8) returned 1 [0265.126] SetEvent (hEvent=0x104) returned 1 [0265.184] SetEvent (hEvent=0x104) returned 1 [0265.209] SetEvent (hEvent=0x104) returned 1 [0265.209] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0265.210] SetEvent (hEvent=0x104) returned 1 [0265.210] SetEvent (hEvent=0x3f4) returned 1 [0265.919] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1da, buf=0x1286c5a0*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x1da, lpOverlapped=0x128e6088) returned 0 [0265.948] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0266.041] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6facc, ulCount=0x10, ulNumEntriesRemoved=0x33d6fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6facc, ulNumEntriesRemoved=0x33d6fab0) returned 0 [0266.041] SetEvent (hEvent=0x3f8) returned 1 [0266.041] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0266.042] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0266.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcdd415e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfcdd415e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0266.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0266.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0266.052] ReadFile (in: hFile=0x450, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12851d1c*=0x10000, lpOverlapped=0x0) returned 1 [0266.156] GetFileType (hFile=0x450) returned 0x1 [0266.156] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0266.156] WriteFile (in: hFile=0x450, lpBuffer=0x12a62000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a62000*, lpNumberOfBytesWritten=0x12851d00*=0x10000, lpOverlapped=0x12851d0c) returned 1 [0266.156] GetFileType (hFile=0x450) returned 0x1 [0266.156] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0266.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0266.169] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0266.169] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0266.244] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0266.244] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0266.244] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0266.244] WriteFile (in: hFile=0x42c, lpBuffer=0x12c20000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0266.245] CloseHandle (hObject=0x42c) returned 1 [0266.245] CloseHandle (hObject=0x450) returned 1 [0266.245] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0266.245] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[452AC2AF1D538E13]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[452ac2af1d538e13]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0266.424] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.136] SetEvent (hEvent=0x1b8) returned 1 [0267.136] SwitchToThread () returned 1 [0267.180] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A32eqEYT3zUx.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a32eqeyt3zux.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40509250, ftCreationTime.dwHighDateTime=0x1d82934, ftLastAccessTime.dwLowDateTime=0xd5da5040, ftLastAccessTime.dwHighDateTime=0x1d82970, ftLastWriteTime.dwLowDateTime=0xd5da5040, ftLastWriteTime.dwHighDateTime=0x1d82970, nFileSizeHigh=0x0, nFileSizeLow=0x1b07)) returned 1 [0267.180] SwitchToThread () returned 1 [0267.183] SetEvent (hEvent=0x3f8) returned 1 [0267.183] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.188] SetEvent (hEvent=0x3f8) returned 1 [0267.188] SetEvent (hEvent=0x1b8) returned 1 [0267.188] ReadFile (in: hFile=0x42c, lpBuffer=0x12d3e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128d4d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d3e000*, lpNumberOfBytesRead=0x128d4d1c*=0x8d97, lpOverlapped=0x0) returned 1 [0267.189] GetFileType (hFile=0x42c) returned 0x1 [0267.189] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x128d4ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.190] WriteFile (in: hFile=0x42c, lpBuffer=0x12d8c000*, nNumberOfBytesToWrite=0x8d97, lpNumberOfBytesWritten=0x128d4d00, lpOverlapped=0x128d4d0c | out: lpBuffer=0x12d8c000*, lpNumberOfBytesWritten=0x128d4d00*=0x8d97, lpOverlapped=0x128d4d0c) returned 1 [0267.190] GetFileType (hFile=0x42c) returned 0x1 [0267.190] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x8d97, lpNewFilePointer=0x0, dwMoveMethod=0x128d4ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835181 | out: pbBuffer=0x12835181) returned 1 [0267.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835281 | out: pbBuffer=0x12835281) returned 1 [0267.191] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835381 | out: pbBuffer=0x12835381) returned 1 [0267.191] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128111d0 | out: pbBuffer=0x128111d0) returned 1 [0267.191] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7J6Oqdxf.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7j6oqdxf.xls"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.191] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.191] WriteFile (in: hFile=0x450, lpBuffer=0x12db0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12db0a00*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.209] CloseHandle (hObject=0x450) returned 1 [0267.209] CloseHandle (hObject=0x42c) returned 1 [0267.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128111e8 | out: pbBuffer=0x128111e8) returned 1 [0267.210] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7J6Oqdxf.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7j6oqdxf.xls"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[2CD3C5383C13C447]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[2cd3c5383c13c447]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A32eqEYT3zUx.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a32eqeyt3zux.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.212] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.212] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A32eqEYT3zUx.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a32eqeyt3zux.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40509250, ftCreationTime.dwHighDateTime=0x1d82934, ftLastAccessTime.dwLowDateTime=0xd5da5040, ftLastAccessTime.dwHighDateTime=0x1d82970, ftLastWriteTime.dwLowDateTime=0xd5da5040, ftLastWriteTime.dwHighDateTime=0x1d82970, nFileSizeHigh=0x0, nFileSizeLow=0x1b07)) returned 1 [0267.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929960 | out: pbBuffer=0x12929960) returned 1 [0267.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811230 | out: pbBuffer=0x12811230) returned 1 [0267.213] ReadFile (in: hFile=0x42c, lpBuffer=0x1293a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a49d1c, lpOverlapped=0x0 | out: lpBuffer=0x1293a000*, lpNumberOfBytesRead=0x12a49d1c*=0x1b07, lpOverlapped=0x0) returned 1 [0267.214] GetFileType (hFile=0x42c) returned 0x1 [0267.214] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.214] WriteFile (in: hFile=0x42c, lpBuffer=0x1297a000*, nNumberOfBytesToWrite=0x1b07, lpNumberOfBytesWritten=0x12a49d00, lpOverlapped=0x12a49d0c | out: lpBuffer=0x1297a000*, lpNumberOfBytesWritten=0x12a49d00*=0x1b07, lpOverlapped=0x12a49d0c) returned 1 [0267.214] GetFileType (hFile=0x42c) returned 0x1 [0267.214] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1b07, lpNewFilePointer=0x0, dwMoveMethod=0x12a49ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.214] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835681 | out: pbBuffer=0x12835681) returned 1 [0267.214] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835781 | out: pbBuffer=0x12835781) returned 1 [0267.214] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835881 | out: pbBuffer=0x12835881) returned 1 [0267.215] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128112e8 | out: pbBuffer=0x128112e8) returned 1 [0267.215] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A32eqEYT3zUx.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a32eqeyt3zux.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.215] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.215] WriteFile (in: hFile=0x450, lpBuffer=0x12db0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12db0f00*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.215] CloseHandle (hObject=0x450) returned 1 [0267.215] CloseHandle (hObject=0x42c) returned 1 [0267.215] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811300 | out: pbBuffer=0x12811300) returned 1 [0267.215] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A32eqEYT3zUx.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a32eqeyt3zux.mp4"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[A136BA13FD554F45]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[a136ba13fd554f45]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.217] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4T9378rzN.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4t9378rzn.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4405b970, ftCreationTime.dwHighDateTime=0x1d81caf, ftLastAccessTime.dwLowDateTime=0x19a200, ftLastAccessTime.dwHighDateTime=0x1d81f0f, ftLastWriteTime.dwLowDateTime=0x19a200, ftLastWriteTime.dwHighDateTime=0x1d81f0f, nFileSizeHigh=0x0, nFileSizeLow=0x18905)) returned 1 [0267.217] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4vIO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4vio.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a1ac380, ftCreationTime.dwHighDateTime=0x1d827ec, ftLastAccessTime.dwLowDateTime=0x238a4c70, ftLastAccessTime.dwHighDateTime=0x1d828d9, ftLastWriteTime.dwLowDateTime=0x238a4c70, ftLastWriteTime.dwHighDateTime=0x1d828d9, nFileSizeHigh=0x0, nFileSizeLow=0x1b8e)) returned 1 [0267.217] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4T9378rzN.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4t9378rzn.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.218] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0267.218] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\A4T9378rzN.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a4t9378rzn.gif"), fInfoLevelId=0x0, lpFileInformation=0x12a49ad0 | out: lpFileInformation=0x12a49ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4405b970, ftCreationTime.dwHighDateTime=0x1d81caf, ftLastAccessTime.dwLowDateTime=0x19a200, ftLastAccessTime.dwHighDateTime=0x1d81f0f, ftLastWriteTime.dwLowDateTime=0x19a200, ftLastWriteTime.dwHighDateTime=0x1d81f0f, nFileSizeHigh=0x0, nFileSizeLow=0x18905)) returned 1 [0267.218] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929b60 | out: pbBuffer=0x12929b60) returned 1 [0267.218] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811dd0 | out: pbBuffer=0x12811dd0) returned 1 [0267.218] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\3JeOyHF.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\3jeoyhf.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.219] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.219] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.250] SetEvent (hEvent=0x104) returned 1 [0267.250] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DMPSVLqM3.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\dmpsvlqm3.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x308cb7e0, ftCreationTime.dwHighDateTime=0x1d82713, ftLastAccessTime.dwLowDateTime=0x7da17940, ftLastAccessTime.dwHighDateTime=0x1d82a0f, ftLastWriteTime.dwLowDateTime=0x7da17940, ftLastWriteTime.dwHighDateTime=0x1d82a0f, nFileSizeHigh=0x0, nFileSizeLow=0x14d3c)) returned 1 [0267.358] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.389] SetEvent (hEvent=0x19c) returned 1 [0267.389] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EPMgLenoE.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\epmglenoe.mp4"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbddd8a60, ftCreationTime.dwHighDateTime=0x1d82796, ftLastAccessTime.dwLowDateTime=0xf1b38d70, ftLastAccessTime.dwHighDateTime=0x1d8285f, ftLastWriteTime.dwLowDateTime=0xf1b38d70, ftLastWriteTime.dwHighDateTime=0x1d8285f, nFileSizeHigh=0x0, nFileSizeLow=0x1273f)) returned 1 [0267.393] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.424] SetEvent (hEvent=0x3f8) returned 1 [0267.424] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.432] SetEvent (hEvent=0x104) returned 1 [0267.433] SwitchToThread () returned 1 [0267.434] SetEvent (hEvent=0x19c) returned 1 [0267.434] SetEvent (hEvent=0x104) returned 1 [0267.434] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HtBW3C.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\htbw3c.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa0b0060, ftCreationTime.dwHighDateTime=0x1d820a4, ftLastAccessTime.dwLowDateTime=0x9ea60670, ftLastAccessTime.dwHighDateTime=0x1d820e5, ftLastWriteTime.dwLowDateTime=0x9ea60670, ftLastWriteTime.dwHighDateTime=0x1d820e5, nFileSizeHigh=0x0, nFileSizeLow=0xa33c)) returned 1 [0267.438] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\INIfYxN6if.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\inifyxn6if.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ada6c0, ftCreationTime.dwHighDateTime=0x1d81aa0, ftLastAccessTime.dwLowDateTime=0x8cd36f60, ftLastAccessTime.dwHighDateTime=0x1d81fb8, ftLastWriteTime.dwLowDateTime=0x8cd36f60, ftLastWriteTime.dwHighDateTime=0x1d81fb8, nFileSizeHigh=0x0, nFileSizeLow=0xc02b)) returned 1 [0267.447] SetEvent (hEvent=0x19c) returned 1 [0267.447] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JURtp.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jurtp.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x206b75f0, ftCreationTime.dwHighDateTime=0x1d820e6, ftLastAccessTime.dwLowDateTime=0xc0cbf9d0, ftLastAccessTime.dwHighDateTime=0x1d8292d, ftLastWriteTime.dwLowDateTime=0xc0cbf9d0, ftLastWriteTime.dwHighDateTime=0x1d8292d, nFileSizeHigh=0x0, nFileSizeLow=0xd5e3)) returned 1 [0267.456] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.467] SetEvent (hEvent=0xfc) returned 1 [0267.467] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\JrFhAxKHX5fo_8-.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\jrfhaxkhx5fo_8-.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3315510, ftCreationTime.dwHighDateTime=0x1d82767, ftLastAccessTime.dwLowDateTime=0x1a8b10c0, ftLastAccessTime.dwHighDateTime=0x1d82891, ftLastWriteTime.dwLowDateTime=0x1a8b10c0, ftLastWriteTime.dwHighDateTime=0x1d82891, nFileSizeHigh=0x0, nFileSizeLow=0xcae9)) returned 1 [0267.478] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.509] SetEvent (hEvent=0xfc) returned 1 [0267.509] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KBTERo45xW pin4LQ.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\kbtero45xw pin4lq.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c19cfa0, ftCreationTime.dwHighDateTime=0x1d8291d, ftLastAccessTime.dwLowDateTime=0x22986f90, ftLastAccessTime.dwHighDateTime=0x1d8291f, ftLastWriteTime.dwLowDateTime=0x22986f90, ftLastWriteTime.dwHighDateTime=0x1d8291f, nFileSizeHigh=0x0, nFileSizeLow=0x36bd)) returned 1 [0267.518] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.556] SetEvent (hEvent=0xfc) returned 1 [0267.556] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KnoA7FD.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\knoa7fd.tmp"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdd1af23, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfdd1af23, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfdd1af23, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0267.574] SetEvent (hEvent=0x1b8) returned 1 [0267.574] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\low"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf58e146b, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf58e146b, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf58e146b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0267.582] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\low"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0267.582] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf58e146b, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf58e146b, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf58e146b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0267.582] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf58e146b, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf58e146b, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf58e146b, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0267.583] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0267.583] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0267.583] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\low\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0267.583] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\low\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0267.583] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\low\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.587] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0267.587] WriteFile (in: hFile=0x458, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0267.589] CloseHandle (hObject=0x458) returned 1 [0267.589] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MQ9ouEKAZi19qY.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\mq9ouekazi19qy.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2fc5f00, ftCreationTime.dwHighDateTime=0x1d81dc8, ftLastAccessTime.dwLowDateTime=0x5e848820, ftLastAccessTime.dwHighDateTime=0x1d828c2, ftLastWriteTime.dwLowDateTime=0x5e848820, ftLastWriteTime.dwHighDateTime=0x1d828c2, nFileSizeHigh=0x0, nFileSizeLow=0x15ea2)) returned 1 [0267.591] SetEvent (hEvent=0xfc) returned 1 [0267.591] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MUUIz3me61vcXxlVyHi.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\muuiz3me61vcxxlvyhi.pps"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa24d0, ftCreationTime.dwHighDateTime=0x1d820a3, ftLastAccessTime.dwLowDateTime=0xd18d4810, ftLastAccessTime.dwHighDateTime=0x1d8217f, ftLastWriteTime.dwLowDateTime=0xd18d4810, ftLastWriteTime.dwHighDateTime=0x1d8217f, nFileSizeHigh=0x0, nFileSizeLow=0xa6eb)) returned 1 [0267.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Qod0j-KX2DK56BunTz.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\qod0j-kx2dk56buntz.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70afb3b0, ftCreationTime.dwHighDateTime=0x1d82603, ftLastAccessTime.dwLowDateTime=0x98a7ef80, ftLastAccessTime.dwHighDateTime=0x1d82771, ftLastWriteTime.dwLowDateTime=0x98a7ef80, ftLastWriteTime.dwHighDateTime=0x1d82771, nFileSizeHigh=0x0, nFileSizeLow=0xcea)) returned 1 [0267.619] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.625] SetEvent (hEvent=0x3f8) returned 1 [0267.625] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.640] SetEvent (hEvent=0x3f8) returned 1 [0267.640] SetEvent (hEvent=0x19c) returned 1 [0267.640] SetEvent (hEvent=0xfc) returned 1 [0267.640] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.646] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.690] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\ckyL13X157_Yjd.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ckyl13x157_yjd.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf47598e0, ftCreationTime.dwHighDateTime=0x1d82789, ftLastAccessTime.dwLowDateTime=0xdcc9d390, ftLastAccessTime.dwHighDateTime=0x1d828ac, ftLastWriteTime.dwLowDateTime=0xdcc9d390, ftLastWriteTime.dwHighDateTime=0x1d828ac, nFileSizeHigh=0x0, nFileSizeLow=0x16cca)) returned 1 [0267.727] SetEvent (hEvent=0x104) returned 1 [0267.727] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf239e84c, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf239fb66, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf239fb66, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0267.740] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0267.740] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf239e84c, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf239fb66, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf239fb66, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0267.741] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf239e84c, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf239fb66, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf239fb66, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0267.741] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf239fb66, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf239fb66, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf239fb66, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.8", cAlternateFileName="")) returned 1 [0267.741] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0267.741] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0267.741] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0267.741] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0267.741] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.749] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0267.749] WriteFile (in: hFile=0x450, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0267.751] CloseHandle (hObject=0x450) returned 1 [0267.751] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf239fb66, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf23fc808, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf23fc808, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0267.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0267.751] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf239fb66, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf23fc808, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf23fc808, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0267.751] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf239fb66, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf23fc808, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf23fc808, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0267.751] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf23fc808, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf23fc808, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf23fdb96, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x0, dwReserved1=0x0, cFileName="dicts.dat", cAlternateFileName="")) returned 1 [0267.751] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf239fb66, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf239fb66, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf23a2322, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="__init__.py", cAlternateFileName="")) returned 1 [0267.752] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0267.752] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0267.752] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0267.752] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0267.752] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.761] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0267.761] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0267.762] CloseHandle (hObject=0x42c) returned 1 [0267.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\__init__.py" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\__init__.py"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf239fb66, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf239fb66, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf23a2322, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0xb0)) returned 1 [0267.762] SetEvent (hEvent=0xfc) returned 1 [0267.763] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\dicts.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\dicts.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf23fc808, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf23fc808, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf23fdb96, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0xa)) returned 1 [0267.763] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\__init__.py" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\__init__.py"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.765] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.765] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\__init__.py" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\__init__.py"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf239fb66, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf239fb66, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf23a2322, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0xb0)) returned 1 [0267.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a989c0 | out: pbBuffer=0x12a989c0) returned 1 [0267.765] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8e00 | out: pbBuffer=0x128e8e00) returned 1 [0267.765] ReadFile (in: hFile=0x42c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x1282bd1c*=0xb0, lpOverlapped=0x0) returned 1 [0267.766] GetFileType (hFile=0x42c) returned 0x1 [0267.766] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.766] WriteFile (in: hFile=0x42c, lpBuffer=0x12aee160*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12aee160*, lpNumberOfBytesWritten=0x1282bd00*=0xb0, lpOverlapped=0x1282bd0c) returned 1 [0267.767] GetFileType (hFile=0x42c) returned 0x1 [0267.767] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xb0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0267.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0267.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0267.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0267.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8eb8 | out: pbBuffer=0x128e8eb8) returned 1 [0267.767] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0267.771] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.771] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0267.771] SetEvent (hEvent=0x110) returned 1 [0267.771] SetEvent (hEvent=0xfc) returned 1 [0267.771] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\__init__.py" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\__init__.py"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0267.772] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0267.772] WriteFile (in: hFile=0x450, lpBuffer=0x129ee000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x129ee000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0267.774] CloseHandle (hObject=0x450) returned 1 [0267.774] CloseHandle (hObject=0x42c) returned 1 [0267.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8ed0 | out: pbBuffer=0x128e8ed0) returned 1 [0267.775] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\__init__.py" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\__init__.py"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\gen_py\\3.8\\#_THIS_FILE_IS_ENCRYPTED_[42D96600BF302A8E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gen_py\\3.8\\#_this_file_is_encrypted_[42d96600bf302a8e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.845] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0267.871] SetEvent (hEvent=0x3f8) returned 1 [0267.871] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mE 0BznU4CsLZ8.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\me 0bznu4cslz8.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.872] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.872] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mE 0BznU4CsLZ8.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\me 0bznu4cslz8.ppt"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4245690, ftCreationTime.dwHighDateTime=0x1d82898, ftLastAccessTime.dwLowDateTime=0xf7b71700, ftLastAccessTime.dwHighDateTime=0x1d829f4, ftLastWriteTime.dwLowDateTime=0xf7b71700, ftLastWriteTime.dwHighDateTime=0x1d829f4, nFileSizeHigh=0x0, nFileSizeLow=0xa94f)) returned 1 [0267.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128453e0 | out: pbBuffer=0x128453e0) returned 1 [0267.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a510 | out: pbBuffer=0x12a9a510) returned 1 [0267.873] ReadFile (in: hFile=0x44c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12851d1c*=0xa94f, lpOverlapped=0x0) returned 1 [0267.875] GetFileType (hFile=0x44c) returned 0x1 [0267.875] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.875] WriteFile (in: hFile=0x44c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0xa94f, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12851d00*=0xa94f, lpOverlapped=0x12851d0c) returned 1 [0267.876] GetFileType (hFile=0x44c) returned 0x1 [0267.876] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xa94f, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.876] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0267.876] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0267.876] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0267.876] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a5c8 | out: pbBuffer=0x12a9a5c8) returned 1 [0267.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mE 0BznU4CsLZ8.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\me 0bznu4cslz8.ppt"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0267.877] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0267.877] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.877] CloseHandle (hObject=0x42c) returned 1 [0267.878] CloseHandle (hObject=0x44c) returned 1 [0267.894] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a5e0 | out: pbBuffer=0x12a9a5e0) returned 1 [0267.894] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mE 0BznU4CsLZ8.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\me 0bznu4cslz8.ppt"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[CAEA4F0C0670B0BA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[caea4f0c0670b0ba]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0268.815] SetEvent (hEvent=0x104) returned 1 [0268.815] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\txpRRLn2D.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\txprrln2d.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0268.816] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0268.816] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\txpRRLn2D.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\txprrln2d.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c775940, ftCreationTime.dwHighDateTime=0x1d82a04, ftLastAccessTime.dwLowDateTime=0x2bcb35c0, ftLastAccessTime.dwHighDateTime=0x1d82a14, ftLastWriteTime.dwLowDateTime=0x2bcb35c0, ftLastWriteTime.dwHighDateTime=0x1d82a14, nFileSizeHigh=0x0, nFileSizeLow=0x10007)) returned 1 [0268.816] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845840 | out: pbBuffer=0x12845840) returned 1 [0268.817] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9acc0 | out: pbBuffer=0x12a9acc0) returned 1 [0268.817] ReadFile (in: hFile=0x42c, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12851d1c*=0x10007, lpOverlapped=0x0) returned 1 [0268.820] GetFileType (hFile=0x42c) returned 0x1 [0268.820] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0268.820] WriteFile (in: hFile=0x42c, lpBuffer=0x129b6000*, nNumberOfBytesToWrite=0x10007, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x129b6000*, lpNumberOfBytesWritten=0x12851d00*=0x10007, lpOverlapped=0x12851d0c) returned 1 [0268.821] GetFileType (hFile=0x42c) returned 0x1 [0268.821] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x10007, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.293] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd181 | out: pbBuffer=0x12afd181) returned 1 [0269.422] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd281 | out: pbBuffer=0x12afd281) returned 1 [0269.422] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd381 | out: pbBuffer=0x12afd381) returned 1 [0269.636] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0269.776] SwitchToThread () returned 1 [0269.777] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0269.788] SetEvent (hEvent=0x1b8) returned 1 [0269.788] SetEvent (hEvent=0xf4) returned 1 [0269.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wOMfc5SjGAE a.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\womfc5sjgae a.pps"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79d99f20, ftCreationTime.dwHighDateTime=0x1d819e5, ftLastAccessTime.dwLowDateTime=0x143f4a40, ftLastAccessTime.dwHighDateTime=0x1d824f1, ftLastWriteTime.dwLowDateTime=0x143f4a40, ftLastWriteTime.dwHighDateTime=0x1d824f1, nFileSizeHigh=0x0, nFileSizeLow=0x1fbd)) returned 1 [0269.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wz2nYDFysrbRUqT.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\wz2nydfysrbruqt.swf"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x796e2fe0, ftCreationTime.dwHighDateTime=0x1d8294b, ftLastAccessTime.dwLowDateTime=0x5f277f60, ftLastAccessTime.dwHighDateTime=0x1d829f5, ftLastWriteTime.dwLowDateTime=0x5f277f60, ftLastWriteTime.dwHighDateTime=0x1d829f5, nFileSizeHigh=0x0, nFileSizeLow=0xdcb1)) returned 1 [0269.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\xImQcXgZ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ximqcxgz.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc0cff10, ftCreationTime.dwHighDateTime=0x1d81fed, ftLastAccessTime.dwLowDateTime=0x4077c60, ftLastAccessTime.dwHighDateTime=0x1d821e0, ftLastWriteTime.dwLowDateTime=0x4077c60, ftLastWriteTime.dwHighDateTime=0x1d821e0, nFileSizeHigh=0x0, nFileSizeLow=0xbd85)) returned 1 [0269.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\yb jiQAntYnxzFwzz.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yb jiqantynxzfwzz.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1398df0, ftCreationTime.dwHighDateTime=0x1d82857, ftLastAccessTime.dwLowDateTime=0xdac0e0d0, ftLastAccessTime.dwHighDateTime=0x1d82883, ftLastWriteTime.dwLowDateTime=0xdac0e0d0, ftLastWriteTime.dwHighDateTime=0x1d82883, nFileSizeHigh=0x0, nFileSizeLow=0x1052d)) returned 1 [0269.789] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF3A515BE1EBE96124.TMP" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\~df3a515be1ebe96124.tmp"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xf9301951, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf9301951, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf9301951, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0269.790] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\yb jiQAntYnxzFwzz.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yb jiqantynxzfwzz.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0269.791] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0269.791] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\yb jiQAntYnxzFwzz.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yb jiqantynxzfwzz.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1398df0, ftCreationTime.dwHighDateTime=0x1d82857, ftLastAccessTime.dwLowDateTime=0xdac0e0d0, ftLastAccessTime.dwHighDateTime=0x1d82883, ftLastWriteTime.dwLowDateTime=0xdac0e0d0, ftLastWriteTime.dwHighDateTime=0x1d82883, nFileSizeHigh=0x0, nFileSizeLow=0x1052d)) returned 1 [0269.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129297e0 | out: pbBuffer=0x129297e0) returned 1 [0269.791] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849a00 | out: pbBuffer=0x12849a00) returned 1 [0269.792] ReadFile (in: hFile=0x450, lpBuffer=0x12cf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf2000*, lpNumberOfBytesRead=0x12853d1c*=0x1052d, lpOverlapped=0x0) returned 1 [0269.794] GetFileType (hFile=0x450) returned 0x1 [0269.794] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.794] WriteFile (in: hFile=0x450, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x1052d, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12853d00*=0x1052d, lpOverlapped=0x12853d0c) returned 1 [0269.795] GetFileType (hFile=0x450) returned 0x1 [0269.795] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x1052d, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0269.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0269.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0269.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849ab8 | out: pbBuffer=0x12849ab8) returned 1 [0269.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\yb jiQAntYnxzFwzz.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yb jiqantynxzfwzz.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0269.796] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0269.796] WriteFile (in: hFile=0x42c, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0269.796] CloseHandle (hObject=0x42c) returned 1 [0269.796] CloseHandle (hObject=0x450) returned 1 [0269.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ad0 | out: pbBuffer=0x12849ad0) returned 1 [0269.796] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\yb jiQAntYnxzFwzz.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\yb jiqantynxzfwzz.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[5AE480D4DC35CE78]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[5ae480d4dc35ce78]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.798] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF3A515BE1EBE96124.TMP" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\~df3a515be1ebe96124.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.799] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF3A515BE1EBE96124.TMP\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0269.799] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF693F1CB0BE56B709.TMP" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\~df693f1cb0be56b709.tmp"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x966cdbcc, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966cdbcc, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966cdbcc, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x200)) returned 1 [0269.799] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF7D668A32F29FF678.TMP" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\~df7d668a32f29ff678.tmp"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966b2d4d, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x966b2d4d, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966c3f90, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0269.799] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF693F1CB0BE56B709.TMP" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\~df693f1cb0be56b709.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.800] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF693F1CB0BE56B709.TMP\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0269.800] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF7D668A32F29FF678.TMP" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\~df7d668a32f29ff678.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.800] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF7D668A32F29FF678.TMP\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0269.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DFA67B34E0D55BF895.TMP" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\~dfa67b34e0d55bf895.tmp"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xf65db879, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf65db879, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf65db879, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0269.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temporary internet files"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0269.801] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temporary internet files"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x450 [0269.801] GetFileInformationByHandle (in: hFile=0x450, lpFileInformation=0x12857a84 | out: lpFileInformation=0x12857a84) returned 1 [0269.801] GetFileInformationByHandleEx (in: hFile=0x450, FileInformationClass=0x9, lpFileInformation=0x12857a7c, dwBufferSize=0x8 | out: lpFileInformation=0x12857a7c) returned 1 [0269.801] CloseHandle (hObject=0x450) returned 1 [0269.801] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DFA67B34E0D55BF895.TMP" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\~dfa67b34e0d55bf895.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.802] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DFA67B34E0D55BF895.TMP\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0269.802] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temporary internet files"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.802] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0269.802] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0269.802] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.802] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0269.813] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.814] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb5f05683, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xb5f05683, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Database", cAlternateFileName="")) returned 1 [0269.814] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0269.814] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0269.814] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0269.814] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0269.814] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0269.816] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0269.816] WriteFile (in: hFile=0x450, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0269.818] CloseHandle (hObject=0x450) returned 1 [0269.818] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb5f05683, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xb5f05683, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0269.818] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.818] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb5f05683, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xb5f05683, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0269.818] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb5f05683, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xb5f05683, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.818] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xea651ad2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDB.chk", cAlternateFileName="")) returned 1 [0269.819] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xb5ea62be, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDB.log", cAlternateFileName="")) returned 1 [0269.819] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a8cb5a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xb5f47501, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDB00006.log", cAlternateFileName="")) returned 1 [0269.819] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40ab0ffe, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDBres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0269.819] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40ab0ffe, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDBres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0269.819] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8db19be0, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x4e008d83, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDBtmp.log", cAlternateFileName="")) returned 1 [0269.819] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40b6fbaa, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40b6fbaa, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xb5f599b7, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0xe0000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vedatamodel.edb", cAlternateFileName="VEDATA~1.EDB")) returned 1 [0269.819] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0269.819] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0269.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0269.819] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0269.820] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0269.821] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0269.821] WriteFile (in: hFile=0x450, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0269.823] CloseHandle (hObject=0x450) returned 1 [0269.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb.chk"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xea651ad2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0269.830] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb.log"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xb5ea62be, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0269.830] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0269.907] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0269.907] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb.chk"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xea651ad2, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0269.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845d20 | out: pbBuffer=0x12845d20) returned 1 [0269.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b120 | out: pbBuffer=0x12a9b120) returned 1 [0269.908] ReadFile (in: hFile=0x450, lpBuffer=0x12d12000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d12000*, lpNumberOfBytesRead=0x12853d1c*=0x2000, lpOverlapped=0x0) returned 1 [0269.909] GetFileType (hFile=0x450) returned 0x1 [0269.910] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.910] WriteFile (in: hFile=0x450, lpBuffer=0x12afe000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12afe000*, lpNumberOfBytesWritten=0x12853d00*=0x2000, lpOverlapped=0x12853d0c) returned 1 [0269.910] GetFileType (hFile=0x450) returned 0x1 [0269.910] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.910] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e81 | out: pbBuffer=0x12834e81) returned 1 [0269.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0269.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835081 | out: pbBuffer=0x12835081) returned 1 [0269.911] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b1d8 | out: pbBuffer=0x12a9b1d8) returned 1 [0269.911] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb.chk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0269.911] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0269.911] WriteFile (in: hFile=0x460, lpBuffer=0x12c33400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c33400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0269.912] CloseHandle (hObject=0x460) returned 1 [0269.912] CloseHandle (hObject=0x450) returned 1 [0269.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b1f0 | out: pbBuffer=0x12a9b1f0) returned 1 [0269.912] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb.chk"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\#_THIS_FILE_IS_ENCRYPTED_[178FE4DC88A8B333]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\#_this_file_is_encrypted_[178fe4dc88a8b333]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.914] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\xImQcXgZ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ximqcxgz.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0269.915] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0269.915] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\xImQcXgZ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ximqcxgz.gif"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc0cff10, ftCreationTime.dwHighDateTime=0x1d81fed, ftLastAccessTime.dwLowDateTime=0x4077c60, ftLastAccessTime.dwHighDateTime=0x1d821e0, ftLastWriteTime.dwLowDateTime=0x4077c60, ftLastWriteTime.dwHighDateTime=0x1d821e0, nFileSizeHigh=0x0, nFileSizeLow=0xbd85)) returned 1 [0269.915] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845f20 | out: pbBuffer=0x12845f20) returned 1 [0269.915] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b238 | out: pbBuffer=0x12a9b238) returned 1 [0269.915] ReadFile (in: hFile=0x450, lpBuffer=0x12d52000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d52000*, lpNumberOfBytesRead=0x12851d1c*=0xbd85, lpOverlapped=0x0) returned 1 [0269.921] GetFileType (hFile=0x450) returned 0x1 [0269.921] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.921] WriteFile (in: hFile=0x450, lpBuffer=0x12daa000*, nNumberOfBytesToWrite=0xbd85, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12daa000*, lpNumberOfBytesWritten=0x12851d00*=0xbd85, lpOverlapped=0x12851d0c) returned 1 [0269.922] GetFileType (hFile=0x450) returned 0x1 [0269.922] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xbd85, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0269.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835201 | out: pbBuffer=0x12835201) returned 1 [0269.922] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835301 | out: pbBuffer=0x12835301) returned 1 [0269.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835401 | out: pbBuffer=0x12835401) returned 1 [0269.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b320 | out: pbBuffer=0x12a9b320) returned 1 [0269.923] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\xImQcXgZ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ximqcxgz.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0269.923] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0269.923] WriteFile (in: hFile=0x460, lpBuffer=0x12c33900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c33900*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0269.923] CloseHandle (hObject=0x460) returned 1 [0269.924] CloseHandle (hObject=0x450) returned 1 [0269.924] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b338 | out: pbBuffer=0x12a9b338) returned 1 [0269.924] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\xImQcXgZ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ximqcxgz.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[DE27A92202696568]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[de27a92202696568]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0269.926] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbres00002.jrs"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40ab0ffe, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0269.926] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbtmp.log"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8db19be0, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x4e008d83, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0269.926] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40b6fbaa, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40b6fbaa, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xb5f599b7, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0xe0000)) returned 1 [0269.926] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbtmp.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.927] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log\\*", lpFindFileData=0x12851a44 | out: lpFindFileData=0x12851a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0269.927] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.927] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb\\*", lpFindFileData=0x12851a44 | out: lpFindFileData=0x12851a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0269.927] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\virtualstore"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0269.927] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\virtualstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.928] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0269.928] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.928] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0269.928] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0269.928] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\virtualstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0269.928] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\virtualstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0269.928] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\virtualstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0269.929] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0269.929] WriteFile (in: hFile=0x450, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0269.931] CloseHandle (hObject=0x450) returned 1 [0269.931] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0269.931] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.931] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0269.940] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.940] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0269.940] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0269.940] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0269.941] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0269.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0269.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0269.943] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0269.943] WriteFile (in: hFile=0x450, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0269.944] CloseHandle (hObject=0x450) returned 1 [0269.945] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xfccc3fee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfccc3fee, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0269.945] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0269.945] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xfccc3fee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfccc3fee, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0269.945] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xfccc3fee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfccc3fee, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.945] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0269.945] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfccc3fee, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xfccc3fee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xfccc3fee, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0269.946] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0269.946] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0269.946] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0269.946] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0269.946] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.083] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0270.083] WriteFile (in: hFile=0x450, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0270.084] CloseHandle (hObject=0x450) returned 1 [0270.085] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.085] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0270.085] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0270.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bb7e44, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0270.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb59b3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bb59b3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 1 [0270.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0270.086] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0270.086] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0270.086] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0270.086] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.087] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0270.087] WriteFile (in: hFile=0x450, lpBuffer=0x12ad0000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12ad0000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0270.089] CloseHandle (hObject=0x450) returned 1 [0270.089] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bb7e44, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.089] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0270.089] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bb7e44, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0270.137] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0270.296] SetEvent (hEvent=0x104) returned 1 [0270.296] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bb7e44, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.296] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64a9c09, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x64a9c09, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x64a9c09, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x12bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0270.296] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65b4c5b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65b4c5b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65b4c5b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961", cAlternateFileName="69B5E9~1")) returned 1 [0270.296] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x81bb7e44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bccb9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442", cAlternateFileName="6BADA8~1")) returned 1 [0270.296] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xdd75384e, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776", cAlternateFileName="7423F8~1")) returned 1 [0270.296] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65dad7a, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0270.296] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x2af524cd, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0270.296] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0270.296] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0270.353] SetEvent (hEvent=0x104) returned 1 [0270.353] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0270.517] SetEvent (hEvent=0x104) returned 1 [0270.517] SetEvent (hEvent=0x1b8) returned 1 [0270.517] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0270.518] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0270.518] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.519] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0270.520] WriteFile (in: hFile=0x450, lpBuffer=0x12ad1300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12ad1300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0270.521] CloseHandle (hObject=0x450) returned 1 [0270.521] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\57c8edb95df3f0ad4ee2dc2b8cfd4157"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64a9c09, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x64a9c09, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x64a9c09, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x12bb)) returned 1 [0270.522] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\69b5e9a1ca834da32c0a425757544385_035360c022bf84b8eb76a765ec8e8961"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65b4c5b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65b4c5b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65b4c5b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1d7)) returned 1 [0270.540] SetEvent (hEvent=0x1b8) returned 1 [0270.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\6bada8974a10c4bd62cc921d13e43b18_1dc6d7385ea816c957ba2b715ac5c442"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x81bb7e44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bccb9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5e3)) returned 1 [0270.541] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xdd75384e, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x1d7)) returned 1 [0270.541] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\77ec63bda74bd0d0e0426dc8f8008506"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65dad7a, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0270.542] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0270.542] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0270.543] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xdd75384e, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x1d7)) returned 1 [0270.543] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98c00 | out: pbBuffer=0x12a98c00) returned 1 [0270.543] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9300 | out: pbBuffer=0x128e9300) returned 1 [0270.543] ReadFile (in: hFile=0x42c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12829d1c*=0x1d7, lpOverlapped=0x0) returned 1 [0270.544] GetFileType (hFile=0x42c) returned 0x1 [0270.544] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.544] WriteFile (in: hFile=0x42c, lpBuffer=0x1286c1e0*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x1286c1e0*, lpNumberOfBytesWritten=0x12829d00*=0x1d7, lpOverlapped=0x12829d0c) returned 1 [0270.545] GetFileType (hFile=0x42c) returned 0x1 [0270.545] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1d7, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0270.617] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0270.617] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0270.618] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0270.618] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e93b8 | out: pbBuffer=0x128e93b8) returned 1 [0270.618] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0270.618] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0270.618] WriteFile (in: hFile=0x45c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0270.664] CloseHandle (hObject=0x45c) returned 1 [0270.696] CloseHandle (hObject=0x42c) returned 1 [0270.730] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9568 | out: pbBuffer=0x128e9568) returned 1 [0270.730] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_aa1e8580d4ebc816148ce81268683776"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\#_THIS_FILE_IS_ENCRYPTED_[9178E59879849C3A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\#_this_file_is_encrypted_[9178e59879849c3a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0270.981] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jwhu1_gJHqISsw8e KXE.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\jwhu1_gjhqissw8e kxe.png"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c61bdc0, ftCreationTime.dwHighDateTime=0x1d8205a, ftLastAccessTime.dwLowDateTime=0x68943180, ftLastAccessTime.dwHighDateTime=0x1d8246c, ftLastWriteTime.dwLowDateTime=0x68943180, ftLastWriteTime.dwHighDateTime=0x1d8246c, nFileSizeHigh=0x0, nFileSizeLow=0xff5f)) returned 1 [0270.981] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LDiB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ldib.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa068a40, ftCreationTime.dwHighDateTime=0x1d8274c, ftLastAccessTime.dwLowDateTime=0x1724d570, ftLastAccessTime.dwHighDateTime=0x1d829bc, ftLastWriteTime.dwLowDateTime=0x1724d570, ftLastWriteTime.dwHighDateTime=0x1d829bc, nFileSizeHigh=0x0, nFileSizeLow=0x78a0)) returned 1 [0270.981] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jwhu1_gJHqISsw8e KXE.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\jwhu1_gjhqissw8e kxe.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.982] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0270.982] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jwhu1_gJHqISsw8e KXE.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\jwhu1_gjhqissw8e kxe.png"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c61bdc0, ftCreationTime.dwHighDateTime=0x1d8205a, ftLastAccessTime.dwLowDateTime=0x68943180, ftLastAccessTime.dwHighDateTime=0x1d8246c, ftLastWriteTime.dwLowDateTime=0x68943180, ftLastWriteTime.dwHighDateTime=0x1d8246c, nFileSizeHigh=0x0, nFileSizeLow=0xff5f)) returned 1 [0270.982] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128459e0 | out: pbBuffer=0x128459e0) returned 1 [0270.982] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34be0 | out: pbBuffer=0x12c34be0) returned 1 [0270.982] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0271.215] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0271.215] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0271.215] SetEvent (hEvent=0x110) returned 1 [0271.215] SetEvent (hEvent=0x104) returned 1 [0271.216] ReadFile (in: hFile=0x450, lpBuffer=0x12cfa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cfa000*, lpNumberOfBytesRead=0x12829d1c*=0xff5f, lpOverlapped=0x0) returned 1 [0271.218] GetFileType (hFile=0x450) returned 0x1 [0271.218] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0271.218] WriteFile (in: hFile=0x450, lpBuffer=0x12d3a000*, nNumberOfBytesToWrite=0xff5f, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d3a000*, lpNumberOfBytesWritten=0x12829d00*=0xff5f, lpOverlapped=0x12829d0c) returned 1 [0271.219] GetFileType (hFile=0x450) returned 0x1 [0271.219] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xff5f, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0271.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0271.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0271.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af81 | out: pbBuffer=0x1286af81) returned 1 [0271.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34c98 | out: pbBuffer=0x12c34c98) returned 1 [0271.220] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jwhu1_gJHqISsw8e KXE.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\jwhu1_gjhqissw8e kxe.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0271.220] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0271.220] WriteFile (in: hFile=0x42c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0271.221] CloseHandle (hObject=0x42c) returned 1 [0271.240] CloseHandle (hObject=0x450) returned 1 [0271.245] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848020 | out: pbBuffer=0x12848020) returned 1 [0271.246] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jwhu1_gJHqISsw8e KXE.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\jwhu1_gjhqissw8e kxe.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[F72D8F66BB507BD6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[f72d8f66bb507bd6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0271.754] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0271.804] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0271.805] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0271.805] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eabbab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eabbab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a6d16e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4197e)) returned 1 [0271.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0271.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0271.805] ReadFile (in: hFile=0x460, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.202] GetFileType (hFile=0x460) returned 0x1 [0272.202] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.202] WriteFile (in: hFile=0x460, lpBuffer=0x12ce4000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12ce4000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0272.203] GetFileType (hFile=0x460) returned 0x1 [0272.203] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.203] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0272.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0272.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0272.205] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a890 | out: pbBuffer=0x12a9a890) returned 1 [0272.205] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0272.206] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0272.206] WriteFile (in: hFile=0x45c, lpBuffer=0x12d94000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d94000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.214] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0272.233] SetEvent (hEvent=0x110) returned 1 [0272.233] CloseHandle (hObject=0x45c) returned 1 [0272.233] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0272.303] CloseHandle (hObject=0x460) returned 1 [0272.303] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34010 | out: pbBuffer=0x12c34010) returned 1 [0272.303] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[A209318446EEFC7F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[a209318446eefc7f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.307] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0272.319] SetEvent (hEvent=0x19c) returned 1 [0272.319] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.320] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0272.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ebb9a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ebb9a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d)) returned 1 [0272.321] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0272.321] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34058 | out: pbBuffer=0x12c34058) returned 1 [0272.321] ReadFile (in: hFile=0x460, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.344] GetFileType (hFile=0x460) returned 0x1 [0272.345] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.345] WriteFile (in: hFile=0x460, lpBuffer=0x12baa000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12baa000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0272.345] GetFileType (hFile=0x460) returned 0x1 [0272.346] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0272.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0272.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0272.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34140 | out: pbBuffer=0x12c34140) returned 1 [0272.346] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0272.347] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0272.347] WriteFile (in: hFile=0x458, lpBuffer=0x12922000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12922000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.472] CloseHandle (hObject=0x458) returned 1 [0272.489] CloseHandle (hObject=0x460) returned 1 [0272.490] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34158 | out: pbBuffer=0x12c34158) returned 1 [0272.490] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[BD485B69066D3105]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[bd485b69066d3105]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.570] SetEvent (hEvent=0x110) returned 1 [0272.570] SetEvent (hEvent=0x104) returned 1 [0272.570] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0272.572] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0272.572] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed06d2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed06d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b432832, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8)) returned 1 [0272.572] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a984a0 | out: pbBuffer=0x12a984a0) returned 1 [0272.572] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8448 | out: pbBuffer=0x128e8448) returned 1 [0272.572] ReadFile (in: hFile=0x450, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.583] GetFileType (hFile=0x450) returned 0x1 [0272.583] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.583] WriteFile (in: hFile=0x450, lpBuffer=0x12a16000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a16000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0272.584] GetFileType (hFile=0x450) returned 0x1 [0272.584] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.584] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0272.584] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0272.584] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0272.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8500 | out: pbBuffer=0x128e8500) returned 1 [0272.585] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.585] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0272.585] WriteFile (in: hFile=0x460, lpBuffer=0x12c2ca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2ca00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.585] CloseHandle (hObject=0x460) returned 1 [0272.599] CloseHandle (hObject=0x450) returned 1 [0272.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8518 | out: pbBuffer=0x128e8518) returned 1 [0272.600] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[DE912AD8EB074E38]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[de912ad8eb074e38]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.672] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0272.698] SetEvent (hEvent=0x1b8) returned 1 [0272.698] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0272.733] SetEvent (hEvent=0x1b8) returned 1 [0272.733] SetEvent (hEvent=0xfc) returned 1 [0272.733] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\microsoft outlook.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.735] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0272.735] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\microsoft outlook.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6654de95, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6657eabb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x51b)) returned 1 [0272.735] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0272.735] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0272.736] ReadFile (in: hFile=0x42c, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x12853d1c*=0x51b, lpOverlapped=0x0) returned 1 [0272.753] GetFileType (hFile=0x42c) returned 0x1 [0272.753] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.753] WriteFile (in: hFile=0x42c, lpBuffer=0x1285c000*, nNumberOfBytesToWrite=0x51b, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x1285c000*, lpNumberOfBytesWritten=0x12853d00*=0x51b, lpOverlapped=0x12853d0c) returned 1 [0272.753] GetFileType (hFile=0x42c) returned 0x1 [0272.753] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x51b, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.753] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0272.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0272.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0272.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340f0 | out: pbBuffer=0x12c340f0) returned 1 [0272.754] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\microsoft outlook.lnk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0272.754] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0272.754] WriteFile (in: hFile=0x44c, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.755] CloseHandle (hObject=0x44c) returned 1 [0272.755] CloseHandle (hObject=0x42c) returned 1 [0272.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34108 | out: pbBuffer=0x12c34108) returned 1 [0272.755] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\microsoft outlook.lnk"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\#_THIS_FILE_IS_ENCRYPTED_[A42133E003FFD08A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\#_this_file_is_encrypted_[a42133e003ffd08a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.757] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0272.833] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.834] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.834] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d02d92b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d02d92b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e)) returned 1 [0272.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0272.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34150 | out: pbBuffer=0x12c34150) returned 1 [0272.834] ReadFile (in: hFile=0x42c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x1282bd1c*=0x14e, lpOverlapped=0x0) returned 1 [0272.836] GetFileType (hFile=0x42c) returned 0x1 [0272.836] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.836] WriteFile (in: hFile=0x42c, lpBuffer=0x12b16000*, nNumberOfBytesToWrite=0x14e, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12b16000*, lpNumberOfBytesWritten=0x1282bd00*=0x14e, lpOverlapped=0x1282bd0c) returned 1 [0272.836] GetFileType (hFile=0x42c) returned 0x1 [0272.836] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x14e, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0272.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0272.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0272.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0272.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34208 | out: pbBuffer=0x12c34208) returned 1 [0272.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0272.837] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.837] WriteFile (in: hFile=0x450, lpBuffer=0x12a90500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0272.872] CloseHandle (hObject=0x450) returned 1 [0272.872] CloseHandle (hObject=0x42c) returned 1 [0272.873] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34220 | out: pbBuffer=0x12c34220) returned 1 [0272.873] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\#_THIS_FILE_IS_ENCRYPTED_[40C417EE0C812205]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\#_this_file_is_encrypted_[40c417ee0c812205]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.900] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.901] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0272.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0272.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128454e0 | out: pbBuffer=0x128454e0) returned 1 [0272.901] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34268 | out: pbBuffer=0x12c34268) returned 1 [0272.901] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0272.901] SetEvent (hEvent=0xf4) returned 1 [0272.901] ReadFile (in: hFile=0x42c, lpBuffer=0x12ce4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce4000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0272.902] CloseHandle (hObject=0x42c) returned 1 [0272.903] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0272.909] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0272.909] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0272.912] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0272.912] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0272.913] SetEvent (hEvent=0xf4) returned 1 [0272.913] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0272.934] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0272.935] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0272.985] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0272.985] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80f81d62, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80f81d62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80f83167, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x9362)) returned 1 [0272.986] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0272.986] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0272.986] ReadFile (in: hFile=0x45c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x1282fd1c*=0x9362, lpOverlapped=0x0) returned 1 [0273.011] GetFileType (hFile=0x45c) returned 0x1 [0273.011] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.011] WriteFile (in: hFile=0x45c, lpBuffer=0x12da0000*, nNumberOfBytesToWrite=0x9362, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12da0000*, lpNumberOfBytesWritten=0x1282fd00*=0x9362, lpOverlapped=0x1282fd0c) returned 1 [0273.011] GetFileType (hFile=0x45c) returned 0x1 [0273.012] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x9362, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0273.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0273.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0273.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0273.013] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.013] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0273.013] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac4500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.013] CloseHandle (hObject=0x44c) returned 1 [0273.013] CloseHandle (hObject=0x45c) returned 1 [0273.013] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0273.014] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\#_THIS_FILE_IS_ENCRYPTED_[44F6A6CAA1603790]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\#_this_file_is_encrypted_[44f6a6caa1603790]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.066] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x877953e5, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x877953e5, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x87797b5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x956)) returned 1 [0273.066] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x50866c1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x50866c1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.067] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0273.067] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x50866c1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x50866c1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0273.067] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x50866c1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x50866c1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0273.067] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xa55c36e7, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0273.067] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x50866c1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xde7dde0f, ftLastAccessTime.dwHighDateTime=0x1d7b055, ftLastWriteTime.dwLowDateTime=0xde7dde0f, ftLastWriteTime.dwHighDateTime=0x1d7b055, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0273.067] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xa563624b, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 1 [0273.067] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0273.067] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0273.068] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0273.068] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0273.068] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.081] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0273.081] WriteFile (in: hFile=0x44c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0273.083] CloseHandle (hObject=0x44c) returned 1 [0273.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\credhist"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xa55c36e7, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x1c8)) returned 1 [0273.084] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0273.187] SwitchToThread () returned 1 [0273.193] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0273.361] SetEvent (hEvent=0x19c) returned 1 [0273.361] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\appcontainerusercertread"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.362] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.362] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\appcontainerusercertread"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0273.363] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98460 | out: pbBuffer=0x12a98460) returned 1 [0273.363] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8388 | out: pbBuffer=0x128e8388) returned 1 [0273.363] ReadFile (in: hFile=0x44c, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0273.363] CloseHandle (hObject=0x44c) returned 1 [0273.363] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0273.459] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0273.484] SetEvent (hEvent=0xfc) returned 1 [0273.484] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x988e757c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x988e757c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xbdc7df00, ftLastWriteTime.dwHighDateTime=0x1d43fda, nFileSizeHigh=0x0, nFileSizeLow=0x883d3)) returned 1 [0273.485] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0273.521] SetEvent (hEvent=0xfc) returned 1 [0273.521] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98acf19f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98acf19f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xe42a5200, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x8b615)) returned 1 [0273.522] SetEvent (hEvent=0x1d0) returned 1 [0273.522] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0273.535] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0273.535] SetEvent (hEvent=0x1d0) returned 1 [0273.535] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0273.540] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0273.540] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0273.540] SetEvent (hEvent=0x1d0) returned 1 [0273.540] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0273.549] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0273.550] GetFileType (hFile=0x450) returned 0x1 [0273.550] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.550] WriteFile (in: hFile=0x450, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0273.551] GetFileType (hFile=0x450) returned 0x1 [0273.551] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0273.551] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0273.552] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0273.552] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0273.552] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0273.552] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.552] WriteFile (in: hFile=0x42c, lpBuffer=0x12c22500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22500*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.570] CloseHandle (hObject=0x42c) returned 1 [0273.570] CloseHandle (hObject=0x450) returned 1 [0273.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ad8 | out: pbBuffer=0x12848ad8) returned 1 [0273.570] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[0556E57211794BB6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[0556e57211794bb6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.572] SetEvent (hEvent=0xfc) returned 1 [0273.572] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0273.573] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.573] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x987adf7a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x987adf7a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xea6cfe00, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0xbddaf)) returned 1 [0273.573] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928ba0 | out: pbBuffer=0x12928ba0) returned 1 [0273.573] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848b30 | out: pbBuffer=0x12848b30) returned 1 [0273.573] ReadFile (in: hFile=0x450, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0273.593] GetFileType (hFile=0x450) returned 0x1 [0273.593] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.594] WriteFile (in: hFile=0x450, lpBuffer=0x12b8a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12b8a000*, lpNumberOfBytesWritten=0x12a5fd00*=0x20000, lpOverlapped=0x12a5fd0c) returned 1 [0273.594] GetFileType (hFile=0x450) returned 0x1 [0273.594] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0273.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0273.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0273.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0273.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848d40 | out: pbBuffer=0x12848d40) returned 1 [0273.595] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.596] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0273.596] WriteFile (in: hFile=0x44c, lpBuffer=0x12c22f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22f00*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0273.603] CloseHandle (hObject=0x44c) returned 1 [0273.613] CloseHandle (hObject=0x450) returned 1 [0273.619] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848e18 | out: pbBuffer=0x12848e18) returned 1 [0273.619] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[7C13AAA4F6522099]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[7c13aaa4f6522099]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.137] SetEvent (hEvent=0x110) returned 1 [0274.137] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0274.157] SetEvent (hEvent=0xf4) returned 1 [0274.157] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0274.159] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0274.159] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fbbf10, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97fbbf10, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc65ced00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x125f51)) returned 1 [0274.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929b20 | out: pbBuffer=0x12929b20) returned 1 [0274.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128495e0 | out: pbBuffer=0x128495e0) returned 1 [0274.159] ReadFile (in: hFile=0x458, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.172] GetFileType (hFile=0x458) returned 0x1 [0274.172] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.172] WriteFile (in: hFile=0x458, lpBuffer=0x12d04000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12d04000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0274.173] GetFileType (hFile=0x458) returned 0x1 [0274.173] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0274.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0274.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0274.173] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128496a8 | out: pbBuffer=0x128496a8) returned 1 [0274.173] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.174] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0274.174] WriteFile (in: hFile=0x45c, lpBuffer=0x12c23400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c23400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.182] CloseHandle (hObject=0x45c) returned 1 [0274.183] CloseHandle (hObject=0x458) returned 1 [0274.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128496c0 | out: pbBuffer=0x128496c0) returned 1 [0274.194] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[0092F6AE274CEE8A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[0092f6ae274cee8a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.366] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0274.398] SetEvent (hEvent=0x19c) returned 1 [0274.398] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.399] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0274.399] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x982f049f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x982f049f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5c911300, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x21dbbf)) returned 1 [0274.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0274.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0274.399] ReadFile (in: hFile=0x45c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.408] GetFileType (hFile=0x45c) returned 0x1 [0274.408] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.408] WriteFile (in: hFile=0x45c, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0274.408] GetFileType (hFile=0x45c) returned 0x1 [0274.408] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0274.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0274.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0274.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0274.409] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0274.409] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0274.409] WriteFile (in: hFile=0x44c, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.416] CloseHandle (hObject=0x44c) returned 1 [0274.420] CloseHandle (hObject=0x45c) returned 1 [0274.425] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0274.425] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[223180AFDC824031]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[223180afdc824031]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.623] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0274.640] SetEvent (hEvent=0x19c) returned 1 [0274.641] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0274.641] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0274.641] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9800b4e9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9800b4e9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4f742400, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x371abc)) returned 1 [0274.642] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e360 | out: pbBuffer=0x1280e360) returned 1 [0274.642] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b0c0 | out: pbBuffer=0x12a9b0c0) returned 1 [0274.642] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0274.645] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0274.645] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0274.645] SetEvent (hEvent=0x110) returned 1 [0274.645] SetEvent (hEvent=0x19c) returned 1 [0274.645] ReadFile (in: hFile=0x44c, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0274.653] GetFileType (hFile=0x44c) returned 0x1 [0274.654] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.654] WriteFile (in: hFile=0x44c, lpBuffer=0x12cc4000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12cc4000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0274.654] GetFileType (hFile=0x44c) returned 0x1 [0274.654] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0274.654] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0274.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0274.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0274.655] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484d8 | out: pbBuffer=0x128484d8) returned 1 [0274.655] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0274.655] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0274.655] WriteFile (in: hFile=0x45c, lpBuffer=0x12a94a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0274.662] CloseHandle (hObject=0x45c) returned 1 [0274.663] CloseHandle (hObject=0x44c) returned 1 [0274.665] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a010 | out: pbBuffer=0x12a9a010) returned 1 [0274.665] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[EECAAF1CEC2FFAAB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[eecaaf1cec2ffaab]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0274.856] SetEvent (hEvent=0x19c) returned 1 [0274.856] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0274.861] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0274.861] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x0 [0274.863] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb28, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb28, ulNumEntriesRemoved=0x33d6fb0c) returned 0 [0274.864] SetEvent (hEvent=0x104) returned 1 [0274.864] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0274.868] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0274.907] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0275.310] SetEvent (hEvent=0x19c) returned 1 [0275.310] SetEvent (hEvent=0x1d0) returned 1 [0275.310] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0275.316] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0275.389] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0275.402] SetEvent (hEvent=0x1d0) returned 1 [0275.402] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851219[[fn=gostname]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851219[[fn=gostname]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978514f8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978514f8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97853bdd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3e7cc)) returned 1 [0275.404] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0275.502] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0275.508] SetEvent (hEvent=0x1d0) returned 1 [0275.508] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0275.512] SetEvent (hEvent=0x1d0) returned 1 [0275.512] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851223[[fn=iso690]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851223[[fn=iso690]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0275.513] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.513] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851223[[fn=iso690]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851223[[fn=iso690]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98050de7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98050de7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98055ce4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x41f76)) returned 1 [0275.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0275.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0275.514] ReadFile (in: hFile=0x42c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.525] GetFileType (hFile=0x42c) returned 0x1 [0275.525] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.526] WriteFile (in: hFile=0x42c, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0275.526] GetFileType (hFile=0x42c) returned 0x1 [0275.526] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0275.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0275.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0275.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0275.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851223[[fn=iso690]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851223[[fn=iso690]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0275.527] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.527] WriteFile (in: hFile=0x460, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.531] CloseHandle (hObject=0x460) returned 1 [0275.533] CloseHandle (hObject=0x42c) returned 1 [0275.534] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0275.534] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851223[[fn=iso690]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851223[[fn=iso690]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[D073F0F3DFA59E3F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[d073f0f3dfa59e3f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0275.570] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0275.578] SetEvent (hEvent=0x19c) returned 1 [0275.578] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851227[[fn=sist02]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851227[[fn=sist02]].xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0275.580] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.580] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851227[[fn=sist02]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851227[[fn=sist02]].xsl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9830edbc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9830edbc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98311346, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3d467)) returned 1 [0275.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0275.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0275.580] ReadFile (in: hFile=0x45c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0275.594] GetFileType (hFile=0x45c) returned 0x1 [0275.594] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.594] WriteFile (in: hFile=0x45c, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0275.595] GetFileType (hFile=0x45c) returned 0x1 [0275.595] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0275.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0275.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0275.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0275.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a308 | out: pbBuffer=0x12a9a308) returned 1 [0275.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851227[[fn=sist02]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851227[[fn=sist02]].xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0275.596] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0275.596] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0275.597] CloseHandle (hObject=0x42c) returned 1 [0275.602] CloseHandle (hObject=0x45c) returned 1 [0275.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a320 | out: pbBuffer=0x12a9a320) returned 1 [0275.671] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851227[[fn=sist02]].xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\tm02851227[[fn=sist02]].xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\#_THIS_FILE_IS_ENCRYPTED_[3B5C18AACDF4271A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\#_this_file_is_encrypted_[3b5c18aacdf4271a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0276.401] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0276.495] SetEvent (hEvent=0x1d0) returned 1 [0276.495] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0276.496] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0276.496] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4614163, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4614163, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa46a67ce, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4641)) returned 1 [0276.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928da0 | out: pbBuffer=0x12928da0) returned 1 [0276.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34548 | out: pbBuffer=0x12c34548) returned 1 [0276.497] ReadFile (in: hFile=0x42c, lpBuffer=0x12d58000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d58000*, lpNumberOfBytesRead=0x1282bd1c*=0x4641, lpOverlapped=0x0) returned 1 [0276.754] GetFileType (hFile=0x42c) returned 0x1 [0276.754] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0276.754] WriteFile (in: hFile=0x42c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x4641, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x1282bd00*=0x4641, lpOverlapped=0x1282bd0c) returned 1 [0276.754] GetFileType (hFile=0x42c) returned 0x1 [0276.754] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x4641, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0276.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0276.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab01 | out: pbBuffer=0x1286ab01) returned 1 [0276.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0276.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34600 | out: pbBuffer=0x12c34600) returned 1 [0276.755] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0276.755] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0276.755] WriteFile (in: hFile=0x45c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0276.756] CloseHandle (hObject=0x45c) returned 1 [0276.756] CloseHandle (hObject=0x42c) returned 1 [0276.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34618 | out: pbBuffer=0x12c34618) returned 1 [0276.756] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\#_THIS_FILE_IS_ENCRYPTED_[F21518C70D4A0110]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\#_this_file_is_encrypted_[f21518c70d4a0110]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.207] SetEvent (hEvent=0x420) returned 1 [0277.208] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Wdfs3 7GvEWFI t1ECJ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wdfs3 7gvewfi t1ecj.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.211] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0277.211] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Wdfs3 7GvEWFI t1ECJ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wdfs3 7gvewfi t1ecj.avi"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f427400, ftCreationTime.dwHighDateTime=0x1d8235d, ftLastAccessTime.dwLowDateTime=0x12deea20, ftLastAccessTime.dwHighDateTime=0x1d82816, ftLastWriteTime.dwLowDateTime=0x12deea20, ftLastWriteTime.dwHighDateTime=0x1d82816, nFileSizeHigh=0x0, nFileSizeLow=0xac5d)) returned 1 [0277.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280fbe0 | out: pbBuffer=0x1280fbe0) returned 1 [0277.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128108a8 | out: pbBuffer=0x128108a8) returned 1 [0277.212] ReadFile (in: hFile=0x42c, lpBuffer=0x12cb4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cb4000*, lpNumberOfBytesRead=0x1282bd1c*=0xac5d, lpOverlapped=0x0) returned 1 [0277.213] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x1) returned 0x102 [0277.239] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0277.239] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6fb20, ulCount=0x10, ulNumEntriesRemoved=0x33d6fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6fb20, ulNumEntriesRemoved=0x33d6fb04) returned 0 [0277.239] SetEvent (hEvent=0x110) returned 1 [0277.239] SetEvent (hEvent=0x420) returned 1 [0277.240] GetFileType (hFile=0x42c) returned 0x1 [0277.240] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0277.240] WriteFile (in: hFile=0x42c, lpBuffer=0x12cd4000*, nNumberOfBytesToWrite=0xac5d, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12cd4000*, lpNumberOfBytesWritten=0x1282bd00*=0xac5d, lpOverlapped=0x1282bd0c) returned 1 [0277.241] GetFileType (hFile=0x42c) returned 0x1 [0277.241] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xac5d, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0277.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835c81 | out: pbBuffer=0x12835c81) returned 1 [0277.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835d81 | out: pbBuffer=0x12835d81) returned 1 [0277.242] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835e81 | out: pbBuffer=0x12835e81) returned 1 [0277.290] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810960 | out: pbBuffer=0x12810960) returned 1 [0277.290] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Wdfs3 7GvEWFI t1ECJ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wdfs3 7gvewfi t1ecj.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.291] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0277.291] WriteFile (in: hFile=0x44c, lpBuffer=0x12a76f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76f00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.291] CloseHandle (hObject=0x44c) returned 1 [0277.291] CloseHandle (hObject=0x42c) returned 1 [0277.291] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810978 | out: pbBuffer=0x12810978) returned 1 [0277.291] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Wdfs3 7GvEWFI t1ECJ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\wdfs3 7gvewfi t1ecj.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[4D8E36AD5BF289A0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[4d8e36ad5bf289a0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.294] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Xydkzt3iLwEfQ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\xydkzt3ilwefq.avi"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773ec060, ftCreationTime.dwHighDateTime=0x1d82714, ftLastAccessTime.dwLowDateTime=0xb68acd90, ftLastAccessTime.dwHighDateTime=0x1d829bc, ftLastWriteTime.dwLowDateTime=0xb68acd90, ftLastWriteTime.dwHighDateTime=0x1d829bc, nFileSizeHigh=0x0, nFileSizeLow=0x5703)) returned 1 [0277.294] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\a_j1jXljhzqhKZ2b.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\a_j1jxljhzqhkz2b.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5dd1ff0, ftCreationTime.dwHighDateTime=0x1d828ba, ftLastAccessTime.dwLowDateTime=0x95ab15f0, ftLastAccessTime.dwHighDateTime=0x1d829b0, ftLastWriteTime.dwLowDateTime=0x95ab15f0, ftLastWriteTime.dwHighDateTime=0x1d829b0, nFileSizeHigh=0x0, nFileSizeLow=0x23e3)) returned 1 [0277.294] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\bvR3SJZBn0Eg.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\bvr3sjzbn0eg.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a9a87a0, ftCreationTime.dwHighDateTime=0x1d81cb1, ftLastAccessTime.dwLowDateTime=0x9c22ae40, ftLastAccessTime.dwHighDateTime=0x1d82738, ftLastWriteTime.dwLowDateTime=0x9c22ae40, ftLastWriteTime.dwHighDateTime=0x1d82738, nFileSizeHigh=0x0, nFileSizeLow=0x5cd3)) returned 1 [0277.294] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\a_j1jXljhzqhKZ2b.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\a_j1jxljhzqhkz2b.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.295] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0277.295] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\a_j1jXljhzqhKZ2b.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\a_j1jxljhzqhkz2b.mkv"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5dd1ff0, ftCreationTime.dwHighDateTime=0x1d828ba, ftLastAccessTime.dwLowDateTime=0x95ab15f0, ftLastAccessTime.dwHighDateTime=0x1d829b0, ftLastWriteTime.dwLowDateTime=0x95ab15f0, ftLastWriteTime.dwHighDateTime=0x1d829b0, nFileSizeHigh=0x0, nFileSizeLow=0x23e3)) returned 1 [0277.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845400 | out: pbBuffer=0x12845400) returned 1 [0277.296] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128114b0 | out: pbBuffer=0x128114b0) returned 1 [0277.296] ReadFile (in: hFile=0x42c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x1282bd1c*=0x23e3, lpOverlapped=0x0) returned 1 [0277.297] GetFileType (hFile=0x42c) returned 0x1 [0277.297] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0277.298] WriteFile (in: hFile=0x42c, lpBuffer=0x12aca500*, nNumberOfBytesToWrite=0x23e3, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12aca500*, lpNumberOfBytesWritten=0x1282bd00*=0x23e3, lpOverlapped=0x1282bd0c) returned 1 [0277.298] GetFileType (hFile=0x42c) returned 0x1 [0277.298] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x23e3, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0277.298] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0277.298] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0277.299] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0277.299] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811568 | out: pbBuffer=0x12811568) returned 1 [0277.299] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\a_j1jXljhzqhKZ2b.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\a_j1jxljhzqhkz2b.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.299] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0277.299] WriteFile (in: hFile=0x44c, lpBuffer=0x12a77400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a77400*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.299] CloseHandle (hObject=0x44c) returned 1 [0277.299] CloseHandle (hObject=0x42c) returned 1 [0277.300] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811580 | out: pbBuffer=0x12811580) returned 1 [0277.300] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\a_j1jXljhzqhKZ2b.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\a_j1jxljhzqhkz2b.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[64E34BEFA026F128]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[64e34befa026f128]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.320] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\bvR3SJZBn0Eg.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\bvr3sjzbn0eg.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0277.321] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0277.321] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\bvR3SJZBn0Eg.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\bvr3sjzbn0eg.m4a"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a9a87a0, ftCreationTime.dwHighDateTime=0x1d81cb1, ftLastAccessTime.dwLowDateTime=0x9c22ae40, ftLastAccessTime.dwHighDateTime=0x1d82738, ftLastWriteTime.dwLowDateTime=0x9c22ae40, ftLastWriteTime.dwHighDateTime=0x1d82738, nFileSizeHigh=0x0, nFileSizeLow=0x5cd3)) returned 1 [0277.321] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845640 | out: pbBuffer=0x12845640) returned 1 [0277.321] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128115c8 | out: pbBuffer=0x128115c8) returned 1 [0277.398] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\cLctyo9dRfh 5ZmT.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\clctyo9drfh 5zmt.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27f32c50, ftCreationTime.dwHighDateTime=0x1d829bf, ftLastAccessTime.dwLowDateTime=0xaa935150, ftLastAccessTime.dwHighDateTime=0x1d829f4, ftLastWriteTime.dwLowDateTime=0xaa935150, ftLastWriteTime.dwHighDateTime=0x1d829f4, nFileSizeHigh=0x0, nFileSizeLow=0x2827)) returned 1 [0277.399] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Xydkzt3iLwEfQ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\xydkzt3ilwefq.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.400] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.400] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Xydkzt3iLwEfQ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\xydkzt3ilwefq.avi"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773ec060, ftCreationTime.dwHighDateTime=0x1d82714, ftLastAccessTime.dwLowDateTime=0xb68acd90, ftLastAccessTime.dwHighDateTime=0x1d829bc, ftLastWriteTime.dwLowDateTime=0xb68acd90, ftLastWriteTime.dwHighDateTime=0x1d829bc, nFileSizeHigh=0x0, nFileSizeLow=0x5703)) returned 1 [0277.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845ce0 | out: pbBuffer=0x12845ce0) returned 1 [0277.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811880 | out: pbBuffer=0x12811880) returned 1 [0277.400] ReadFile (in: hFile=0x44c, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12a5dd1c*=0x5703, lpOverlapped=0x0) returned 1 [0277.402] GetFileType (hFile=0x44c) returned 0x1 [0277.402] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.402] WriteFile (in: hFile=0x44c, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x5703, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12a5dd00*=0x5703, lpOverlapped=0x12a5dd0c) returned 1 [0277.402] GetFileType (hFile=0x44c) returned 0x1 [0277.403] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x5703, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0277.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0277.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0277.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811938 | out: pbBuffer=0x12811938) returned 1 [0277.404] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Xydkzt3iLwEfQ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\xydkzt3ilwefq.avi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.404] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.404] WriteFile (in: hFile=0x45c, lpBuffer=0x12a77900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a77900*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.404] CloseHandle (hObject=0x45c) returned 1 [0277.404] CloseHandle (hObject=0x44c) returned 1 [0277.404] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811950 | out: pbBuffer=0x12811950) returned 1 [0277.404] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Xydkzt3iLwEfQ.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\xydkzt3ilwefq.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[740EA01DA352D1E8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[740ea01da352d1e8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\cLctyo9dRfh 5ZmT.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\clctyo9drfh 5zmt.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.407] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.407] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\cLctyo9dRfh 5ZmT.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\clctyo9drfh 5zmt.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27f32c50, ftCreationTime.dwHighDateTime=0x1d829bf, ftLastAccessTime.dwLowDateTime=0xaa935150, ftLastAccessTime.dwHighDateTime=0x1d829f4, ftLastWriteTime.dwLowDateTime=0xaa935150, ftLastWriteTime.dwHighDateTime=0x1d829f4, nFileSizeHigh=0x0, nFileSizeLow=0x2827)) returned 1 [0277.407] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845ee0 | out: pbBuffer=0x12845ee0) returned 1 [0277.407] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811998 | out: pbBuffer=0x12811998) returned 1 [0277.407] ReadFile (in: hFile=0x44c, lpBuffer=0x129f6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x129f6000*, lpNumberOfBytesRead=0x12a5dd1c*=0x2827, lpOverlapped=0x0) returned 1 [0277.409] GetFileType (hFile=0x44c) returned 0x1 [0277.409] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.409] WriteFile (in: hFile=0x44c, lpBuffer=0x12c1c000*, nNumberOfBytesToWrite=0x2827, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12c1c000*, lpNumberOfBytesWritten=0x12a5dd00*=0x2827, lpOverlapped=0x12a5dd0c) returned 1 [0277.410] GetFileType (hFile=0x44c) returned 0x1 [0277.410] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x2827, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.410] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0277.410] VirtualAlloc (lpAddress=0x12dbc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12dbc000 [0277.411] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0277.411] VirtualAlloc (lpAddress=0x12dbe000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12dbe000 [0277.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0277.412] VirtualAlloc (lpAddress=0x12dc0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12dc0000 [0277.414] VirtualAlloc (lpAddress=0x12dc2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12dc2000 [0277.415] VirtualAlloc (lpAddress=0x12dc4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12dc4000 [0277.415] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811a50 | out: pbBuffer=0x12811a50) returned 1 [0277.416] VirtualAlloc (lpAddress=0x12dc6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12dc6000 [0277.416] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\cLctyo9dRfh 5ZmT.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\clctyo9drfh 5zmt.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.416] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.416] WriteFile (in: hFile=0x45c, lpBuffer=0x12dc6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6000*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.417] CloseHandle (hObject=0x45c) returned 1 [0277.417] CloseHandle (hObject=0x44c) returned 1 [0277.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811a68 | out: pbBuffer=0x12811a68) returned 1 [0277.417] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\cLctyo9dRfh 5ZmT.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\clctyo9drfh 5zmt.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[EB0474089058578F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[eb0474089058578f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.419] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\dkhx.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\dkhx.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67aa8530, ftCreationTime.dwHighDateTime=0x1d81ba2, ftLastAccessTime.dwLowDateTime=0xbe7b9e30, ftLastAccessTime.dwHighDateTime=0x1d81f8a, ftLastWriteTime.dwLowDateTime=0xbe7b9e30, ftLastWriteTime.dwHighDateTime=0x1d81f8a, nFileSizeHigh=0x0, nFileSizeLow=0xf4ad)) returned 1 [0277.419] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ecMxh0OUCIsrss68.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ecmxh0oucisrss68.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5aebc130, ftCreationTime.dwHighDateTime=0x1d82997, ftLastAccessTime.dwLowDateTime=0x159be520, ftLastAccessTime.dwHighDateTime=0x1d829b4, ftLastWriteTime.dwLowDateTime=0x159be520, ftLastWriteTime.dwHighDateTime=0x1d829b4, nFileSizeHigh=0x0, nFileSizeLow=0x4f16)) returned 1 [0277.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\dkhx.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\dkhx.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.421] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\dkhx.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\dkhx.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67aa8530, ftCreationTime.dwHighDateTime=0x1d81ba2, ftLastAccessTime.dwLowDateTime=0xbe7b9e30, ftLastAccessTime.dwHighDateTime=0x1d81f8a, ftLastWriteTime.dwLowDateTime=0xbe7b9e30, ftLastWriteTime.dwHighDateTime=0x1d81f8a, nFileSizeHigh=0x0, nFileSizeLow=0xf4ad)) returned 1 [0277.421] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12dbc6a0 | out: pbBuffer=0x12dbc6a0) returned 1 [0277.421] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914070 | out: pbBuffer=0x12914070) returned 1 [0277.421] VirtualAlloc (lpAddress=0x12dc8000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12dc8000 [0277.422] VirtualAlloc (lpAddress=0x12de8000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12de8000 [0277.494] ReadFile (in: hFile=0x44c, lpBuffer=0x12dc8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12dc8000*, lpNumberOfBytesRead=0x12a5dd1c*=0xf4ad, lpOverlapped=0x0) returned 1 [0277.498] VirtualAlloc (lpAddress=0x12e08000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e08000 [0277.501] GetFileType (hFile=0x44c) returned 0x1 [0277.501] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.502] WriteFile (in: hFile=0x44c, lpBuffer=0x12e08000*, nNumberOfBytesToWrite=0xf4ad, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12e08000*, lpNumberOfBytesWritten=0x12a5dd00*=0xf4ad, lpOverlapped=0x12a5dd0c) returned 1 [0277.502] GetFileType (hFile=0x44c) returned 0x1 [0277.502] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xf4ad, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.502] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801601 | out: pbBuffer=0x12801601) returned 1 [0277.503] VirtualAlloc (lpAddress=0x12e18000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e18000 [0277.503] VirtualAlloc (lpAddress=0x12e1a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e1a000 [0277.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801701 | out: pbBuffer=0x12801701) returned 1 [0277.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801801 | out: pbBuffer=0x12801801) returned 1 [0277.504] VirtualAlloc (lpAddress=0x12e1c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e1c000 [0277.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914568 | out: pbBuffer=0x12914568) returned 1 [0277.505] VirtualAlloc (lpAddress=0x12e1e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e1e000 [0277.506] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\dkhx.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\dkhx.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.506] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.506] WriteFile (in: hFile=0x45c, lpBuffer=0x12dc6500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6500*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.506] CloseHandle (hObject=0x45c) returned 1 [0277.507] CloseHandle (hObject=0x44c) returned 1 [0277.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914580 | out: pbBuffer=0x12914580) returned 1 [0277.507] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\dkhx.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\dkhx.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[706AB336E45B6787]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[706ab336e45b6787]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.509] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ecMxh0OUCIsrss68.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ecmxh0oucisrss68.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.510] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.510] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ecMxh0OUCIsrss68.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ecmxh0oucisrss68.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5aebc130, ftCreationTime.dwHighDateTime=0x1d82997, ftLastAccessTime.dwLowDateTime=0x159be520, ftLastAccessTime.dwHighDateTime=0x1d829b4, ftLastWriteTime.dwLowDateTime=0x159be520, ftLastWriteTime.dwHighDateTime=0x1d829b4, nFileSizeHigh=0x0, nFileSizeLow=0x4f16)) returned 1 [0277.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12dbc8a0 | out: pbBuffer=0x12dbc8a0) returned 1 [0277.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145c8 | out: pbBuffer=0x129145c8) returned 1 [0277.511] VirtualAlloc (lpAddress=0x12e20000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e20000 [0277.512] VirtualAlloc (lpAddress=0x12e40000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e40000 [0277.513] ReadFile (in: hFile=0x44c, lpBuffer=0x12e20000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e20000*, lpNumberOfBytesRead=0x12a5dd1c*=0x4f16, lpOverlapped=0x0) returned 1 [0277.517] VirtualAlloc (lpAddress=0x12e60000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e60000 [0277.519] GetFileType (hFile=0x44c) returned 0x1 [0277.519] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.519] WriteFile (in: hFile=0x44c, lpBuffer=0x12e60000*, nNumberOfBytesToWrite=0x4f16, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12e60000*, lpNumberOfBytesWritten=0x12a5dd00*=0x4f16, lpOverlapped=0x12a5dd0c) returned 1 [0277.519] GetFileType (hFile=0x44c) returned 0x1 [0277.519] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x4f16, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801a81 | out: pbBuffer=0x12801a81) returned 1 [0277.520] VirtualAlloc (lpAddress=0x12e6a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e6a000 [0277.520] VirtualAlloc (lpAddress=0x12e6c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e6c000 [0277.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b81 | out: pbBuffer=0x12801b81) returned 1 [0277.521] VirtualAlloc (lpAddress=0x12e6e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e6e000 [0277.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801c81 | out: pbBuffer=0x12801c81) returned 1 [0277.522] VirtualAlloc (lpAddress=0x12e70000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e70000 [0277.522] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914690 | out: pbBuffer=0x12914690) returned 1 [0277.523] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ecMxh0OUCIsrss68.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ecmxh0oucisrss68.rtf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.523] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.523] WriteFile (in: hFile=0x45c, lpBuffer=0x12dc6a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dc6a00*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.524] CloseHandle (hObject=0x45c) returned 1 [0277.524] CloseHandle (hObject=0x44c) returned 1 [0277.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146a8 | out: pbBuffer=0x129146a8) returned 1 [0277.524] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ecMxh0OUCIsrss68.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ecmxh0oucisrss68.rtf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[C5682258875D1CD0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[c5682258875d1cd0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hGzhgTOVuGok5gYE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\hgzhgtovugok5gye.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x994c0400, ftCreationTime.dwHighDateTime=0x1d8258a, ftLastAccessTime.dwLowDateTime=0x678eee90, ftLastAccessTime.dwHighDateTime=0x1d82671, ftLastWriteTime.dwLowDateTime=0x678eee90, ftLastWriteTime.dwHighDateTime=0x1d82671, nFileSizeHigh=0x0, nFileSizeLow=0x8a14)) returned 1 [0277.528] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mhliFoX1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mhlifox1.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3625990, ftCreationTime.dwHighDateTime=0x1d823cb, ftLastAccessTime.dwLowDateTime=0xbb55f3d0, ftLastAccessTime.dwHighDateTime=0x1d82904, ftLastWriteTime.dwLowDateTime=0xbb55f3d0, ftLastWriteTime.dwHighDateTime=0x1d82904, nFileSizeHigh=0x0, nFileSizeLow=0x90d3)) returned 1 [0277.528] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hGzhgTOVuGok5gYE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\hgzhgtovugok5gye.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0277.529] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.529] VirtualAlloc (lpAddress=0x12e72000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x12e72000 [0277.530] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hGzhgTOVuGok5gYE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\hgzhgtovugok5gye.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a5dad0 | out: lpFileInformation=0x12a5dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x994c0400, ftCreationTime.dwHighDateTime=0x1d8258a, ftLastAccessTime.dwLowDateTime=0x678eee90, ftLastAccessTime.dwHighDateTime=0x1d82671, ftLastWriteTime.dwLowDateTime=0x678eee90, ftLastWriteTime.dwHighDateTime=0x1d82671, nFileSizeHigh=0x0, nFileSizeLow=0x8a14)) returned 1 [0277.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12dbd060 | out: pbBuffer=0x12dbd060) returned 1 [0277.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915180 | out: pbBuffer=0x12915180) returned 1 [0277.530] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6facc, ulCount=0x10, ulNumEntriesRemoved=0x33d6fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6facc, ulNumEntriesRemoved=0x33d6fab0) returned 0 [0277.530] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6facc, ulCount=0x10, ulNumEntriesRemoved=0x33d6fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x33d6facc, ulNumEntriesRemoved=0x33d6fab0) returned 1 [0289.921] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x12c2e088, lpcbTransfer=0x33d6faac, fWait=0, lpdwFlags=0x33d6fabc | out: lpcbTransfer=0x33d6faac, lpdwFlags=0x33d6fabc) returned 1 [0289.921] setsockopt (s=0x1a4, level=65535, optname=28688, optval="¤\x01", optlen=4) returned 0 [0289.922] SetEvent (hEvent=0x104) returned 1 [0289.922] getsockname (in: s=0x1a4, name=0x1282f890, namelen=0x1282f88c | out: name=0x1282f890*(sa_family=2, sin_port=0xc238, sin_addr="192.168.0.15"), namelen=0x1282f88c) returned 0 [0289.922] getpeername (in: s=0x1a4, name=0x1282f890, namelen=0x1282f88c | out: name=0x1282f890*(sa_family=2, sin_port=0x1bb, sin_addr="149.154.167.220"), namelen=0x1282f88c) returned 0 [0289.922] setsockopt (s=0x1a4, level=6, optname=1, optval="\x01", optlen=4) returned 0 [0289.922] setsockopt (s=0x1a4, level=65535, optname=8, optval="\x01", optlen=4) returned 0 [0289.922] WSAIoctl (in: s=0x1a4, dwIoControlCode=0x98000004, lpvInBuffer=0x1282fb80, cbInBuffer=0xc, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x1282fb78, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x1282fb78, lpOverlapped=0x0) returned 0 [0290.036] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928040 | out: pbBuffer=0x12928040) returned 1 [0290.036] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0290.344] WSASend (in: s=0x1a4, lpBuffers=0x12c2e0b4*=((len=0xee, buf=0x12a3c000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x12c2e0a8, dwFlags=0x0, lpOverlapped=0x12c2e088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x12c2e0a8*=0xee, lpOverlapped=0x12c2e088) returned 0 [0290.358] WSARecv (in: s=0x1a4, lpBuffers=0x12c2e040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x12c2e034, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014, lpCompletionRoutine=0x0 | out: lpBuffers=0x12c2e040*=((len=0x205, buf=0x12b0a000*)), lpNumberOfBytesRecvd=0x12c2e034*=0x0, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014) returned 0 [0290.358] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0xffffffff) returned 0x0 [0290.447] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6facc, ulCount=0x10, ulNumEntriesRemoved=0x33d6fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6facc, ulNumEntriesRemoved=0x33d6fab0) returned 0 [0290.447] SetEvent (hEvent=0xfc) returned 1 [0290.447] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\HDkvkngN2it Nq n.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\hdkvkngn2it nq n.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38605f50, ftCreationTime.dwHighDateTime=0x1d824ff, ftLastAccessTime.dwLowDateTime=0xb1412210, ftLastAccessTime.dwHighDateTime=0x1d8264e, ftLastWriteTime.dwLowDateTime=0xb1412210, ftLastWriteTime.dwHighDateTime=0x1d8264e, nFileSizeHigh=0x0, nFileSizeLow=0x21e3)) returned 1 [0290.447] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6facc, ulCount=0x10, ulNumEntriesRemoved=0x33d6fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x33d6facc, ulNumEntriesRemoved=0x33d6fab0) returned 0 [0290.450] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x33d6facc, ulCount=0x10, ulNumEntriesRemoved=0x33d6fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x33d6facc, ulNumEntriesRemoved=0x33d6fab0) returned 1 [0291.986] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x12c2e014, lpcbTransfer=0x33d6faac, fWait=0, lpdwFlags=0x33d6fabc | out: lpcbTransfer=0x33d6faac, lpdwFlags=0x33d6fabc) returned 1 [0291.999] SetEvent (hEvent=0x3f8) returned 1 [0292.032] SetEvent (hEvent=0x420) returned 1 [0292.070] SetEvent (hEvent=0x1b8) returned 1 [0292.070] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x15f6a) returned 0x102 [0302.079] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x13850) returned 0x102 [0312.120] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x11124) Thread: id = 18 os_tid = 0x13d4 Thread: id = 19 os_tid = 0xec4 Thread: id = 22 os_tid = 0x133c [0164.529] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3412ff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3412ff30*=0x410) returned 1 [0164.529] VirtualQuery (in: lpAddress=0x3412ff40, lpBuffer=0x3412ff40, dwLength=0x1c | out: lpBuffer=0x3412ff40*(BaseAddress=0x3412f000, AllocationBase=0x34030000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0164.529] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x420 [0164.529] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0166.242] SetEvent (hEvent=0x3f8) returned 1 [0166.252] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0167.328] SetEvent (hEvent=0x40c) returned 1 [0167.328] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0167.526] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0167.612] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0167.613] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0167.613] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64441c43, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x15dd6)) returned 1 [0167.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a982e0 | out: pbBuffer=0x12a982e0) returned 1 [0167.613] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145d0 | out: pbBuffer=0x129145d0) returned 1 [0167.614] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c62000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c62000*, lpNumberOfBytesRead=0x1282fd1c*=0x15dd6, lpOverlapped=0x0) returned 1 [0167.622] GetFileType (hFile=0x1a0) returned 0x1 [0167.622] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0167.622] WriteFile (in: hFile=0x1a0, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x15dd6, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x1282fd00*=0x15dd6, lpOverlapped=0x1282fd0c) returned 1 [0167.623] GetFileType (hFile=0x1a0) returned 0x1 [0167.623] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x15dd6, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0167.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0167.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0167.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0167.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914698 | out: pbBuffer=0x12914698) returned 1 [0167.623] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0167.624] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0167.624] WriteFile (in: hFile=0x41c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0167.624] CloseHandle (hObject=0x41c) returned 1 [0167.641] CloseHandle (hObject=0x1a0) returned 1 [0167.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146b0 | out: pbBuffer=0x129146b0) returned 1 [0167.644] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[EBDB6618A8E503D1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[ebdb6618a8e503d1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0167.756] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0167.766] SetEvent (hEvent=0x40c) returned 1 [0167.766] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0167.766] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0167.766] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d6ced4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d6ced4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64629b0d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x176c8)) returned 1 [0167.766] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844320 | out: pbBuffer=0x12844320) returned 1 [0167.766] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a930 | out: pbBuffer=0x12a9a930) returned 1 [0167.768] ReadFile (in: hFile=0x1a0, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a67d1c*=0x176c8, lpOverlapped=0x0) returned 1 [0167.774] GetFileType (hFile=0x1a0) returned 0x1 [0167.774] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.775] WriteFile (in: hFile=0x1a0, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x176c8, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x12a67d00*=0x176c8, lpOverlapped=0x12a67d0c) returned 1 [0167.776] GetFileType (hFile=0x1a0) returned 0x1 [0167.776] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x176c8, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0167.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0167.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0167.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0167.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a9e8 | out: pbBuffer=0x12a9a9e8) returned 1 [0167.777] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0167.777] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0167.777] WriteFile (in: hFile=0x424, lpBuffer=0x12b4c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b4c500*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0167.777] CloseHandle (hObject=0x424) returned 1 [0167.784] CloseHandle (hObject=0x1a0) returned 1 [0167.787] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aa00 | out: pbBuffer=0x12a9aa00) returned 1 [0167.787] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[A05837150218CE05]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[a05837150218ce05]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.023] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0168.023] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0168.023] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bf5a6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82bf5a6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64811bd3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x19170)) returned 1 [0168.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0168.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0168.024] ReadFile (in: hFile=0x19c, lpBuffer=0x12b52000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b52000*, lpNumberOfBytesRead=0x12925d1c*=0x19170, lpOverlapped=0x0) returned 1 [0168.039] GetFileType (hFile=0x19c) returned 0x1 [0168.040] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.040] WriteFile (in: hFile=0x19c, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x19170, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12925d00*=0x19170, lpOverlapped=0x12925d0c) returned 1 [0168.040] GetFileType (hFile=0x19c) returned 0x1 [0168.041] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x19170, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.041] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0168.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0168.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0168.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0168.042] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0168.042] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0168.043] WriteFile (in: hFile=0x424, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0168.043] CloseHandle (hObject=0x424) returned 1 [0168.169] SetEvent (hEvent=0x110) returned 1 [0168.169] CloseHandle (hObject=0x19c) returned 1 [0168.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810108 | out: pbBuffer=0x12810108) returned 1 [0168.176] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[16C7F6CE5AAB7AFD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[16c7f6ce5aab7afd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.309] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0168.316] SetEvent (hEvent=0x1d0) returned 1 [0168.316] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0168.316] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0168.316] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x646e8b6c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x12d6e)) returned 1 [0168.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0168.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129148f8 | out: pbBuffer=0x129148f8) returned 1 [0168.317] ReadFile (in: hFile=0x424, lpBuffer=0x12bb2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bb2000*, lpNumberOfBytesRead=0x12925d1c*=0x12d6e, lpOverlapped=0x0) returned 1 [0168.326] GetFileType (hFile=0x424) returned 0x1 [0168.326] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.326] WriteFile (in: hFile=0x424, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x12d6e, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x12925d00*=0x12d6e, lpOverlapped=0x12925d0c) returned 1 [0168.327] GetFileType (hFile=0x424) returned 0x1 [0168.327] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x12d6e, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0168.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0168.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0168.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914a50 | out: pbBuffer=0x12914a50) returned 1 [0168.327] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0168.328] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0168.328] WriteFile (in: hFile=0x19c, lpBuffer=0x12af4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4500*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0168.328] CloseHandle (hObject=0x19c) returned 1 [0168.347] CloseHandle (hObject=0x424) returned 1 [0168.352] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914a68 | out: pbBuffer=0x12914a68) returned 1 [0168.352] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[58C92EF98AFC50F8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[58c92ef98afc50f8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.626] SetEvent (hEvent=0x3f8) returned 1 [0168.626] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x424 [0168.626] GetConsoleMode (in: hConsoleHandle=0x424, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0168.626] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83460030, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83460030, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x653fa2bf, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2656)) returned 1 [0168.626] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845280 | out: pbBuffer=0x12845280) returned 1 [0168.627] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914d50 | out: pbBuffer=0x12914d50) returned 1 [0168.637] ReadFile (in: hFile=0x424, lpBuffer=0x12ca0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca0000*, lpNumberOfBytesRead=0x12925d1c*=0x2656, lpOverlapped=0x0) returned 1 [0168.641] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0168.643] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0168.643] SetEvent (hEvent=0x110) returned 1 [0168.643] SetEvent (hEvent=0x1d0) returned 1 [0168.643] GetFileType (hFile=0x424) returned 0x1 [0168.643] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.643] WriteFile (in: hFile=0x424, lpBuffer=0x12be2000*, nNumberOfBytesToWrite=0x2656, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12be2000*, lpNumberOfBytesWritten=0x12925d00*=0x2656, lpOverlapped=0x12925d0c) returned 1 [0168.644] GetFileType (hFile=0x424) returned 0x1 [0168.644] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x2656, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801d81 | out: pbBuffer=0x12801d81) returned 1 [0168.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801e81 | out: pbBuffer=0x12801e81) returned 1 [0168.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801f81 | out: pbBuffer=0x12801f81) returned 1 [0168.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914e68 | out: pbBuffer=0x12914e68) returned 1 [0168.646] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0168.646] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0168.646] WriteFile (in: hFile=0x41c, lpBuffer=0x12af5400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af5400*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0168.647] CloseHandle (hObject=0x41c) returned 1 [0168.662] CloseHandle (hObject=0x424) returned 1 [0168.672] SwitchToThread () returned 1 [0168.801] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848000 | out: pbBuffer=0x12848000) returned 1 [0168.801] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[931C9A13B1CC37A5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[931c9a13b1cc37a5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0168.996] SetEvent (hEvent=0x110) returned 1 [0168.996] SetEvent (hEvent=0x3f8) returned 1 [0168.996] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64mui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0168.996] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0168.997] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64mui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fcc6db, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82fcc6db, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x656085a0, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x55c2)) returned 1 [0168.997] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6e0 | out: pbBuffer=0x1280e6e0) returned 1 [0168.997] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a268 | out: pbBuffer=0x12a9a268) returned 1 [0168.997] ReadFile (in: hFile=0x41c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12925d1c*=0x55c2, lpOverlapped=0x0) returned 1 [0169.001] GetFileType (hFile=0x41c) returned 0x1 [0169.001] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.002] WriteFile (in: hFile=0x41c, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x55c2, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12925d00*=0x55c2, lpOverlapped=0x12925d0c) returned 1 [0169.002] GetFileType (hFile=0x41c) returned 0x1 [0169.002] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x55c2, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd01 | out: pbBuffer=0x12afcd01) returned 1 [0169.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0169.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf01 | out: pbBuffer=0x12afcf01) returned 1 [0169.003] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a320 | out: pbBuffer=0x12a9a320) returned 1 [0169.003] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64mui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.003] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0169.003] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.003] CloseHandle (hObject=0x42c) returned 1 [0169.007] CloseHandle (hObject=0x41c) returned 1 [0169.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a338 | out: pbBuffer=0x12a9a338) returned 1 [0169.016] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64mui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[CEE13F1A882F0861]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[cee13f1a882f0861]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.271] SetEvent (hEvent=0x3f8) returned 1 [0169.271] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0169.271] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0169.271] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d73041, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d73041, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x657cb5e1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa)) returned 1 [0169.272] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eae0 | out: pbBuffer=0x1280eae0) returned 1 [0169.272] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a9f8 | out: pbBuffer=0x12a9a9f8) returned 1 [0169.273] ReadFile (in: hFile=0x408, lpBuffer=0x12d40000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d40000*, lpNumberOfBytesRead=0x12925d1c*=0x7fa, lpOverlapped=0x0) returned 1 [0169.277] GetFileType (hFile=0x408) returned 0x1 [0169.277] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.277] WriteFile (in: hFile=0x408, lpBuffer=0x12d60000*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12d60000*, lpNumberOfBytesWritten=0x12925d00*=0x7fa, lpOverlapped=0x12925d0c) returned 1 [0169.278] GetFileType (hFile=0x408) returned 0x1 [0169.278] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x7fa, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.278] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afda01 | out: pbBuffer=0x12afda01) returned 1 [0169.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afdb01 | out: pbBuffer=0x12afdb01) returned 1 [0169.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afdc01 | out: pbBuffer=0x12afdc01) returned 1 [0169.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9aab0 | out: pbBuffer=0x12a9aab0) returned 1 [0169.279] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.279] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0169.279] WriteFile (in: hFile=0x42c, lpBuffer=0x12d66000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d66000*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.280] CloseHandle (hObject=0x42c) returned 1 [0169.284] CloseHandle (hObject=0x408) returned 1 [0169.286] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aac8 | out: pbBuffer=0x12a9aac8) returned 1 [0169.287] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[8BBD4696EB0E8CC4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[8bbd4696eb0e8cc4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.512] SetEvent (hEvent=0x3f8) returned 1 [0169.512] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0169.513] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0169.513] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d39ab3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d39ab3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65a5d95d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x178c4)) returned 1 [0169.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0169.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a310 | out: pbBuffer=0x12a9a310) returned 1 [0169.513] ReadFile (in: hFile=0x408, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12925d1c*=0x178c4, lpOverlapped=0x0) returned 1 [0169.522] GetFileType (hFile=0x408) returned 0x1 [0169.522] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.522] WriteFile (in: hFile=0x408, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x178c4, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12925d00*=0x178c4, lpOverlapped=0x12925d0c) returned 1 [0169.523] GetFileType (hFile=0x408) returned 0x1 [0169.523] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x178c4, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0169.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0169.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0169.524] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a3c8 | out: pbBuffer=0x12a9a3c8) returned 1 [0169.524] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.524] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0169.524] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.524] CloseHandle (hObject=0x42c) returned 1 [0169.533] CloseHandle (hObject=0x408) returned 1 [0169.537] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a3e0 | out: pbBuffer=0x12a9a3e0) returned 1 [0169.537] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[F4744DEDFEB2216C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[f4744dedfeb2216c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.703] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0169.710] SetEvent (hEvent=0x1b8) returned 1 [0169.710] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0169.711] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0169.711] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82adb9f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82adb9f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6469c575, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xaac34)) returned 1 [0169.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6e0 | out: pbBuffer=0x1280e6e0) returned 1 [0169.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848c30 | out: pbBuffer=0x12848c30) returned 1 [0169.711] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c88000*, lpNumberOfBytesRead=0x12925d1c*=0x20000, lpOverlapped=0x0) returned 1 [0169.719] GetFileType (hFile=0x1a0) returned 0x1 [0169.720] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.720] WriteFile (in: hFile=0x1a0, lpBuffer=0x12cc8000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12cc8000*, lpNumberOfBytesWritten=0x12925d00*=0x20000, lpOverlapped=0x12925d0c) returned 1 [0169.720] GetFileType (hFile=0x1a0) returned 0x1 [0169.720] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0169.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0169.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801901 | out: pbBuffer=0x12801901) returned 1 [0169.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848d68 | out: pbBuffer=0x12848d68) returned 1 [0169.721] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.721] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0169.721] WriteFile (in: hFile=0x42c, lpBuffer=0x12a4ca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a4ca00*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.727] CloseHandle (hObject=0x42c) returned 1 [0169.765] CloseHandle (hObject=0x1a0) returned 1 [0169.825] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d80 | out: pbBuffer=0x12848d80) returned 1 [0169.826] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[A6CD167D9EB63600]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[a6cd167d9eb63600]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0170.240] SetEvent (hEvent=0x3f8) returned 1 [0170.240] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0170.240] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0170.240] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x828cdbb9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64e40818, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70)) returned 1 [0170.240] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0170.241] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848600 | out: pbBuffer=0x12848600) returned 1 [0170.241] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c6e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c6e000*, lpNumberOfBytesRead=0x12925d1c*=0x20000, lpOverlapped=0x0) returned 1 [0170.248] GetFileType (hFile=0x1a0) returned 0x1 [0170.249] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.249] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d48000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x12d48000*, lpNumberOfBytesWritten=0x12925d00*=0x20000, lpOverlapped=0x12925d0c) returned 1 [0170.249] GetFileType (hFile=0x1a0) returned 0x1 [0170.250] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.250] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0170.250] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0170.250] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0170.250] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848708 | out: pbBuffer=0x12848708) returned 1 [0170.250] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0170.250] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0170.251] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0170.257] CloseHandle (hObject=0x42c) returned 1 [0170.315] CloseHandle (hObject=0x1a0) returned 1 [0170.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848720 | out: pbBuffer=0x12848720) returned 1 [0170.383] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[DB5D92E6EE81E32A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[db5d92e6ee81e32a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0170.622] SetEvent (hEvent=0x3f8) returned 1 [0170.622] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0170.622] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0170.622] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778"), fInfoLevelId=0x0, lpFileInformation=0x12925ad0 | out: lpFileInformation=0x12925ad0*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x61d)) returned 1 [0170.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a982a0 | out: pbBuffer=0x12a982a0) returned 1 [0170.623] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128492f0 | out: pbBuffer=0x128492f0) returned 1 [0170.623] ReadFile (in: hFile=0x41c, lpBuffer=0x12cce000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12925d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cce000*, lpNumberOfBytesRead=0x12925d1c*=0x61d, lpOverlapped=0x0) returned 1 [0170.638] GetFileType (hFile=0x41c) returned 0x1 [0170.638] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.638] WriteFile (in: hFile=0x41c, lpBuffer=0x1290c700*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x12925d00, lpOverlapped=0x12925d0c | out: lpBuffer=0x1290c700*, lpNumberOfBytesWritten=0x12925d00*=0x61d, lpOverlapped=0x12925d0c) returned 1 [0170.639] GetFileType (hFile=0x41c) returned 0x1 [0170.639] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x61d, lpNewFilePointer=0x0, dwMoveMethod=0x12925ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0170.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0170.641] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0170.641] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849418 | out: pbBuffer=0x12849418) returned 1 [0170.641] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0170.641] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12925d0c | out: lpMode=0x12925d0c) returned 0 [0170.642] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12925d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12925d0c*=0x276, lpOverlapped=0x0) returned 1 [0170.642] CloseHandle (hObject=0x1a0) returned 1 [0170.649] CloseHandle (hObject=0x41c) returned 1 [0170.650] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849450 | out: pbBuffer=0x12849450) returned 1 [0170.650] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778"), lpNewFileName="C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\#_THIS_FILE_IS_ENCRYPTED_[C7E89F5379EE48DB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\#_this_file_is_encrypted_[c7e89f5379ee48db]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0170.720] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0172.041] SwitchToThread () returned 1 [0172.077] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.078] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.078] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0172.376] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.376] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.376] SwitchToThread () returned 1 [0172.390] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0172.512] SetEvent (hEvent=0x10c) returned 1 [0172.513] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.513] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.513] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.513] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico\\*", lpFindFileData=0x12a67a44 | out: lpFindFileData=0x12a67a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.513] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.513] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.513] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.514] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.514] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0172.526] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0172.551] SetEvent (hEvent=0x10c) returned 1 [0172.551] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.551] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.552] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.633] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.633] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.633] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico\\*", lpFindFileData=0x12a67a44 | out: lpFindFileData=0x12a67a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.634] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.634] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.634] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0172.709] SetEvent (hEvent=0x10c) returned 1 [0172.709] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.709] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico\\*", lpFindFileData=0x12a67a44 | out: lpFindFileData=0x12a67a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.709] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.709] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.710] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.710] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.710] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.710] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.710] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0172.798] SetEvent (hEvent=0x1d0) returned 1 [0172.798] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0172.871] SetEvent (hEvent=0x10c) returned 1 [0172.887] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.887] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml\\*", lpFindFileData=0x1282fa44 | out: lpFindFileData=0x1282fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.938] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0173.023] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0173.023] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0173.068] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0173.068] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0173.070] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0173.070] SetEvent (hEvent=0x110) returned 1 [0173.081] SetEvent (hEvent=0x1d0) returned 1 [0173.081] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0173.129] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0173.129] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.130] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.130] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0173.132] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xdfc4722e, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xdfc4722e, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xdff8e649, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="cfc.flights.json", cAlternateFileName="CFCFLI~1.JSO")) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0db65ac, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x4a30b, dwReserved0=0x0, dwReserved1=0x0, cFileName="telemetry.ASM-WindowsDefault.json", cAlternateFileName="TELEME~1.JSO")) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x334, dwReserved0=0x0, dwReserved1=0x0, cFileName="telemetry.ASM-WindowsDefault.json.bk", cAlternateFileName="TELEME~1.BK")) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0964002, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0db65ac, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x14615, dwReserved0=0x0, dwReserved1=0x0, cFileName="utc.app.json", cAlternateFileName="UTCAPP~1.JSO")) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x598, dwReserved0=0x0, dwReserved1=0x0, cFileName="utc.app.json.bk", cAlternateFileName="UTCAPP~1.BK")) returned 1 [0173.132] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.132] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0173.134] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.135] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.135] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0173.136] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0173.136] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0173.138] CloseHandle (hObject=0x42c) returned 1 [0173.138] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xdfc4722e, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xdfc4722e, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xdff8e649, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1c9)) returned 1 [0173.231] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0db65ac, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x4a30b)) returned 1 [0173.231] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x334)) returned 1 [0173.232] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0964002, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0db65ac, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x14615)) returned 1 [0173.233] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0173.233] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12923d0c | out: lpMode=0x12923d0c) returned 0 [0173.233] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), fInfoLevelId=0x0, lpFileInformation=0x12923ad0 | out: lpFileInformation=0x12923ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x334)) returned 1 [0173.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98080 | out: pbBuffer=0x12a98080) returned 1 [0173.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848d80 | out: pbBuffer=0x12848d80) returned 1 [0173.234] ReadFile (in: hFile=0x42c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12923d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12923d1c*=0x334, lpOverlapped=0x0) returned 1 [0173.448] GetFileType (hFile=0x42c) returned 0x1 [0173.448] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0173.448] WriteFile (in: hFile=0x42c, lpBuffer=0x12c22000*, nNumberOfBytesToWrite=0x334, lpNumberOfBytesWritten=0x12923d00, lpOverlapped=0x12923d0c | out: lpBuffer=0x12c22000*, lpNumberOfBytesWritten=0x12923d00*=0x334, lpOverlapped=0x12923d0c) returned 1 [0173.448] GetFileType (hFile=0x42c) returned 0x1 [0173.448] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x334, lpNewFilePointer=0x0, dwMoveMethod=0x12923ce4 | out: lpNewFilePointer=0x0) returned 1 [0173.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0173.772] SetEvent (hEvent=0x10c) returned 1 [0173.774] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0174.659] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0174.725] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0174.868] SetEvent (hEvent=0x10c) returned 1 [0174.868] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0174.964] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0175.036] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0175.247] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0175.349] SetEvent (hEvent=0x40c) returned 1 [0175.349] SetEvent (hEvent=0x19c) returned 1 [0175.349] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0176.157] SetEvent (hEvent=0x1d0) returned 1 [0176.157] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0176.591] SwitchToThread () returned 1 [0176.609] SetEvent (hEvent=0xf4) returned 1 [0176.609] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0176.762] SwitchToThread () returned 1 [0177.226] SetEvent (hEvent=0x1d0) returned 1 [0177.226] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0180.191] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0180.492] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0180.602] SwitchToThread () returned 1 [0180.610] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0181.011] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0181.011] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.011] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xd1c)) returned 1 [0181.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128440a0 | out: pbBuffer=0x128440a0) returned 1 [0181.012] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0181.012] ReadFile (in: hFile=0x3c4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a63d1c*=0xd1c, lpOverlapped=0x0) returned 1 [0181.045] GetFileType (hFile=0x3c4) returned 0x1 [0181.045] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.045] WriteFile (in: hFile=0x3c4, lpBuffer=0x12850000*, nNumberOfBytesToWrite=0xd1c, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12850000*, lpNumberOfBytesWritten=0x12a63d00*=0xd1c, lpOverlapped=0x12a63d0c) returned 1 [0181.045] GetFileType (hFile=0x3c4) returned 0x1 [0181.045] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0xd1c, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0181.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0181.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0181.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101f0 | out: pbBuffer=0x128101f0) returned 1 [0181.046] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.047] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0181.047] WriteFile (in: hFile=0x428, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.047] CloseHandle (hObject=0x428) returned 1 [0181.048] CloseHandle (hObject=0x3c4) returned 1 [0181.048] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810208 | out: pbBuffer=0x12810208) returned 1 [0181.048] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\#_THIS_FILE_IS_ENCRYPTED_[A9D27D0BA2291083]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\#_this_file_is_encrypted_[a9d27d0ba2291083]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.050] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0181.090] SetEvent (hEvent=0x3f4) returned 1 [0181.090] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0181.090] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0181.091] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d2f19c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d2f19c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0181.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0181.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0181.091] ReadFile (in: hFile=0x43c, lpBuffer=0x12d16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d16000*, lpNumberOfBytesRead=0x12a65d1c*=0x10f, lpOverlapped=0x0) returned 1 [0181.092] GetFileType (hFile=0x43c) returned 0x1 [0181.092] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.092] WriteFile (in: hFile=0x43c, lpBuffer=0x12bea6c0*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12bea6c0*, lpNumberOfBytesWritten=0x12a65d00*=0x10f, lpOverlapped=0x12a65d0c) returned 1 [0181.092] GetFileType (hFile=0x43c) returned 0x1 [0181.092] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0181.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0181.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0181.093] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0e0 | out: pbBuffer=0x12a9a0e0) returned 1 [0181.093] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0181.094] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0181.094] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a5e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a5e000*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.118] CloseHandle (hObject=0x1a0) returned 1 [0181.120] CloseHandle (hObject=0x43c) returned 1 [0181.120] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a208 | out: pbBuffer=0x12a9a208) returned 1 [0181.121] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\#_THIS_FILE_IS_ENCRYPTED_[C2145F6BCF06C2D1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\#_this_file_is_encrypted_[c2145f6bcf06c2d1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.202] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0181.214] SetEvent (hEvent=0xfc) returned 1 [0181.214] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebc2ab1, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xebc2ab1, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xebc2ab1, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x666)) returned 1 [0181.214] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.214] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.215] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0181.222] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.222] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18f51ef, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18f51ef, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18f51ef, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71d, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0181.222] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18cef80, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18cef80, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18cef80, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0181.223] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0181.223] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.223] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0181.224] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.226] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.226] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0181.227] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0181.227] WriteFile (in: hFile=0x15c, lpBuffer=0x12d60000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12d60000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0181.229] CloseHandle (hObject=0x15c) returned 1 [0181.230] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18cef80, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18cef80, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18cef80, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0181.279] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.280] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.280] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0181.280] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.280] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0181.280] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18a8d11, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18a8d11, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0181.280] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.280] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0181.281] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.281] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.281] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.281] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0181.281] WriteFile (in: hFile=0x428, lpBuffer=0x12d61300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12d61300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0181.283] CloseHandle (hObject=0x428) returned 1 [0181.284] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0181.284] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0181.284] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0181.284] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0181.284] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x0, dwReserved1=0x0, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0181.284] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0181.284] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0181.285] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0181.285] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0181.285] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.285] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0181.285] WriteFile (in: hFile=0x428, lpBuffer=0x12d63900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12d63900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0181.287] CloseHandle (hObject=0x428) returned 1 [0181.287] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416)) returned 1 [0181.308] SetEvent (hEvent=0xf4) returned 1 [0181.308] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18a8d11, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18a8d11, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c)) returned 1 [0181.308] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18f51ef, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18f51ef, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18f51ef, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71d)) returned 1 [0181.308] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0181.308] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0181.309] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18a8d11, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18a8d11, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c)) returned 1 [0181.309] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a980a0 | out: pbBuffer=0x12a980a0) returned 1 [0181.309] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914580 | out: pbBuffer=0x12914580) returned 1 [0181.309] ReadFile (in: hFile=0x15c, lpBuffer=0x12d36000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d36000*, lpNumberOfBytesRead=0x12927d1c*=0x15c, lpOverlapped=0x0) returned 1 [0181.311] GetFileType (hFile=0x15c) returned 0x1 [0181.311] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.311] WriteFile (in: hFile=0x15c, lpBuffer=0x128849a0*, nNumberOfBytesToWrite=0x15c, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x128849a0*, lpNumberOfBytesWritten=0x12927d00*=0x15c, lpOverlapped=0x12927d0c) returned 1 [0181.311] GetFileType (hFile=0x15c) returned 0x1 [0181.311] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x15c, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0181.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0181.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0181.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914638 | out: pbBuffer=0x12914638) returned 1 [0181.312] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0181.312] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0181.312] WriteFile (in: hFile=0x438, lpBuffer=0x12d68000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d68000*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.396] CloseHandle (hObject=0x438) returned 1 [0181.396] CloseHandle (hObject=0x15c) returned 1 [0181.405] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914830 | out: pbBuffer=0x12914830) returned 1 [0181.405] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[0E3573FB3AABFA23]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\#_this_file_is_encrypted_[0e3573fb3aabfa23]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.727] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0181.746] SetEvent (hEvent=0x1d0) returned 1 [0181.747] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0181.766] SetEvent (hEvent=0x1d0) returned 1 [0181.766] SwitchToThread () returned 1 [0181.794] SetEvent (hEvent=0x3f8) returned 1 [0181.794] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0181.795] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0181.795] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0fddd6c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xda6)) returned 1 [0181.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0181.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0181.795] ReadFile (in: hFile=0x42c, lpBuffer=0x12cb0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cb0000*, lpNumberOfBytesRead=0x12a61d1c*=0xda6, lpOverlapped=0x0) returned 1 [0181.800] GetFileType (hFile=0x42c) returned 0x1 [0181.800] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.800] WriteFile (in: hFile=0x42c, lpBuffer=0x12beb000*, nNumberOfBytesToWrite=0xda6, lpNumberOfBytesWritten=0x12a61d00, lpOverlapped=0x12a61d0c | out: lpBuffer=0x12beb000*, lpNumberOfBytesWritten=0x12a61d00*=0xda6, lpOverlapped=0x12a61d0c) returned 1 [0181.803] GetFileType (hFile=0x42c) returned 0x1 [0181.803] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xda6, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.803] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0181.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0181.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0181.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0181.804] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0181.804] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0181.804] WriteFile (in: hFile=0x428, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a61d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.821] CloseHandle (hObject=0x428) returned 1 [0181.979] CloseHandle (hObject=0x42c) returned 1 [0182.045] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0182.045] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\#_THIS_FILE_IS_ENCRYPTED_[74BD0D99753C145E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\#_this_file_is_encrypted_[74bd0d99753c145e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.046] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.047] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0182.047] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fd4d57, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9fd4d57, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9fd4d57, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0182.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284a0 | out: pbBuffer=0x129284a0) returned 1 [0182.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848530 | out: pbBuffer=0x12848530) returned 1 [0182.047] ReadFile (in: hFile=0x42c, lpBuffer=0x12bc8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bc8000*, lpNumberOfBytesRead=0x12927d1c*=0x10f, lpOverlapped=0x0) returned 1 [0182.049] GetFileType (hFile=0x42c) returned 0x1 [0182.049] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.049] WriteFile (in: hFile=0x42c, lpBuffer=0x12c30d80*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12c30d80*, lpNumberOfBytesWritten=0x12927d00*=0x10f, lpOverlapped=0x12927d0c) returned 1 [0182.049] GetFileType (hFile=0x42c) returned 0x1 [0182.049] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0182.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0182.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0182.050] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848608 | out: pbBuffer=0x12848608) returned 1 [0182.050] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0182.050] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0182.050] WriteFile (in: hFile=0x428, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.062] CloseHandle (hObject=0x428) returned 1 [0182.063] CloseHandle (hObject=0x42c) returned 1 [0182.063] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848630 | out: pbBuffer=0x12848630) returned 1 [0182.063] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\#_THIS_FILE_IS_ENCRYPTED_[0DE03F81BC02BCA8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\#_this_file_is_encrypted_[0de03f81bc02bca8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.065] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0182.083] SetEvent (hEvent=0xf4) returned 1 [0182.083] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0182.083] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.083] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e574f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e574f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x19aa)) returned 1 [0182.083] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286c0 | out: pbBuffer=0x129286c0) returned 1 [0182.083] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128486a8 | out: pbBuffer=0x128486a8) returned 1 [0182.084] ReadFile (in: hFile=0x43c, lpBuffer=0x12bfe000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bfe000*, lpNumberOfBytesRead=0x12a67d1c*=0x19aa, lpOverlapped=0x0) returned 1 [0182.093] GetFileType (hFile=0x43c) returned 0x1 [0182.093] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.093] WriteFile (in: hFile=0x43c, lpBuffer=0x12d5e000*, nNumberOfBytesToWrite=0x19aa, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12d5e000*, lpNumberOfBytesWritten=0x12a67d00*=0x19aa, lpOverlapped=0x12a67d0c) returned 1 [0182.094] GetFileType (hFile=0x43c) returned 0x1 [0182.094] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x19aa, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.094] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc81 | out: pbBuffer=0x12afcc81) returned 1 [0182.094] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd81 | out: pbBuffer=0x12afcd81) returned 1 [0182.094] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce81 | out: pbBuffer=0x12afce81) returned 1 [0182.095] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848790 | out: pbBuffer=0x12848790) returned 1 [0182.095] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0182.095] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.095] WriteFile (in: hFile=0x3c4, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.095] CloseHandle (hObject=0x3c4) returned 1 [0182.101] CloseHandle (hObject=0x43c) returned 1 [0182.101] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128487b8 | out: pbBuffer=0x128487b8) returned 1 [0182.102] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[5F9BC8669C756523]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\#_this_file_is_encrypted_[5f9bc8669c756523]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.103] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0182.103] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.103] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f62605, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f62605, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f62605, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939)) returned 1 [0182.103] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129288c0 | out: pbBuffer=0x129288c0) returned 1 [0182.103] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848800 | out: pbBuffer=0x12848800) returned 1 [0182.103] ReadFile (in: hFile=0x43c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a67d1c*=0x1939, lpOverlapped=0x0) returned 1 [0182.141] GetFileType (hFile=0x43c) returned 0x1 [0182.141] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.141] WriteFile (in: hFile=0x43c, lpBuffer=0x12bf4000*, nNumberOfBytesToWrite=0x1939, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12bf4000*, lpNumberOfBytesWritten=0x12a67d00*=0x1939, lpOverlapped=0x12a67d0c) returned 1 [0182.141] GetFileType (hFile=0x43c) returned 0x1 [0182.141] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x1939, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.142] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd001 | out: pbBuffer=0x12afd001) returned 1 [0182.142] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd101 | out: pbBuffer=0x12afd101) returned 1 [0182.142] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd201 | out: pbBuffer=0x12afd201) returned 1 [0182.142] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848948 | out: pbBuffer=0x12848948) returned 1 [0182.142] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0182.142] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.142] WriteFile (in: hFile=0x438, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.143] CloseHandle (hObject=0x438) returned 1 [0182.144] CloseHandle (hObject=0x43c) returned 1 [0182.145] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848970 | out: pbBuffer=0x12848970) returned 1 [0182.145] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_4.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[30CF3AD59E6A5F05]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\#_this_file_is_encrypted_[30cf3ad59e6a5f05]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.146] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0182.146] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.146] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x757)) returned 1 [0182.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928ac0 | out: pbBuffer=0x12928ac0) returned 1 [0182.147] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128489d8 | out: pbBuffer=0x128489d8) returned 1 [0182.147] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0182.147] SetEvent (hEvent=0xfc) returned 1 [0182.147] ReadFile (in: hFile=0x43c, lpBuffer=0x12c8c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c8c000*, lpNumberOfBytesRead=0x12a67d1c*=0x757, lpOverlapped=0x0) returned 1 [0182.159] GetFileType (hFile=0x43c) returned 0x1 [0182.159] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.159] WriteFile (in: hFile=0x43c, lpBuffer=0x12c3a000*, nNumberOfBytesToWrite=0x757, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12c3a000*, lpNumberOfBytesWritten=0x12a67d00*=0x757, lpOverlapped=0x12a67d0c) returned 1 [0182.159] GetFileType (hFile=0x43c) returned 0x1 [0182.160] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x757, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0182.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0182.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0182.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810288 | out: pbBuffer=0x12810288) returned 1 [0182.160] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.160] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.160] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58500*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.161] CloseHandle (hObject=0x42c) returned 1 [0182.162] CloseHandle (hObject=0x43c) returned 1 [0182.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102b0 | out: pbBuffer=0x128102b0) returned 1 [0182.162] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_6.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[70F3E5048D1CF6B5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\#_this_file_is_encrypted_[70f3e5048d1cf6b5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.208] GetFileType (hFile=0x1a0) returned 0x1 [0182.208] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.208] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x1018, lpNumberOfBytesWritten=0x12a61d00, lpOverlapped=0x12a61d0c | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12a61d00*=0x1018, lpOverlapped=0x12a61d0c) returned 1 [0182.208] GetFileType (hFile=0x1a0) returned 0x1 [0182.208] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1018, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.208] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0182.209] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0182.209] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0182.209] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0e0 | out: pbBuffer=0x12a9a0e0) returned 1 [0182.209] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0182.209] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0182.209] WriteFile (in: hFile=0x43c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a61d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.209] CloseHandle (hObject=0x43c) returned 1 [0182.211] CloseHandle (hObject=0x1a0) returned 1 [0182.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0f8 | out: pbBuffer=0x12a9a0f8) returned 1 [0182.211] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_2.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[B49E572B33D2803B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\#_this_file_is_encrypted_[b49e572b33d2803b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.213] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\power_7.provxml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f)) returned 1 [0182.213] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x5d3)) returned 1 [0182.213] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa9d106f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xaa9d106f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaa9d106f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x6eb8)) returned 1 [0182.214] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search" (normalized: "c:\\programdata\\microsoft\\search"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.225] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search" (normalized: "c:\\programdata\\microsoft\\search"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.226] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0182.226] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.226] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1 [0182.226] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.226] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0182.227] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.227] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.227] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.227] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.227] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.229] CloseHandle (hObject=0x42c) returned 1 [0182.230] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data" (normalized: "c:\\programdata\\microsoft\\search\\data"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.230] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data" (normalized: "c:\\programdata\\microsoft\\search\\data"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.230] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.230] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.230] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0182.230] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3847afbf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0182.230] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.230] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.231] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\data\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.231] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\data\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.231] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\data\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.231] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0182.231] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0182.233] CloseHandle (hObject=0x42c) returned 1 [0182.233] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.233] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.234] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0182.234] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.234] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0182.234] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.234] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0182.234] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.235] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.235] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.235] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0182.235] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0182.237] CloseHandle (hObject=0x42c) returned 1 [0182.237] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\windows"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.252] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\windows"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.252] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config", cAlternateFileName="")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x38834896, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x38834896, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63e1320b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x387c2346, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a628188, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63e1320b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.log", cAlternateFileName="")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x387c2346, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x387c2346, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3a64e43f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x387c2346, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x387e8567, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3a7f1e79, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb00002.log", cAlternateFileName="")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3880e634, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3880e634, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3880e634, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3880e634, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3880e634, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3880e634, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x387c2346, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a7cbb36, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63e1320b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a412286, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3a412286, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GatherLogs", cAlternateFileName="GATHER~1")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x389fe671, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x389fe671, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Projects", cAlternateFileName="")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2220, ftCreationTime.dwLowDateTime=0x3885ad20, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3885ad20, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x810000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows.edb", cAlternateFileName="")) returned 1 [0182.342] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.342] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0182.344] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Temp" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6407587b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6407587b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.344] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Temp" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.344] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6407587b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0182.344] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6407587b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.345] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.345] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0182.345] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.345] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.345] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.346] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0182.346] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0182.347] CloseHandle (hObject=0x42c) returned 1 [0182.348] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter" (normalized: "c:\\programdata\\microsoft\\smsrouter"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.348] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter" (normalized: "c:\\programdata\\microsoft\\smsrouter"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.348] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0182.348] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.348] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 1 [0182.349] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.349] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0182.349] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\smsrouter\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.349] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\smsrouter\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.349] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\smsrouter\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.350] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\# SATAN CRYPTOR #.hta\\*", lpFindFileData=0x1282b6a4 | out: lpFindFileData=0x1282b6a4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.350] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.354] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.354] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.358] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.358] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0182.358] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.log", cAlternateFileName="")) returned 1 [0182.358] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0182.358] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0182.358] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0182.358] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0182.358] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 1 [0182.358] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.358] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.359] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.360] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.360] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.363] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\# SATAN CRYPTOR #.hta\\*", lpFindFileData=0x1282b640 | out: lpFindFileData=0x1282b640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.364] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000)) returned 1 [0182.366] SetEvent (hEvent=0xfc) returned 1 [0182.367] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.chk" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb.chk"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0182.367] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb.log"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0182.367] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.chk" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.367] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.chk\\*", lpFindFileData=0x12a61a44 | out: lpFindFileData=0x12a61a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.367] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.368] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.log\\*", lpFindFileData=0x12a61a44 | out: lpFindFileData=0x12a61a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.368] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb00001.log"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0182.368] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0182.368] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.368] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log\\*", lpFindFileData=0x12a61a44 | out: lpFindFileData=0x12a61a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.369] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.369] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs\\*", lpFindFileData=0x12a61a44 | out: lpFindFileData=0x12a61a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.369] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0182.369] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbtmp.log"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0182.369] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.370] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs\\*", lpFindFileData=0x12a61a44 | out: lpFindFileData=0x12a61a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.370] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbtmp.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.370] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log\\*", lpFindFileData=0x12a61a44 | out: lpFindFileData=0x12a61a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0182.370] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures" (normalized: "c:\\programdata\\microsoft\\user account pictures"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0182.370] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures" (normalized: "c:\\programdata\\microsoft\\user account pictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.370] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.370] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.png", cAlternateFileName="")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d47fe2c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX.dat", cAlternateFileName="RDHJ0C~1.DAT")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x967, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-192.png", cAlternateFileName="")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19f, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-32.png", cAlternateFileName="")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-40.png", cAlternateFileName="")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x0, dwReserved1=0x0, cFileName="user-48.png", cAlternateFileName="")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.png", cAlternateFileName="")) returned 1 [0182.371] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.371] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.371] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.371] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.372] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.372] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.372] WriteFile (in: hFile=0x42c, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.373] CloseHandle (hObject=0x42c) returned 1 [0182.374] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\rdhj0cnfevzx.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d47fe2c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.377] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038)) returned 1 [0182.382] SetEvent (hEvent=0xfc) returned 1 [0182.382] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.png"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518)) returned 1 [0182.382] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-192.png"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x967)) returned 1 [0182.383] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-32.png"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19f)) returned 1 [0182.389] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-40.png"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b1)) returned 1 [0182.389] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-32.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.389] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.389] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-32.png"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19f)) returned 1 [0182.389] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98460 | out: pbBuffer=0x12a98460) returned 1 [0182.389] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914728 | out: pbBuffer=0x12914728) returned 1 [0182.389] ReadFile (in: hFile=0x42c, lpBuffer=0x12a26000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a26000*, lpNumberOfBytesRead=0x12a67d1c*=0x19f, lpOverlapped=0x0) returned 1 [0182.391] GetFileType (hFile=0x42c) returned 0x1 [0182.391] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.391] WriteFile (in: hFile=0x42c, lpBuffer=0x12a46000*, nNumberOfBytesToWrite=0x19f, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12a46000*, lpNumberOfBytesWritten=0x12a67d00*=0x19f, lpOverlapped=0x12a67d0c) returned 1 [0182.391] GetFileType (hFile=0x42c) returned 0x1 [0182.391] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x19f, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f81 | out: pbBuffer=0x12834f81) returned 1 [0182.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835081 | out: pbBuffer=0x12835081) returned 1 [0182.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835181 | out: pbBuffer=0x12835181) returned 1 [0182.392] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914840 | out: pbBuffer=0x12914840) returned 1 [0182.392] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-32.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0182.392] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.392] WriteFile (in: hFile=0x428, lpBuffer=0x12a58f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58f00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.572] CloseHandle (hObject=0x428) returned 1 [0182.573] CloseHandle (hObject=0x42c) returned 1 [0182.573] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914568 | out: pbBuffer=0x12914568) returned 1 [0182.574] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-32.png"), lpNewFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\#_THIS_FILE_IS_ENCRYPTED_[5B071F83C9887E8B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\user account pictures\\#_this_file_is_encrypted_[5b071f83c9887e8b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.576] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.576] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.577] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.png"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518)) returned 1 [0182.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928260 | out: pbBuffer=0x12928260) returned 1 [0182.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145b0 | out: pbBuffer=0x129145b0) returned 1 [0182.577] ReadFile (in: hFile=0x42c, lpBuffer=0x12bc8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bc8000*, lpNumberOfBytesRead=0x12a67d1c*=0x1518, lpOverlapped=0x0) returned 1 [0182.579] GetFileType (hFile=0x42c) returned 0x1 [0182.579] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.579] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x1518, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x12a67d00*=0x1518, lpOverlapped=0x12a67d0c) returned 1 [0182.579] GetFileType (hFile=0x42c) returned 0x1 [0182.579] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1518, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.579] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0182.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0182.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0182.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914668 | out: pbBuffer=0x12914668) returned 1 [0182.580] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0182.581] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.581] WriteFile (in: hFile=0x428, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.581] CloseHandle (hObject=0x428) returned 1 [0182.582] CloseHandle (hObject=0x42c) returned 1 [0182.582] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914690 | out: pbBuffer=0x12914690) returned 1 [0182.583] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.png"), lpNewFileName="C:\\ProgramData\\Microsoft\\User Account Pictures\\#_THIS_FILE_IS_ENCRYPTED_[ACE5F7AF9F76BD7C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\user account pictures\\#_this_file_is_encrypted_[ace5f7af9f76bd7c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.585] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault" (normalized: "c:\\programdata\\microsoft\\vault"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0182.586] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault" (normalized: "c:\\programdata\\microsoft\\vault"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.586] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0182.586] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.586] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 1 [0182.586] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.587] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0182.587] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\vault\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.587] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\vault\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.587] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\vault\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.588] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0182.588] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0182.590] CloseHandle (hObject=0x42c) returned 1 [0182.590] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0182.590] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0182.591] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0182.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0182.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", cAlternateFileName="154E23~1.VSC")) returned 1 [0182.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", cAlternateFileName="2F1A65~1.VSC")) returned 1 [0182.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x0, dwReserved1=0x0, cFileName="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", cAlternateFileName="3CCD54~1.VSC")) returned 1 [0182.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 1 [0182.591] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0182.591] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0182.592] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0182.592] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0182.592] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.593] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0182.593] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0182.595] CloseHandle (hObject=0x42c) returned 1 [0182.595] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x9e)) returned 1 [0182.595] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x6e)) returned 1 [0182.596] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.596] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.596] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x9e)) returned 1 [0182.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284c0 | out: pbBuffer=0x129284c0) returned 1 [0182.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914ee0 | out: pbBuffer=0x12914ee0) returned 1 [0182.597] ReadFile (in: hFile=0x42c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a67d1c*=0x9e, lpOverlapped=0x0) returned 1 [0182.598] GetFileType (hFile=0x42c) returned 0x1 [0182.598] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.598] WriteFile (in: hFile=0x42c, lpBuffer=0x12c3a1e0*, nNumberOfBytesToWrite=0x9e, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12c3a1e0*, lpNumberOfBytesWritten=0x12a67d00*=0x9e, lpOverlapped=0x12a67d0c) returned 1 [0182.598] GetFileType (hFile=0x42c) returned 0x1 [0182.599] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x9e, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0182.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0182.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0182.599] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914f98 | out: pbBuffer=0x12914f98) returned 1 [0182.599] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0182.600] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0182.600] WriteFile (in: hFile=0x428, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.637] CloseHandle (hObject=0x428) returned 1 [0182.720] CloseHandle (hObject=0x42c) returned 1 [0182.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915580 | out: pbBuffer=0x12915580) returned 1 [0182.720] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch"), lpNewFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\#_THIS_FILE_IS_ENCRYPTED_[888FB0D55BEDCC80]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\#_this_file_is_encrypted_[888fb0d55bedcc80]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.722] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.722] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0182.722] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc)) returned 1 [0182.722] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286e0 | out: pbBuffer=0x129286e0) returned 1 [0182.722] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129155c8 | out: pbBuffer=0x129155c8) returned 1 [0182.723] ReadFile (in: hFile=0x42c, lpBuffer=0x12cce000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cce000*, lpNumberOfBytesRead=0x12829d1c*=0x1bc, lpOverlapped=0x0) returned 1 [0182.724] GetFileType (hFile=0x42c) returned 0x1 [0182.724] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.724] WriteFile (in: hFile=0x42c, lpBuffer=0x12aeefc0*, nNumberOfBytesToWrite=0x1bc, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12aeefc0*, lpNumberOfBytesWritten=0x12829d00*=0x1bc, lpOverlapped=0x12829d0c) returned 1 [0182.724] GetFileType (hFile=0x42c) returned 0x1 [0182.724] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1bc, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.725] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0182.725] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf01 | out: pbBuffer=0x12afcf01) returned 1 [0182.725] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd001 | out: pbBuffer=0x12afd001) returned 1 [0182.725] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915680 | out: pbBuffer=0x12915680) returned 1 [0182.725] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0182.726] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0182.726] WriteFile (in: hFile=0x428, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.756] CloseHandle (hObject=0x428) returned 1 [0182.757] CloseHandle (hObject=0x42c) returned 1 [0182.758] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129156c8 | out: pbBuffer=0x129156c8) returned 1 [0182.758] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol"), lpNewFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\#_THIS_FILE_IS_ENCRYPTED_[413639F86FB8C36F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\#_this_file_is_encrypted_[413639f86fb8c36f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.779] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0182.884] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0182.891] SetEvent (hEvent=0xfc) returned 1 [0182.891] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0182.903] SetEvent (hEvent=0xfc) returned 1 [0182.903] SetEvent (hEvent=0x3f4) returned 1 [0182.903] SwitchToThread () returned 1 [0182.944] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0182.945] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0182.945] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4be2ab00, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x4be2ab00, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x4be2ab00, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x2d000)) returned 1 [0182.945] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0182.945] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0182.945] ReadFile (in: hFile=0x42c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12d35d1c*=0x20000, lpOverlapped=0x0) returned 1 [0182.972] GetFileType (hFile=0x42c) returned 0x1 [0182.972] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.972] WriteFile (in: hFile=0x42c, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12d35d00*=0x20000, lpOverlapped=0x12d35d0c) returned 1 [0182.973] GetFileType (hFile=0x42c) returned 0x1 [0182.974] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0182.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0182.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0182.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0182.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0182.975] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0182.975] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0182.975] WriteFile (in: hFile=0x428, lpBuffer=0x12a80000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a80000*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0182.976] CloseHandle (hObject=0x428) returned 1 [0182.985] CloseHandle (hObject=0x42c) returned 1 [0182.985] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0182.985] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\#_THIS_FILE_IS_ENCRYPTED_[D915630013DD26A5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\#_this_file_is_encrypted_[d915630013dd26a5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0182.987] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0183.153] SetEvent (hEvent=0xfc) returned 1 [0183.153] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0183.154] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0183.154] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0xf36be)) returned 1 [0183.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0183.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0183.154] ReadFile (in: hFile=0x428, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12d37d1c*=0x20000, lpOverlapped=0x0) returned 1 [0183.213] GetFileType (hFile=0x428) returned 0x1 [0183.213] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0183.213] WriteFile (in: hFile=0x428, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x12d37d00*=0x20000, lpOverlapped=0x12d37d0c) returned 1 [0183.214] GetFileType (hFile=0x428) returned 0x1 [0183.214] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0183.214] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0183.214] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0183.214] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0183.215] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484c8 | out: pbBuffer=0x128484c8) returned 1 [0183.215] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0183.215] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0183.215] WriteFile (in: hFile=0x43c, lpBuffer=0x12a80500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a80500*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0183.465] CloseHandle (hObject=0x43c) returned 1 [0183.886] CloseHandle (hObject=0x428) returned 1 [0183.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0183.887] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\#_THIS_FILE_IS_ENCRYPTED_[8D966DEF5B7C2012]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\#_this_file_is_encrypted_[8d966def5b7c2012]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0184.022] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0184.052] SetEvent (hEvent=0x1d0) returned 1 [0184.052] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0184.059] SetEvent (hEvent=0xfc) returned 1 [0184.059] SetEvent (hEvent=0x19c) returned 1 [0184.059] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0184.087] SetEvent (hEvent=0x1d0) returned 1 [0184.087] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0184.090] SetEvent (hEvent=0x1d0) returned 1 [0184.090] SetEvent (hEvent=0xfc) returned 1 [0184.090] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0184.091] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0184.091] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), fInfoLevelId=0x0, lpFileInformation=0x12d31ad0 | out: lpFileInformation=0x12d31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x34a1fdf0, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f428)) returned 1 [0184.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0184.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0184.092] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12d31d1c*=0x20000, lpOverlapped=0x0) returned 1 [0184.109] GetFileType (hFile=0x3c4) returned 0x1 [0184.109] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0184.109] WriteFile (in: hFile=0x3c4, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d31d00, lpOverlapped=0x12d31d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12d31d00*=0x20000, lpOverlapped=0x12d31d0c) returned 1 [0184.110] GetFileType (hFile=0x3c4) returned 0x1 [0184.110] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0184.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0184.111] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0184.111] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0184.111] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0184.111] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0184.111] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0184.112] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12d31d0c*=0x276, lpOverlapped=0x0) returned 1 [0184.132] CloseHandle (hObject=0x42c) returned 1 [0184.201] CloseHandle (hObject=0x3c4) returned 1 [0184.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483e0 | out: pbBuffer=0x128483e0) returned 1 [0184.201] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), lpNewFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\#_THIS_FILE_IS_ENCRYPTED_[80EE9C7C35B2DCA2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\#_this_file_is_encrypted_[80ee9c7c35b2dca2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0184.203] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0184.254] SetEvent (hEvent=0x1d0) returned 1 [0184.255] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0184.255] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0184.255] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x12d33ad0 | out: lpFileInformation=0x12d33ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c893534, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa7a1fb75, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e)) returned 1 [0184.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928240 | out: pbBuffer=0x12928240) returned 1 [0184.256] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0184.256] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ca8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d33d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca8000*, lpNumberOfBytesRead=0x12d33d1c*=0x27e, lpOverlapped=0x0) returned 1 [0184.257] GetFileType (hFile=0x3c4) returned 0x1 [0184.257] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0184.257] WriteFile (in: hFile=0x3c4, lpBuffer=0x12ca4f00*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x12d33d00, lpOverlapped=0x12d33d0c | out: lpBuffer=0x12ca4f00*, lpNumberOfBytesWritten=0x12d33d00*=0x27e, lpOverlapped=0x12d33d0c) returned 1 [0184.258] GetFileType (hFile=0x3c4) returned 0x1 [0184.258] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x27e, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0184.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0184.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0184.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0184.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101e0 | out: pbBuffer=0x128101e0) returned 1 [0184.258] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0184.259] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0184.259] WriteFile (in: hFile=0x42c, lpBuffer=0x12c38a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d33d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38a00*, lpNumberOfBytesWritten=0x12d33d0c*=0x276, lpOverlapped=0x0) returned 1 [0185.060] CloseHandle (hObject=0x42c) returned 1 [0185.215] CloseHandle (hObject=0x3c4) returned 1 [0185.251] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101f8 | out: pbBuffer=0x128101f8) returned 1 [0185.571] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\#_THIS_FILE_IS_ENCRYPTED_[31B2FAA4D15FB117]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\#_this_file_is_encrypted_[31b2faa4d15fb117]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0185.691] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0185.882] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0185.882] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0185.883] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x12d33ad0 | out: lpFileInformation=0x12d33ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaba9e611, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320)) returned 1 [0185.883] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284a0 | out: pbBuffer=0x129284a0) returned 1 [0185.883] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0185.883] ReadFile (in: hFile=0x428, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d33d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12d33d1c*=0x320, lpOverlapped=0x0) returned 1 [0185.980] GetFileType (hFile=0x428) returned 0x1 [0185.980] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0185.980] WriteFile (in: hFile=0x428, lpBuffer=0x12916000*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x12d33d00, lpOverlapped=0x12d33d0c | out: lpBuffer=0x12916000*, lpNumberOfBytesWritten=0x12d33d00*=0x320, lpOverlapped=0x12d33d0c) returned 1 [0185.980] GetFileType (hFile=0x428) returned 0x1 [0185.980] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x320, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0186.393] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0186.517] SetEvent (hEvent=0x19c) returned 1 [0186.518] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0186.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0186.532] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0186.647] SetEvent (hEvent=0xfc) returned 1 [0186.753] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810308 | out: pbBuffer=0x12810308) returned 1 [0186.754] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\vc_redist.x86.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0186.754] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0186.754] WriteFile (in: hFile=0x43c, lpBuffer=0x12c38f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38f00*, lpNumberOfBytesWritten=0x12d31d0c*=0x276, lpOverlapped=0x0) returned 1 [0186.791] CloseHandle (hObject=0x43c) returned 1 [0187.010] CloseHandle (hObject=0x1a0) returned 1 [0187.010] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810198 | out: pbBuffer=0x12810198) returned 1 [0187.010] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\vc_redist.x86.exe"), lpNewFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\#_THIS_FILE_IS_ENCRYPTED_[A9738A9021CE0AAC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\#_this_file_is_encrypted_[a9738a9021ce0aac]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.012] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0187.043] SetEvent (hEvent=0x1d0) returned 1 [0187.043] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.044] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.044] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54d47c00, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x54d47c00, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x54d47c00, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x2d000)) returned 1 [0187.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98100 | out: pbBuffer=0x12a98100) returned 1 [0187.044] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129141f0 | out: pbBuffer=0x129141f0) returned 1 [0187.044] ReadFile (in: hFile=0x448, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12d37d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.130] GetFileType (hFile=0x448) returned 0x1 [0187.130] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.130] WriteFile (in: hFile=0x448, lpBuffer=0x12a16000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12a16000*, lpNumberOfBytesWritten=0x12d37d00*=0x20000, lpOverlapped=0x12d37d0c) returned 1 [0187.131] GetFileType (hFile=0x448) returned 0x1 [0187.131] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0187.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0187.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0187.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914598 | out: pbBuffer=0x12914598) returned 1 [0187.176] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.176] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.176] WriteFile (in: hFile=0x43c, lpBuffer=0x12a70a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a70a00*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.176] CloseHandle (hObject=0x43c) returned 1 [0187.176] CloseHandle (hObject=0x448) returned 1 [0187.177] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145b0 | out: pbBuffer=0x129145b0) returned 1 [0187.177] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\#_THIS_FILE_IS_ENCRYPTED_[50D7CBF984C03DF3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\#_this_file_is_encrypted_[50d7cbf984c03df3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.178] SwitchToThread () returned 1 [0187.251] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.251] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0187.252] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d31ad0 | out: lpFileInformation=0x12d31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec82c300, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xec82c300, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xec82c300, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x554520)) returned 1 [0187.252] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98340 | out: pbBuffer=0x12a98340) returned 1 [0187.252] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914608 | out: pbBuffer=0x12914608) returned 1 [0187.252] ReadFile (in: hFile=0x448, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12d31d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.292] GetFileType (hFile=0x448) returned 0x1 [0187.292] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.293] WriteFile (in: hFile=0x448, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d31d00, lpOverlapped=0x12d31d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12d31d00*=0x20000, lpOverlapped=0x12d31d0c) returned 1 [0187.294] GetFileType (hFile=0x448) returned 0x1 [0187.294] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0187.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0187.294] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0187.295] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129146d0 | out: pbBuffer=0x129146d0) returned 1 [0187.295] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.295] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0187.295] WriteFile (in: hFile=0x428, lpBuffer=0x12a70f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a70f00*, lpNumberOfBytesWritten=0x12d31d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.347] CloseHandle (hObject=0x428) returned 1 [0187.347] CloseHandle (hObject=0x448) returned 1 [0187.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146e8 | out: pbBuffer=0x129146e8) returned 1 [0187.347] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\#_THIS_FILE_IS_ENCRYPTED_[82B5CECF4AC20EF0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\#_this_file_is_encrypted_[82b5cecf4ac20ef0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.348] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0187.518] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0187.577] SetEvent (hEvent=0x19c) returned 1 [0187.577] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0187.643] SetEvent (hEvent=0x19c) returned 1 [0187.643] SwitchToThread () returned 1 [0187.658] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0187.754] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.754] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0187.754] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x681d000, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x681d000, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0x681d000, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25)) returned 1 [0187.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0187.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0187.755] ReadFile (in: hFile=0x448, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.773] GetFileType (hFile=0x448) returned 0x1 [0187.774] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.774] WriteFile (in: hFile=0x448, lpBuffer=0x129f6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x129f6000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0187.775] GetFileType (hFile=0x448) returned 0x1 [0187.775] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0187.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0187.775] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0187.776] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0187.776] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.776] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0187.776] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.793] CloseHandle (hObject=0x3c4) returned 1 [0187.793] CloseHandle (hObject=0x448) returned 1 [0187.793] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0187.793] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\#_THIS_FILE_IS_ENCRYPTED_[6B10C0BD79782136]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\#_this_file_is_encrypted_[6b10c0bd79782136]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.795] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.795] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0187.795] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9153a800, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0x9153a800, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0x9153a800, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x1704ac)) returned 1 [0187.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0187.796] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a130 | out: pbBuffer=0x12a9a130) returned 1 [0187.796] ReadFile (in: hFile=0x448, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12d35d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.822] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0187.827] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0187.827] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0187.828] SetEvent (hEvent=0x110) returned 1 [0187.828] SetEvent (hEvent=0x19c) returned 1 [0187.828] SetEvent (hEvent=0x3f4) returned 1 [0187.829] GetFileType (hFile=0x448) returned 0x1 [0187.829] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.829] WriteFile (in: hFile=0x448, lpBuffer=0x12b50000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12b50000*, lpNumberOfBytesWritten=0x12d35d00*=0x20000, lpOverlapped=0x12d35d0c) returned 1 [0187.830] GetFileType (hFile=0x448) returned 0x1 [0187.830] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0187.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0187.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0187.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1f8 | out: pbBuffer=0x12a9a1f8) returned 1 [0187.831] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.832] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0187.832] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a58500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58500*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.840] CloseHandle (hObject=0x3c4) returned 1 [0187.840] CloseHandle (hObject=0x448) returned 1 [0187.840] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a210 | out: pbBuffer=0x12a9a210) returned 1 [0187.840] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\#_THIS_FILE_IS_ENCRYPTED_[75CD3D276774A5B6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\#_this_file_is_encrypted_[75cd3d276774a5b6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.842] SetEvent (hEvent=0x3f4) returned 1 [0187.842] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0187.857] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0187.857] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0187.857] SetEvent (hEvent=0x3f4) returned 1 [0187.857] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0187.869] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0187.869] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.869] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0187.869] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3166700, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc3166700, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc3166700, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520)) returned 1 [0187.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0187.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0187.870] ReadFile (in: hFile=0x428, lpBuffer=0x12d38000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d38000*, lpNumberOfBytesRead=0x12d35d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.894] GetFileType (hFile=0x428) returned 0x1 [0187.894] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.894] WriteFile (in: hFile=0x428, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12d35d00*=0x20000, lpOverlapped=0x12d35d0c) returned 1 [0187.895] GetFileType (hFile=0x428) returned 0x1 [0187.895] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.895] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0187.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0187.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0187.896] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0187.896] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0187.897] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0187.897] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.916] CloseHandle (hObject=0x1a0) returned 1 [0187.916] CloseHandle (hObject=0x428) returned 1 [0187.917] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0187.917] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\#_THIS_FILE_IS_ENCRYPTED_[16420D1276A28994]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\#_this_file_is_encrypted_[16420d1276a28994]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.939] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.939] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0187.939] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa4f13e84, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e)) returned 1 [0187.939] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0187.939] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0187.940] ReadFile (in: hFile=0x428, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x12829d1c*=0x27e, lpOverlapped=0x0) returned 1 [0187.942] GetFileType (hFile=0x428) returned 0x1 [0187.942] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.942] WriteFile (in: hFile=0x428, lpBuffer=0x12c3ca00*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c3ca00*, lpNumberOfBytesWritten=0x12829d00*=0x27e, lpOverlapped=0x12829d0c) returned 1 [0187.942] GetFileType (hFile=0x428) returned 0x1 [0187.942] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x27e, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0187.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0187.943] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0187.943] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484c8 | out: pbBuffer=0x128484c8) returned 1 [0187.943] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0187.943] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0187.943] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a58a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.974] CloseHandle (hObject=0x3c4) returned 1 [0187.974] CloseHandle (hObject=0x428) returned 1 [0187.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484e0 | out: pbBuffer=0x128484e0) returned 1 [0187.974] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\#_THIS_FILE_IS_ENCRYPTED_[6136ACC63F210973]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\#_this_file_is_encrypted_[6136acc63f210973]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.976] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0188.091] SetEvent (hEvent=0x19c) returned 1 [0188.092] CreateFileW (lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.119] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0188.119] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x93900d5f, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x93b3bb89, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x349)) returned 1 [0188.119] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284a0 | out: pbBuffer=0x129284a0) returned 1 [0188.119] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810298 | out: pbBuffer=0x12810298) returned 1 [0188.120] VirtualAlloc (lpAddress=0x12d6e000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x12d6e000 [0188.122] ReadFile (in: hFile=0x43c, lpBuffer=0x12a16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a16000*, lpNumberOfBytesRead=0x12d35d1c*=0x349, lpOverlapped=0x0) returned 1 [0188.122] GetFileType (hFile=0x43c) returned 0x1 [0188.122] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.122] WriteFile (in: hFile=0x43c, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x349, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x12d35d00*=0x349, lpOverlapped=0x12d35d0c) returned 1 [0188.122] GetFileType (hFile=0x43c) returned 0x1 [0188.122] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x349, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0188.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0188.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0188.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810350 | out: pbBuffer=0x12810350) returned 1 [0188.123] CreateFileW (lpFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0188.124] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0188.124] WriteFile (in: hFile=0x42c, lpBuffer=0x12c24a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c24a00*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.124] CloseHandle (hObject=0x42c) returned 1 [0188.124] CloseHandle (hObject=0x43c) returned 1 [0188.124] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810368 | out: pbBuffer=0x12810368) returned 1 [0188.124] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), lpNewFileName="C:\\ProgramData\\USOPrivate\\UpdateStore\\#_THIS_FILE_IS_ENCRYPTED_[A7C02DADDA916BE2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoprivate\\updatestore\\#_this_file_is_encrypted_[a7c02dadda916be2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.126] SetEvent (hEvent=0x1d0) returned 1 [0188.126] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0188.144] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0188.144] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0188.153] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0188.153] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0188.153] SetEvent (hEvent=0x19c) returned 1 [0188.153] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0188.165] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0188.165] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf98df460, ftLastAccessTime.dwHighDateTime=0x1d705ef, ftLastWriteTime.dwLowDateTime=0x22721e58, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0188.165] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x6fb852ed, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa05d916a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0188.166] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x46a3d34f, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6df6574e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0188.166] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x95f9994e, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x95f9994e, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0188.166] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0188.167] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0188.167] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x46a3d34f, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6df6574e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0188.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0188.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129151e0 | out: pbBuffer=0x129151e0) returned 1 [0188.167] ReadFile (in: hFile=0x448, lpBuffer=0x12b70000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b70000*, lpNumberOfBytesRead=0x12d37d1c*=0x3000, lpOverlapped=0x0) returned 1 [0188.179] GetFileType (hFile=0x448) returned 0x1 [0188.180] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.180] WriteFile (in: hFile=0x448, lpBuffer=0x12a3d000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12a3d000*, lpNumberOfBytesWritten=0x12d37d00*=0x3000, lpOverlapped=0x12d37d0c) returned 1 [0188.180] GetFileType (hFile=0x448) returned 0x1 [0188.180] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.180] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0188.180] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0188.180] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0188.181] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915298 | out: pbBuffer=0x12915298) returned 1 [0188.181] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.181] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0188.181] WriteFile (in: hFile=0x43c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.182] CloseHandle (hObject=0x43c) returned 1 [0188.197] CloseHandle (hObject=0x448) returned 1 [0188.200] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129152b0 | out: pbBuffer=0x129152b0) returned 1 [0188.200] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[446110F029397354]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[446110f029397354]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.401] SetEvent (hEvent=0x110) returned 1 [0188.401] SetEvent (hEvent=0xfc) returned 1 [0188.401] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0188.402] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0188.402] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9ee92c6a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xc6371102, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0188.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928700 | out: pbBuffer=0x12928700) returned 1 [0188.402] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8248 | out: pbBuffer=0x128e8248) returned 1 [0188.402] ReadFile (in: hFile=0x1a0, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12d37d1c*=0x3000, lpOverlapped=0x0) returned 1 [0188.408] GetFileType (hFile=0x1a0) returned 0x1 [0188.408] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.408] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c1f000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12c1f000*, lpNumberOfBytesWritten=0x12d37d00*=0x3000, lpOverlapped=0x12d37d0c) returned 1 [0188.408] GetFileType (hFile=0x1a0) returned 0x1 [0188.408] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.408] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0188.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0188.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0188.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8300 | out: pbBuffer=0x128e8300) returned 1 [0188.409] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0188.409] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0188.410] WriteFile (in: hFile=0x448, lpBuffer=0x12c24f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c24f00*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.410] CloseHandle (hObject=0x448) returned 1 [0188.413] CloseHandle (hObject=0x1a0) returned 1 [0188.416] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8318 | out: pbBuffer=0x128e8318) returned 1 [0188.416] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[F4319359505E08FD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[f4319359505e08fd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.576] SetEvent (hEvent=0xfc) returned 1 [0188.576] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0188.576] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0188.576] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.001.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xa689893c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xac9249a5, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.576] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928280 | out: pbBuffer=0x12928280) returned 1 [0188.576] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145c0 | out: pbBuffer=0x129145c0) returned 1 [0188.578] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12d37d1c*=0x1000, lpOverlapped=0x0) returned 1 [0188.632] GetFileType (hFile=0x1a0) returned 0x1 [0188.632] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.632] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a9e000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12a9e000*, lpNumberOfBytesWritten=0x12d37d00*=0x1000, lpOverlapped=0x12d37d0c) returned 1 [0188.633] GetFileType (hFile=0x1a0) returned 0x1 [0188.633] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0188.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0188.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0188.634] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914688 | out: pbBuffer=0x12914688) returned 1 [0188.634] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.001.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0188.634] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0188.634] WriteFile (in: hFile=0x42c, lpBuffer=0x12a58a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58a00*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.635] CloseHandle (hObject=0x42c) returned 1 [0188.641] CloseHandle (hObject=0x1a0) returned 1 [0188.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146a0 | out: pbBuffer=0x129146a0) returned 1 [0188.657] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.001.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[90FD80B48353FAAF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[90fd80b48353faaf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.806] SetEvent (hEvent=0xfc) returned 1 [0188.806] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.807] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0188.807] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f)) returned 1 [0188.807] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286e0 | out: pbBuffer=0x129286e0) returned 1 [0188.807] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914808 | out: pbBuffer=0x12914808) returned 1 [0188.807] ReadFile (in: hFile=0x43c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12d37d1c*=0x42f, lpOverlapped=0x0) returned 1 [0188.813] GetFileType (hFile=0x43c) returned 0x1 [0188.813] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.814] WriteFile (in: hFile=0x43c, lpBuffer=0x12a49680*, nNumberOfBytesToWrite=0x42f, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12a49680*, lpNumberOfBytesWritten=0x12d37d00*=0x42f, lpOverlapped=0x12d37d0c) returned 1 [0188.814] GetFileType (hFile=0x43c) returned 0x1 [0188.814] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x42f, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.814] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af01 | out: pbBuffer=0x1286af01) returned 1 [0188.814] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b081 | out: pbBuffer=0x1286b081) returned 1 [0188.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b181 | out: pbBuffer=0x1286b181) returned 1 [0188.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914970 | out: pbBuffer=0x12914970) returned 1 [0188.815] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.815] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0188.815] WriteFile (in: hFile=0x438, lpBuffer=0x12a59400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a59400*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.816] CloseHandle (hObject=0x438) returned 1 [0188.822] CloseHandle (hObject=0x43c) returned 1 [0188.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914988 | out: pbBuffer=0x12914988) returned 1 [0188.827] MoveFileExW (lpExistingFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), lpNewFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\#_THIS_FILE_IS_ENCRYPTED_[80E1D4995060AA12]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\#_this_file_is_encrypted_[80e1d4995060aa12]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.964] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0188.973] SetEvent (hEvent=0xf4) returned 1 [0188.973] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.974] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.974] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12d5fad0 | out: lpFileInformation=0x12d5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fff9e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x251fff9e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x251fff9e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x160)) returned 1 [0188.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129288e0 | out: pbBuffer=0x129288e0) returned 1 [0188.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914a30 | out: pbBuffer=0x12914a30) returned 1 [0188.974] ReadFile (in: hFile=0x43c, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12d5fd1c*=0x160, lpOverlapped=0x0) returned 1 [0188.977] GetFileType (hFile=0x43c) returned 0x1 [0188.977] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.977] WriteFile (in: hFile=0x43c, lpBuffer=0x12bec2c0*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x12d5fd00, lpOverlapped=0x12d5fd0c | out: lpBuffer=0x12bec2c0*, lpNumberOfBytesWritten=0x12d5fd00*=0x160, lpOverlapped=0x12d5fd0c) returned 1 [0188.977] GetFileType (hFile=0x43c) returned 0x1 [0188.978] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x160, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b401 | out: pbBuffer=0x1286b401) returned 1 [0188.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b501 | out: pbBuffer=0x1286b501) returned 1 [0188.978] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b601 | out: pbBuffer=0x1286b601) returned 1 [0188.979] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914b18 | out: pbBuffer=0x12914b18) returned 1 [0188.979] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.980] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.980] WriteFile (in: hFile=0x438, lpBuffer=0x12a59900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a59900*, lpNumberOfBytesWritten=0x12d5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0189.049] CloseHandle (hObject=0x438) returned 1 [0189.049] CloseHandle (hObject=0x43c) returned 1 [0189.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914b30 | out: pbBuffer=0x12914b30) returned 1 [0189.049] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), lpNewFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\#_THIS_FILE_IS_ENCRYPTED_[0B1478304E438194]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\#_this_file_is_encrypted_[0b1478304e438194]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.050] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.051] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0189.051] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12d33ad0 | out: lpFileInformation=0x12d33ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf6600cb, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9ee52126, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee78381, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x94)) returned 1 [0189.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928ae0 | out: pbBuffer=0x12928ae0) returned 1 [0189.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914b78 | out: pbBuffer=0x12914b78) returned 1 [0189.053] ReadFile (in: hFile=0x43c, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d33d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x12d33d1c*=0x94, lpOverlapped=0x0) returned 1 [0189.055] GetFileType (hFile=0x43c) returned 0x1 [0189.055] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.055] WriteFile (in: hFile=0x43c, lpBuffer=0x12a926e0*, nNumberOfBytesToWrite=0x94, lpNumberOfBytesWritten=0x12d33d00, lpOverlapped=0x12d33d0c | out: lpBuffer=0x12a926e0*, lpNumberOfBytesWritten=0x12d33d00*=0x94, lpOverlapped=0x12d33d0c) returned 1 [0189.055] GetFileType (hFile=0x43c) returned 0x1 [0189.055] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x94, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b781 | out: pbBuffer=0x1286b781) returned 1 [0189.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b881 | out: pbBuffer=0x1286b881) returned 1 [0189.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b981 | out: pbBuffer=0x1286b981) returned 1 [0189.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914c40 | out: pbBuffer=0x12914c40) returned 1 [0189.056] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.056] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0189.056] WriteFile (in: hFile=0x438, lpBuffer=0x12c20000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d33d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20000*, lpNumberOfBytesWritten=0x12d33d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.074] CloseHandle (hObject=0x438) returned 1 [0189.074] CloseHandle (hObject=0x43c) returned 1 [0189.074] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914c58 | out: pbBuffer=0x12914c58) returned 1 [0189.074] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), lpNewFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\#_THIS_FILE_IS_ENCRYPTED_[FC140FB886CB42B0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\#_this_file_is_encrypted_[fc140fb886cb42b0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.075] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0189.087] SetEvent (hEvent=0xf4) returned 1 [0189.088] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music" (normalized: "c:\\users\\default\\documents\\my music"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.088] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x12d37a44 | out: lpFindFileData=0x12d37a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.088] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures" (normalized: "c:\\users\\default\\documents\\my pictures"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.088] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x12d5fa44 | out: lpFindFileData=0x12d5fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.088] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos" (normalized: "c:\\users\\default\\documents\\my videos"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.088] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.088] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0189.139] SetEvent (hEvent=0xf4) returned 1 [0189.140] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.140] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0189.140] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), fInfoLevelId=0x0, lpFileInformation=0x12d5fad0 | out: lpFileInformation=0x12d5fad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x31bfa5a5, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xea64ab63, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xea64ab63, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x40000)) returned 1 [0189.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928ce0 | out: pbBuffer=0x12928ce0) returned 1 [0189.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914cc8 | out: pbBuffer=0x12914cc8) returned 1 [0189.140] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0189.143] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0189.143] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0189.143] SetEvent (hEvent=0x110) returned 1 [0189.143] SetEvent (hEvent=0xf4) returned 1 [0189.143] SetEvent (hEvent=0x19c) returned 1 [0189.144] ReadFile (in: hFile=0x1a0, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12d5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0189.152] GetFileType (hFile=0x1a0) returned 0x1 [0189.152] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.153] WriteFile (in: hFile=0x1a0, lpBuffer=0x129d6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d5fd00, lpOverlapped=0x12d5fd0c | out: lpBuffer=0x129d6000*, lpNumberOfBytesWritten=0x12d5fd00*=0x20000, lpOverlapped=0x12d5fd0c) returned 1 [0189.154] GetFileType (hFile=0x1a0) returned 0x1 [0189.154] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0189.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bb01 | out: pbBuffer=0x1286bb01) returned 1 [0189.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bc01 | out: pbBuffer=0x1286bc01) returned 1 [0189.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286bd01 | out: pbBuffer=0x1286bd01) returned 1 [0189.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914de0 | out: pbBuffer=0x12914de0) returned 1 [0189.155] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.155] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0189.155] WriteFile (in: hFile=0x438, lpBuffer=0x12c20500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20500*, lpNumberOfBytesWritten=0x12d5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0189.157] CloseHandle (hObject=0x438) returned 1 [0189.157] CloseHandle (hObject=0x1a0) returned 1 [0189.157] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914df8 | out: pbBuffer=0x12914df8) returned 1 [0189.157] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), lpNewFileName="C:\\Users\\Default\\#_THIS_FILE_IS_ENCRYPTED_[DAB9F601E2FEBD3D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\default\\#_this_file_is_encrypted_[dab9f601e2febd3d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.158] SetEvent (hEvent=0x19c) returned 1 [0189.158] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0189.164] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0189.164] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0189.164] SetEvent (hEvent=0x19c) returned 1 [0189.164] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0189.170] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.171] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0189.171] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0189.171] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0189.171] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0189.171] ReadFile (in: hFile=0x1a0, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12d37d1c*=0x5000, lpOverlapped=0x0) returned 1 [0189.223] GetFileType (hFile=0x1a0) returned 0x1 [0189.223] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.223] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12d37d00*=0x5000, lpOverlapped=0x12d37d0c) returned 1 [0189.223] GetFileType (hFile=0x1a0) returned 0x1 [0189.223] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x5000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.223] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0189.224] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0189.224] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0189.224] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0189.224] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.224] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0189.224] WriteFile (in: hFile=0x448, lpBuffer=0x12a00500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a00500*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.225] CloseHandle (hObject=0x448) returned 1 [0189.225] CloseHandle (hObject=0x1a0) returned 1 [0189.225] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0189.225] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="C:\\Users\\Default\\#_THIS_FILE_IS_ENCRYPTED_[EC92A3FD059370BA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\default\\#_this_file_is_encrypted_[ec92a3fd059370ba]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.227] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0189.302] SetEvent (hEvent=0xfc) returned 1 [0189.302] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood" (normalized: "c:\\users\\default\\printhood"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.302] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.302] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0189.528] SetEvent (hEvent=0xf4) returned 1 [0189.528] SetEvent (hEvent=0x3f4) returned 1 [0189.528] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0189.825] SetEvent (hEvent=0x19c) returned 1 [0189.825] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0198.044] SetEvent (hEvent=0x1d0) returned 1 [0198.044] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0198.048] SetEvent (hEvent=0x1d0) returned 1 [0198.048] SetEvent (hEvent=0x19c) returned 1 [0198.048] SwitchToThread () returned 1 [0198.051] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0198.068] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0198.098] SetEvent (hEvent=0x19c) returned 1 [0198.098] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23FB071D-E9EC-4666-A0CB-7D6993563959" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23fb071d-e9ec-4666-a0cb-7d6993563959"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0198.099] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0198.099] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23FB071D-E9EC-4666-A0CB-7D6993563959" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23fb071d-e9ec-4666-a0cb-7d6993563959"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9d4b04, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9d4b04, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9d5f98, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3bcb)) returned 1 [0198.099] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0198.099] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0198.099] ReadFile (in: hFile=0x3c4, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x3bcb, lpOverlapped=0x0) returned 1 [0198.104] GetFileType (hFile=0x3c4) returned 0x1 [0198.104] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0198.104] WriteFile (in: hFile=0x3c4, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x3bcb, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12a6dd00*=0x3bcb, lpOverlapped=0x12a6dd0c) returned 1 [0198.104] GetFileType (hFile=0x3c4) returned 0x1 [0198.104] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x3bcb, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0198.104] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0198.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0198.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0198.105] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0198.105] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23FB071D-E9EC-4666-A0CB-7D6993563959" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23fb071d-e9ec-4666-a0cb-7d6993563959"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.106] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0198.106] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d8c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12d8c500*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.106] CloseHandle (hObject=0x1a0) returned 1 [0198.113] CloseHandle (hObject=0x3c4) returned 1 [0198.117] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0198.117] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23FB071D-E9EC-4666-A0CB-7D6993563959" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\23fb071d-e9ec-4666-a0cb-7d6993563959"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[948AE97D84DCB748]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[948ae97d84dcb748]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.264] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0198.310] SetEvent (hEvent=0x19c) returned 1 [0198.311] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2DFAAC69-9C98-47D4-8E3B-6AD109FD232D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2dfaac69-9c98-47d4-8e3b-6ad109fd232d"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0198.311] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0198.311] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2DFAAC69-9C98-47D4-8E3B-6AD109FD232D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2dfaac69-9c98-47d4-8e3b-6ad109fd232d"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49fb16b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49fb16b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49fb16b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4af4)) returned 1 [0198.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282c0 | out: pbBuffer=0x129282c0) returned 1 [0198.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a6b0 | out: pbBuffer=0x12a9a6b0) returned 1 [0198.312] ReadFile (in: hFile=0x438, lpBuffer=0x129a8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x129a8000*, lpNumberOfBytesRead=0x12a6dd1c*=0x4af4, lpOverlapped=0x0) returned 1 [0198.318] GetFileType (hFile=0x438) returned 0x1 [0198.318] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0198.318] WriteFile (in: hFile=0x438, lpBuffer=0x12a5a000*, nNumberOfBytesToWrite=0x4af4, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12a5a000*, lpNumberOfBytesWritten=0x12a6dd00*=0x4af4, lpOverlapped=0x12a6dd0c) returned 1 [0198.318] GetFileType (hFile=0x438) returned 0x1 [0198.318] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x4af4, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0198.318] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0198.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0198.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0198.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a768 | out: pbBuffer=0x12a9a768) returned 1 [0198.319] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2DFAAC69-9C98-47D4-8E3B-6AD109FD232D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2dfaac69-9c98-47d4-8e3b-6ad109fd232d"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0198.319] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0198.320] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b44500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44500*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.320] CloseHandle (hObject=0x1a0) returned 1 [0198.323] CloseHandle (hObject=0x438) returned 1 [0198.325] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a790 | out: pbBuffer=0x12a9a790) returned 1 [0198.325] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2DFAAC69-9C98-47D4-8E3B-6AD109FD232D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\2dfaac69-9c98-47d4-8e3b-6ad109fd232d"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[076F600AA9963F4E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[076f600aa9963f4e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.577] SetEvent (hEvent=0x1d0) returned 1 [0198.577] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0198.583] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0198.584] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0198.586] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0198.586] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0198.586] SetEvent (hEvent=0x19c) returned 1 [0198.587] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0198.591] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0198.591] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0199.047] SetEvent (hEvent=0x3f4) returned 1 [0199.047] SetEvent (hEvent=0x1d0) returned 1 [0199.048] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0199.108] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0199.777] SetEvent (hEvent=0x1d0) returned 1 [0199.777] SetEvent (hEvent=0x3f4) returned 1 [0199.777] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0199.786] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0199.903] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0200.333] SetEvent (hEvent=0xfc) returned 1 [0200.333] SetEvent (hEvent=0x1d0) returned 1 [0200.333] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0200.378] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\82B38E75-3368-40D2-B1E5-193E0E558D48" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\82b38e75-3368-40d2-b1e5-193e0e558d48"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.379] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.379] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\82B38E75-3368-40D2-B1E5-193E0E558D48" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\82b38e75-3368-40d2-b1e5-193e0e558d48"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84e7d50, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84e7d50, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84e9287, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x9c3)) returned 1 [0200.379] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0200.379] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0200.379] ReadFile (in: hFile=0x15c, lpBuffer=0x12a2e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a2e000*, lpNumberOfBytesRead=0x12a6fd1c*=0x9c3, lpOverlapped=0x0) returned 1 [0200.385] GetFileType (hFile=0x15c) returned 0x1 [0200.385] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.385] WriteFile (in: hFile=0x15c, lpBuffer=0x12a74a80*, nNumberOfBytesToWrite=0x9c3, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12a74a80*, lpNumberOfBytesWritten=0x12a6fd00*=0x9c3, lpOverlapped=0x12a6fd0c) returned 1 [0200.385] GetFileType (hFile=0x15c) returned 0x1 [0200.385] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x9c3, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0200.385] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0200.385] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0200.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0200.386] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0200.386] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\82B38E75-3368-40D2-B1E5-193E0E558D48" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\82b38e75-3368-40d2-b1e5-193e0e558d48"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.386] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0200.386] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.387] CloseHandle (hObject=0x3c4) returned 1 [0200.388] CloseHandle (hObject=0x15c) returned 1 [0200.390] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0200.390] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\82B38E75-3368-40D2-B1E5-193E0E558D48" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\82b38e75-3368-40d2-b1e5-193e0e558d48"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[3CD031288805AAED]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[3cd031288805aaed]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.439] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0200.446] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0200.566] SetEvent (hEvent=0x1d0) returned 1 [0200.566] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\92D09C47-EFFB-4E54-B85D-797F67B0527C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\92d09c47-effb-4e54-b85d-797f67b0527c"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49b7e91, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49b7e91, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49b7e91, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12b8)) returned 1 [0200.566] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0200.739] SetEvent (hEvent=0x1d0) returned 1 [0200.739] SetEvent (hEvent=0x19c) returned 1 [0200.739] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0200.884] SetEvent (hEvent=0x19c) returned 1 [0200.884] GetFileType (hFile=0x438) returned 0x1 [0200.885] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a89ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.885] WriteFile (in: hFile=0x438, lpBuffer=0x12d84000*, nNumberOfBytesToWrite=0x990a, lpNumberOfBytesWritten=0x12a89d00, lpOverlapped=0x12a89d0c | out: lpBuffer=0x12d84000*, lpNumberOfBytesWritten=0x12a89d00*=0x990a, lpOverlapped=0x12a89d0c) returned 1 [0200.885] GetFileType (hFile=0x438) returned 0x1 [0200.885] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x990a, lpNewFilePointer=0x0, dwMoveMethod=0x12a89ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.886] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835981 | out: pbBuffer=0x12835981) returned 1 [0200.886] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835a81 | out: pbBuffer=0x12835a81) returned 1 [0200.886] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835b81 | out: pbBuffer=0x12835b81) returned 1 [0200.889] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b4d0 | out: pbBuffer=0x12a9b4d0) returned 1 [0200.889] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A2F95592-6A7F-475A-878F-C593DA8BBEDD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a2f95592-6a7f-475a-878f-c593da8bbedd"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.889] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0200.890] WriteFile (in: hFile=0x3c4, lpBuffer=0x129b4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x129b4000*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.890] CloseHandle (hObject=0x3c4) returned 1 [0200.890] CloseHandle (hObject=0x438) returned 1 [0200.890] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b4e8 | out: pbBuffer=0x12a9b4e8) returned 1 [0200.890] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A2F95592-6A7F-475A-878F-C593DA8BBEDD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a2f95592-6a7f-475a-878f-c593da8bbedd"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[1416EB1B4D3872FD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[1416eb1b4d3872fd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.891] SetEvent (hEvent=0x3f4) returned 1 [0200.891] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0200.976] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0200.989] SetEvent (hEvent=0x3f4) returned 1 [0200.990] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C52B4A7C-C9FD-485A-8375-F97F3A24C1BA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c52b4a7c-c9fd-485a-8375-f97f3a24c1ba"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.990] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0200.990] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C52B4A7C-C9FD-485A-8375-F97F3A24C1BA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c52b4a7c-c9fd-485a-8375-f97f3a24c1ba"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4974447, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4974447, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49759af, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2bd8)) returned 1 [0200.990] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0200.990] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0200.990] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x1282fd1c*=0x2bd8, lpOverlapped=0x0) returned 1 [0201.035] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0201.053] GetFileType (hFile=0x3c4) returned 0x1 [0201.053] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.053] WriteFile (in: hFile=0x3c4, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x2bd8, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x1282fd00*=0x2bd8, lpOverlapped=0x1282fd0c) returned 1 [0201.053] GetFileType (hFile=0x3c4) returned 0x1 [0201.053] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x2bd8, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.054] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0201.054] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0201.054] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0201.054] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0201.054] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C52B4A7C-C9FD-485A-8375-F97F3A24C1BA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c52b4a7c-c9fd-485a-8375-f97f3a24c1ba"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0201.054] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.054] WriteFile (in: hFile=0x15c, lpBuffer=0x12856500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12856500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.054] CloseHandle (hObject=0x15c) returned 1 [0201.055] CloseHandle (hObject=0x3c4) returned 1 [0201.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0201.055] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C52B4A7C-C9FD-485A-8375-F97F3A24C1BA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c52b4a7c-c9fd-485a-8375-f97f3a24c1ba"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[BEF716D7D6BFCF21]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[bef716d7d6bfcf21]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.056] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D1658A87-36B4-4565-B36F-CEF71FFC7033" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d1658a87-36b4-4565-b36f-cef71ffc7033"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9d990d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9d990d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9ee668, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c5d)) returned 1 [0201.056] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D69FD789-7AAA-4B6A-86DB-6AD5F309B97F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d69fd789-7aaa-4b6a-86db-6ad5f309b97f"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c85c72, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c85c72, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c8700a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3894)) returned 1 [0201.057] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D7F62263-4202-4285-AB58-35DFBBB7899C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d7f62263-4202-4285-ab58-35dfbbb7899c"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e43432, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e43432, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e43432, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6f72)) returned 1 [0201.057] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D69FD789-7AAA-4B6A-86DB-6AD5F309B97F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d69fd789-7aaa-4b6a-86db-6ad5f309b97f"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0201.057] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.058] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D69FD789-7AAA-4B6A-86DB-6AD5F309B97F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d69fd789-7aaa-4b6a-86db-6ad5f309b97f"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c85c72, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c85c72, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c8700a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3894)) returned 1 [0201.058] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0201.058] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109a0 | out: pbBuffer=0x128109a0) returned 1 [0201.058] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0201.062] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0201.062] SetEvent (hEvent=0x110) returned 1 [0201.062] SetEvent (hEvent=0x3f4) returned 1 [0201.063] ReadFile (in: hFile=0x3c4, lpBuffer=0x12968000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12968000*, lpNumberOfBytesRead=0x1282fd1c*=0x3894, lpOverlapped=0x0) returned 1 [0201.150] GetFileType (hFile=0x3c4) returned 0x1 [0201.150] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.150] WriteFile (in: hFile=0x3c4, lpBuffer=0x12aec000*, nNumberOfBytesToWrite=0x3894, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12aec000*, lpNumberOfBytesWritten=0x1282fd00*=0x3894, lpOverlapped=0x1282fd0c) returned 1 [0201.150] GetFileType (hFile=0x3c4) returned 0x1 [0201.150] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x3894, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0201.150] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0201.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0201.151] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128109c8 | out: pbBuffer=0x128109c8) returned 1 [0201.151] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D69FD789-7AAA-4B6A-86DB-6AD5F309B97F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d69fd789-7aaa-4b6a-86db-6ad5f309b97f"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.151] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.151] WriteFile (in: hFile=0x448, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.152] CloseHandle (hObject=0x448) returned 1 [0201.152] CloseHandle (hObject=0x3c4) returned 1 [0201.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109e0 | out: pbBuffer=0x128109e0) returned 1 [0201.152] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D69FD789-7AAA-4B6A-86DB-6AD5F309B97F" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d69fd789-7aaa-4b6a-86db-6ad5f309b97f"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[9ACEED609E6652D9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[9aceed609e6652d9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.153] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e2b74c9d-38f9-4af3-849b-6f6ed185ffc9"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0201.154] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e2b74c9d-38f9-4af3-849b-6f6ed185ffc9"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89439d3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc89439d3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc89439d3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2516)) returned 1 [0201.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98840 | out: pbBuffer=0x12a98840) returned 1 [0201.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810a28 | out: pbBuffer=0x12810a28) returned 1 [0201.154] ReadFile (in: hFile=0x3c4, lpBuffer=0x129f8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129f8000*, lpNumberOfBytesRead=0x1282fd1c*=0x2516, lpOverlapped=0x0) returned 1 [0201.239] GetFileType (hFile=0x3c4) returned 0x1 [0201.239] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.239] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x2516, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x1282fd00*=0x2516, lpOverlapped=0x1282fd0c) returned 1 [0201.239] GetFileType (hFile=0x3c4) returned 0x1 [0201.239] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x2516, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0201.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0201.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0201.240] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811498 | out: pbBuffer=0x12811498) returned 1 [0201.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e2b74c9d-38f9-4af3-849b-6f6ed185ffc9"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.240] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.240] WriteFile (in: hFile=0x448, lpBuffer=0x12925400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12925400*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.240] CloseHandle (hObject=0x448) returned 1 [0201.240] CloseHandle (hObject=0x3c4) returned 1 [0201.240] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128114b0 | out: pbBuffer=0x128114b0) returned 1 [0201.240] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e2b74c9d-38f9-4af3-849b-6f6ed185ffc9"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[A2F20ABAA4E1D4F2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[a2f20abaa4e1d4f2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.241] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0201.246] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0201.246] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0201.251] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0201.251] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0201.251] SetEvent (hEvent=0x40c) returned 1 [0201.251] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0201.261] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0201.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F0A28B79-40AC-459C-968D-4F68E9798715" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f0a28b79-40ac-459c-968d-4f68e9798715"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0201.262] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.262] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F0A28B79-40AC-459C-968D-4F68E9798715" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f0a28b79-40ac-459c-968d-4f68e9798715"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8424f42, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8424f42, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8427531, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x153e)) returned 1 [0201.262] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0201.262] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0201.262] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x153e, lpOverlapped=0x0) returned 1 [0201.270] GetFileType (hFile=0x3c4) returned 0x1 [0201.270] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.270] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x153e, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x1282fd00*=0x153e, lpOverlapped=0x1282fd0c) returned 1 [0201.271] GetFileType (hFile=0x3c4) returned 0x1 [0201.271] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x153e, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0201.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0201.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0201.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810228 | out: pbBuffer=0x12810228) returned 1 [0201.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F0A28B79-40AC-459C-968D-4F68E9798715" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f0a28b79-40ac-459c-968d-4f68e9798715"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.272] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.272] WriteFile (in: hFile=0x448, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.272] CloseHandle (hObject=0x448) returned 1 [0201.272] CloseHandle (hObject=0x3c4) returned 1 [0201.272] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0201.272] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F0A28B79-40AC-459C-968D-4F68E9798715" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f0a28b79-40ac-459c-968d-4f68e9798715"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[38316B89D6040F61]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[38316b89d6040f61]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.273] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F8C7174F-633A-4FA0-9187-67153391986A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f8c7174f-633a-4fa0-9187-67153391986a"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4df95, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d4df95, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d4df95, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1362)) returned 1 [0201.273] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F97CF839-8F66-44ED-8DB4-5A4D6D408F2E" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f97cf839-8f66-44ed-8db4-5a4d6d408f2e"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c2675f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c2675f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c2675f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x447b)) returned 1 [0201.273] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F8C7174F-633A-4FA0-9187-67153391986A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f8c7174f-633a-4fa0-9187-67153391986a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0201.274] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.274] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F8C7174F-633A-4FA0-9187-67153391986A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f8c7174f-633a-4fa0-9187-67153391986a"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4df95, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d4df95, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d4df95, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1362)) returned 1 [0201.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98420 | out: pbBuffer=0x12a98420) returned 1 [0201.274] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128107f0 | out: pbBuffer=0x128107f0) returned 1 [0201.274] ReadFile (in: hFile=0x3c4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282fd1c*=0x1362, lpOverlapped=0x0) returned 1 [0201.411] GetFileType (hFile=0x3c4) returned 0x1 [0201.411] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.411] WriteFile (in: hFile=0x3c4, lpBuffer=0x12902a00*, nNumberOfBytesToWrite=0x1362, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12902a00*, lpNumberOfBytesWritten=0x1282fd00*=0x1362, lpOverlapped=0x1282fd0c) returned 1 [0201.411] GetFileType (hFile=0x3c4) returned 0x1 [0201.411] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x1362, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0201.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0201.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801601 | out: pbBuffer=0x12801601) returned 1 [0201.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801701 | out: pbBuffer=0x12801701) returned 1 [0201.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810ad8 | out: pbBuffer=0x12810ad8) returned 1 [0201.412] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F8C7174F-633A-4FA0-9187-67153391986A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f8c7174f-633a-4fa0-9187-67153391986a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0201.412] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0201.412] WriteFile (in: hFile=0x15c, lpBuffer=0x12a40000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a40000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0201.413] CloseHandle (hObject=0x15c) returned 1 [0201.413] CloseHandle (hObject=0x3c4) returned 1 [0201.413] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810af0 | out: pbBuffer=0x12810af0) returned 1 [0201.413] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F8C7174F-633A-4FA0-9187-67153391986A" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f8c7174f-633a-4fa0-9187-67153391986a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[6CCEF94087291DBD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[6ccef94087291dbd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.414] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0201.418] SetEvent (hEvent=0x3f4) returned 1 [0201.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\4958AB69-A28E-4C1F-916A-BDF19CB99CF0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\4958ab69-a28e-4c1f-916a-bdf19cb99cf0"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0201.418] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.418] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\4958AB69-A28E-4C1F-916A-BDF19CB99CF0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\4958ab69-a28e-4c1f-916a-bdf19cb99cf0"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d374b6c, ftCreationTime.dwHighDateTime=0x1d7b058, ftLastAccessTime.dwLowDateTime=0x5d374b6c, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x5d37726a, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x21d15)) returned 1 [0201.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98a20 | out: pbBuffer=0x12a98a20) returned 1 [0201.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b38 | out: pbBuffer=0x12810b38) returned 1 [0201.419] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0201.421] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0201.421] SetEvent (hEvent=0x110) returned 1 [0201.421] SetEvent (hEvent=0x3f4) returned 1 [0201.421] ReadFile (in: hFile=0x15c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a73d1c*=0x20000, lpOverlapped=0x0) returned 1 [0201.551] SetEvent (hEvent=0x110) returned 1 [0201.552] GetFileType (hFile=0x15c) returned 0x1 [0201.553] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.553] WriteFile (in: hFile=0x15c, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12a73d00*=0x20000, lpOverlapped=0x12a73d0c) returned 1 [0201.554] GetFileType (hFile=0x15c) returned 0x1 [0201.554] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0201.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0201.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0201.555] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0201.555] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\4958AB69-A28E-4C1F-916A-BDF19CB99CF0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\4958ab69-a28e-4c1f-916a-bdf19cb99cf0"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.555] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0201.555] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.584] CloseHandle (hObject=0x448) returned 1 [0201.584] CloseHandle (hObject=0x15c) returned 1 [0201.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128106a8 | out: pbBuffer=0x128106a8) returned 1 [0201.585] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\4958AB69-A28E-4C1F-916A-BDF19CB99CF0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\4958ab69-a28e-4c1f-916a-bdf19cb99cf0"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\#_THIS_FILE_IS_ENCRYPTED_[C1AF5EBCFCE7F7F8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\#_this_file_is_encrypted_[c1af5ebcfce7f7f8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.627] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0201.645] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0201.742] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0204.185] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0204.379] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0204.414] SetEvent (hEvent=0x3f8) returned 1 [0204.414] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0204.452] SetEvent (hEvent=0x3f4) returned 1 [0204.454] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0204.790] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0205.945] SetEvent (hEvent=0x10c) returned 1 [0205.945] SetEvent (hEvent=0x19c) returned 1 [0205.945] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0205.951] SetEvent (hEvent=0x10c) returned 1 [0205.951] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0205.956] SetEvent (hEvent=0x10c) returned 1 [0205.956] SetEvent (hEvent=0x19c) returned 1 [0205.956] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.resources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0205.957] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0205.957] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.resources.dll"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x164ea204, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x164ea204, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ba724f0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0)) returned 1 [0205.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129281c0 | out: pbBuffer=0x129281c0) returned 1 [0205.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0205.957] ReadFile (in: hFile=0x3c4, lpBuffer=0x12986000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12986000*, lpNumberOfBytesRead=0x129a7d1c*=0x20000, lpOverlapped=0x0) returned 1 [0206.183] GetFileType (hFile=0x3c4) returned 0x1 [0206.183] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.183] WriteFile (in: hFile=0x3c4, lpBuffer=0x129ce000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x129ce000*, lpNumberOfBytesWritten=0x129a7d00*=0x20000, lpOverlapped=0x129a7d0c) returned 1 [0206.184] GetFileType (hFile=0x3c4) returned 0x1 [0206.185] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0206.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0206.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0206.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c342f0 | out: pbBuffer=0x12c342f0) returned 1 [0206.187] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.resources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.187] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.187] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.199] CloseHandle (hObject=0x42c) returned 1 [0206.199] CloseHandle (hObject=0x3c4) returned 1 [0206.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34308 | out: pbBuffer=0x12c34308) returned 1 [0206.199] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.resources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[4B24FF2EB42AA291]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[4b24ff2eb42aa291]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.200] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.201] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425801e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1425801e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x146118b3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0206.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928820 | out: pbBuffer=0x12928820) returned 1 [0206.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34350 | out: pbBuffer=0x12c34350) returned 1 [0206.201] ReadFile (in: hFile=0x3c4, lpBuffer=0x129ee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x129ee000*, lpNumberOfBytesRead=0x129a7d1c*=0x152c0, lpOverlapped=0x0) returned 1 [0206.217] GetFileType (hFile=0x3c4) returned 0x1 [0206.217] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.217] WriteFile (in: hFile=0x3c4, lpBuffer=0x1296c000*, nNumberOfBytesToWrite=0x152c0, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x1296c000*, lpNumberOfBytesWritten=0x129a7d00*=0x152c0, lpOverlapped=0x129a7d0c) returned 1 [0206.218] GetFileType (hFile=0x3c4) returned 0x1 [0206.218] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x152c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.218] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0206.218] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0206.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0206.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34408 | out: pbBuffer=0x12c34408) returned 1 [0206.219] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.219] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.219] WriteFile (in: hFile=0x42c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.219] CloseHandle (hObject=0x42c) returned 1 [0206.220] CloseHandle (hObject=0x3c4) returned 1 [0206.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34420 | out: pbBuffer=0x12c34420) returned 1 [0206.220] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\#_THIS_FILE_IS_ENCRYPTED_[D8D207347A65E3CB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\#_this_file_is_encrypted_[d8d207347a65e3cb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.221] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0206.236] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0206.243] SetEvent (hEvent=0x3f8) returned 1 [0206.243] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0206.248] SetEvent (hEvent=0x19c) returned 1 [0206.248] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15e0f45b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1610a43c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1610a43c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.249] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15e0f45b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15e0f45b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1610a43c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0206.249] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15e0f45b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15e0f45b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1610a43c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.249] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1610a43c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1610a43c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x16392bdd, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.249] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.249] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0206.249] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.250] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.250] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.250] WriteFile (in: hFile=0x42c, lpBuffer=0x12c20000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12c20000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.252] CloseHandle (hObject=0x42c) returned 1 [0206.252] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1610a43c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1610a43c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x16392bdd, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0206.253] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0206.267] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0206.267] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0206.281] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0206.281] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0206.286] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0206.286] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0206.286] SetEvent (hEvent=0x110) returned 1 [0206.286] SetEvent (hEvent=0x3f4) returned 1 [0206.286] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0206.288] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0206.289] GetFileType (hFile=0x1a0) returned 0x1 [0206.289] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.289] WriteFile (in: hFile=0x1a0, lpBuffer=0x129ae000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x129ae000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0206.290] GetFileType (hFile=0x1a0) returned 0x1 [0206.291] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.291] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0206.291] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0206.291] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0206.291] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0206.291] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncclient.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.292] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0206.292] WriteFile (in: hFile=0x42c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.336] CloseHandle (hObject=0x42c) returned 1 [0206.360] CloseHandle (hObject=0x1a0) returned 1 [0206.367] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0206.367] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncclient.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[B98B9F17CA00ADB5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[b98b9f17ca00adb5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.558] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0206.595] SetEvent (hEvent=0x10c) returned 1 [0206.595] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0206.595] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0206.595] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ac24464, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ac24464, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ad092fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0206.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128444e0 | out: pbBuffer=0x128444e0) returned 1 [0206.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848450 | out: pbBuffer=0x12848450) returned 1 [0206.596] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0206.598] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0206.598] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0206.599] SetEvent (hEvent=0x110) returned 1 [0206.599] SetEvent (hEvent=0x10c) returned 1 [0206.599] SetEvent (hEvent=0xfc) returned 1 [0206.599] ReadFile (in: hFile=0x1a0, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x129add1c*=0x156c0, lpOverlapped=0x0) returned 1 [0206.638] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0207.061] SetEvent (hEvent=0x10c) returned 1 [0207.062] SetEvent (hEvent=0x19c) returned 1 [0207.062] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0207.497] GetFileType (hFile=0x3c4) returned 0x1 [0207.497] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0207.497] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x123c, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x129add00*=0x123c, lpOverlapped=0x129add0c) returned 1 [0207.498] GetFileType (hFile=0x3c4) returned 0x1 [0207.498] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x123c, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0207.498] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0207.498] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0207.498] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0207.498] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810208 | out: pbBuffer=0x12810208) returned 1 [0207.499] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplaylogo.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0207.499] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0207.499] WriteFile (in: hFile=0x438, lpBuffer=0x128ae500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae500*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0207.499] CloseHandle (hObject=0x438) returned 1 [0207.607] CloseHandle (hObject=0x3c4) returned 1 [0207.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102f8 | out: pbBuffer=0x128102f8) returned 1 [0207.694] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplaylogo.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[6ECBB4E77FBFD3EA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[6ecbb4e77fbfd3ea]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0208.772] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0208.884] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0208.924] SetEvent (hEvent=0x3f8) returned 1 [0208.924] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0208.924] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0208.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf77c8633, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77c8633, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d9801d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x362c0)) returned 1 [0208.925] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928b00 | out: pbBuffer=0x12928b00) returned 1 [0208.925] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c343d8 | out: pbBuffer=0x12c343d8) returned 1 [0208.925] ReadFile (in: hFile=0x438, lpBuffer=0x129ae000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x129ae000*, lpNumberOfBytesRead=0x129abd1c*=0x20000, lpOverlapped=0x0) returned 1 [0208.935] GetFileType (hFile=0x438) returned 0x1 [0208.935] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0208.935] WriteFile (in: hFile=0x438, lpBuffer=0x129ee000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x129ee000*, lpNumberOfBytesWritten=0x129abd00*=0x20000, lpOverlapped=0x129abd0c) returned 1 [0208.936] GetFileType (hFile=0x438) returned 0x1 [0208.936] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0208.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0208.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0208.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0208.938] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34490 | out: pbBuffer=0x12c34490) returned 1 [0208.938] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncapi.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0208.939] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0208.940] WriteFile (in: hFile=0x42c, lpBuffer=0x12b40500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b40500*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0208.940] CloseHandle (hObject=0x42c) returned 1 [0208.945] CloseHandle (hObject=0x438) returned 1 [0208.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c344a8 | out: pbBuffer=0x12c344a8) returned 1 [0208.954] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncapi.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[9BA079585040427F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[9ba079585040427f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0209.964] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0210.008] SetEvent (hEvent=0x1d0) returned 1 [0210.008] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncshell.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0210.009] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0210.009] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncshell.dll"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2454520, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2454520, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x253922a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0)) returned 1 [0210.009] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844540 | out: pbBuffer=0x12844540) returned 1 [0210.009] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848430 | out: pbBuffer=0x12848430) returned 1 [0210.009] ReadFile (in: hFile=0x448, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x129abd1c*=0x20000, lpOverlapped=0x0) returned 1 [0210.021] GetFileType (hFile=0x448) returned 0x1 [0210.021] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0210.021] WriteFile (in: hFile=0x448, lpBuffer=0x12974000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12974000*, lpNumberOfBytesWritten=0x129abd00*=0x20000, lpOverlapped=0x129abd0c) returned 1 [0210.023] GetFileType (hFile=0x448) returned 0x1 [0210.023] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0210.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0210.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0210.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0210.024] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484f8 | out: pbBuffer=0x128484f8) returned 1 [0210.024] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncshell.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0210.025] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0210.025] WriteFile (in: hFile=0x438, lpBuffer=0x12850500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12850500*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0210.032] CloseHandle (hObject=0x438) returned 1 [0210.035] CloseHandle (hObject=0x448) returned 1 [0210.104] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848510 | out: pbBuffer=0x12848510) returned 1 [0210.104] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncshell.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[D7CCE33A95CED239]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[d7cce33a95ced239]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0210.309] SetEvent (hEvent=0xf4) returned 1 [0210.309] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotlogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0210.310] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0210.310] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotlogo.png"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x126710a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x126710a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x130c8fc0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x124b)) returned 1 [0210.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845340 | out: pbBuffer=0x12845340) returned 1 [0210.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128487e0 | out: pbBuffer=0x128487e0) returned 1 [0210.313] ReadFile (in: hFile=0x448, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x129abd1c*=0x124b, lpOverlapped=0x0) returned 1 [0210.318] GetFileType (hFile=0x448) returned 0x1 [0210.319] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0210.319] WriteFile (in: hFile=0x448, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x124b, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x129abd00*=0x124b, lpOverlapped=0x129abd0c) returned 1 [0210.319] GetFileType (hFile=0x448) returned 0x1 [0210.319] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x124b, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0210.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0210.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835001 | out: pbBuffer=0x12835001) returned 1 [0210.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835101 | out: pbBuffer=0x12835101) returned 1 [0210.320] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848908 | out: pbBuffer=0x12848908) returned 1 [0210.320] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotlogo.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0210.321] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0210.321] WriteFile (in: hFile=0x3c4, lpBuffer=0x12851400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12851400*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0210.321] CloseHandle (hObject=0x3c4) returned 1 [0210.326] CloseHandle (hObject=0x448) returned 1 [0210.330] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128489a0 | out: pbBuffer=0x128489a0) returned 1 [0210.330] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotlogo.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[6D41B1F2F97E315C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[6d41b1f2f97e315c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0211.469] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0211.970] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0212.288] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0212.288] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0212.288] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd779fe38, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd779fe38, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xda79b1fb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0212.289] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0212.289] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0212.461] SwitchToThread () returned 1 [0212.667] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a101 | out: pbBuffer=0x1286a101) returned 1 [0212.668] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a281 | out: pbBuffer=0x1286a281) returned 1 [0212.912] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810060 | out: pbBuffer=0x12810060) returned 1 [0212.913] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\syncengine.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0212.913] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0212.913] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0212.920] CloseHandle (hObject=0x3c4) returned 1 [0212.921] CloseHandle (hObject=0x438) returned 1 [0212.921] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810078 | out: pbBuffer=0x12810078) returned 1 [0212.930] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\syncengine.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[D9C33E51FA73CF7F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[d9c33e51fa73cf7f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0212.932] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0212.932] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0212.932] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec58f0d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec58f0d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0212.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98140 | out: pbBuffer=0x12a98140) returned 1 [0212.932] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128100e0 | out: pbBuffer=0x128100e0) returned 1 [0212.934] ReadFile (in: hFile=0x438, lpBuffer=0x12d6e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12d6e000*, lpNumberOfBytesRead=0x129add1c*=0xfcc0, lpOverlapped=0x0) returned 1 [0212.950] GetFileType (hFile=0x438) returned 0x1 [0212.950] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0212.950] WriteFile (in: hFile=0x438, lpBuffer=0x12a5a000*, nNumberOfBytesToWrite=0xfcc0, lpNumberOfBytesWritten=0x129add00, lpOverlapped=0x129add0c | out: lpBuffer=0x12a5a000*, lpNumberOfBytesWritten=0x129add00*=0xfcc0, lpOverlapped=0x129add0c) returned 1 [0212.951] GetFileType (hFile=0x438) returned 0x1 [0212.951] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x129adce4 | out: lpNewFilePointer=0x0) returned 1 [0212.951] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0212.951] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0212.964] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0212.965] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810198 | out: pbBuffer=0x12810198) returned 1 [0212.965] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0212.965] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0212.965] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129add0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x129add0c*=0x276, lpOverlapped=0x0) returned 1 [0212.965] CloseHandle (hObject=0x1a0) returned 1 [0212.966] CloseHandle (hObject=0x438) returned 1 [0212.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101b0 | out: pbBuffer=0x128101b0) returned 1 [0212.966] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\#_THIS_FILE_IS_ENCRYPTED_[754356EB6423504F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\#_this_file_is_encrypted_[754356eb6423504f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0212.993] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0212.998] SetEvent (hEvent=0x40c) returned 1 [0212.998] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0212.999] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0212.999] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a9ad0 | out: lpFileInformation=0x129a9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5cd1ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xed5cd1ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0212.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eac0 | out: pbBuffer=0x1280eac0) returned 1 [0212.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2e0 | out: pbBuffer=0x12a9a2e0) returned 1 [0213.000] ReadFile (in: hFile=0x438, lpBuffer=0x12984000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12984000*, lpNumberOfBytesRead=0x129a9d1c*=0x164c0, lpOverlapped=0x0) returned 1 [0213.176] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0213.195] SetEvent (hEvent=0x10c) returned 1 [0213.195] SetEvent (hEvent=0xf4) returned 1 [0213.196] GetFileType (hFile=0x438) returned 0x1 [0213.196] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.196] WriteFile (in: hFile=0x438, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x129a9d00, lpOverlapped=0x129a9d0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x129a9d00*=0x164c0, lpOverlapped=0x129a9d0c) returned 1 [0213.197] GetFileType (hFile=0x438) returned 0x1 [0213.197] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x129a9ce4 | out: lpNewFilePointer=0x0) returned 1 [0213.197] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0213.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0213.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0213.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0213.198] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.198] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a9d0c | out: lpMode=0x129a9d0c) returned 0 [0213.198] WriteFile (in: hFile=0x15c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x129a9d0c*=0x276, lpOverlapped=0x0) returned 1 [0213.199] CloseHandle (hObject=0x15c) returned 1 [0213.199] CloseHandle (hObject=0x438) returned 1 [0213.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340c8 | out: pbBuffer=0x12c340c8) returned 1 [0213.199] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\#_THIS_FILE_IS_ENCRYPTED_[D5617673679D1D2B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\#_this_file_is_encrypted_[d5617673679d1d2b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.410] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0213.444] SetEvent (hEvent=0xf4) returned 1 [0213.444] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0213.445] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0213.445] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1bfc6d0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf1bfc6d0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1f43a35, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0213.445] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0213.445] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0213.445] ReadFile (in: hFile=0x438, lpBuffer=0x129ae000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x129ae000*, lpNumberOfBytesRead=0x129abd1c*=0xf2c0, lpOverlapped=0x0) returned 1 [0213.517] SetEvent (hEvent=0x110) returned 1 [0213.517] GetFileType (hFile=0x438) returned 0x1 [0213.517] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0213.517] WriteFile (in: hFile=0x438, lpBuffer=0x12a5a000*, nNumberOfBytesToWrite=0xf2c0, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12a5a000*, lpNumberOfBytesWritten=0x129abd00*=0xf2c0, lpOverlapped=0x129abd0c) returned 1 [0213.518] GetFileType (hFile=0x438) returned 0x1 [0213.518] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xf2c0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0213.518] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0213.519] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0213.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0213.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a110 | out: pbBuffer=0x12a9a110) returned 1 [0213.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.520] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0213.520] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a2e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a2e000*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0213.521] CloseHandle (hObject=0x3c4) returned 1 [0213.521] CloseHandle (hObject=0x438) returned 1 [0213.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a128 | out: pbBuffer=0x12a9a128) returned 1 [0213.521] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\#_THIS_FILE_IS_ENCRYPTED_[707054FF89C8CF3F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\#_this_file_is_encrypted_[707054ff89c8cf3f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.522] SetEvent (hEvent=0xfc) returned 1 [0213.522] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0213.523] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0213.523] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8878a7e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0213.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844560 | out: pbBuffer=0x12844560) returned 1 [0213.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a170 | out: pbBuffer=0x12a9a170) returned 1 [0213.523] ReadFile (in: hFile=0x438, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x129abd1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0213.576] GetFileType (hFile=0x438) returned 0x1 [0213.576] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0213.576] WriteFile (in: hFile=0x438, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x129abd00*=0x15ac0, lpOverlapped=0x129abd0c) returned 1 [0213.577] GetFileType (hFile=0x438) returned 0x1 [0213.577] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0213.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a01 | out: pbBuffer=0x12834a01) returned 1 [0213.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0213.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c01 | out: pbBuffer=0x12834c01) returned 1 [0213.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a248 | out: pbBuffer=0x12a9a248) returned 1 [0213.578] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.578] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0213.578] WriteFile (in: hFile=0x15c, lpBuffer=0x12a2e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a2e500*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0213.579] CloseHandle (hObject=0x15c) returned 1 [0213.579] CloseHandle (hObject=0x438) returned 1 [0213.579] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a260 | out: pbBuffer=0x12a9a260) returned 1 [0213.579] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\#_THIS_FILE_IS_ENCRYPTED_[05AB47372488F0A7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\#_this_file_is_encrypted_[05ab47372488f0a7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.608] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0213.709] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0213.724] SetEvent (hEvent=0xfc) returned 1 [0213.724] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0213.832] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0213.885] SetEvent (hEvent=0x3f8) returned 1 [0213.885] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.886] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0213.886] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe683ed2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe683ed2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xff2499db, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0213.886] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e420 | out: pbBuffer=0x1280e420) returned 1 [0213.886] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae70 | out: pbBuffer=0x12a9ae70) returned 1 [0213.886] ReadFile (in: hFile=0x15c, lpBuffer=0x12b9e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b9e000*, lpNumberOfBytesRead=0x1282fd1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0213.918] GetFileType (hFile=0x15c) returned 0x1 [0213.918] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0213.918] WriteFile (in: hFile=0x15c, lpBuffer=0x129f8000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x129f8000*, lpNumberOfBytesWritten=0x1282fd00*=0x15cc0, lpOverlapped=0x1282fd0c) returned 1 [0213.919] GetFileType (hFile=0x15c) returned 0x1 [0213.919] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0213.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0213.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0213.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0213.920] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b030 | out: pbBuffer=0x12a9b030) returned 1 [0213.920] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0213.921] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0213.921] WriteFile (in: hFile=0x3c4, lpBuffer=0x12924500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12924500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0213.921] CloseHandle (hObject=0x3c4) returned 1 [0213.921] CloseHandle (hObject=0x15c) returned 1 [0213.921] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b048 | out: pbBuffer=0x12a9b048) returned 1 [0213.922] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\#_THIS_FILE_IS_ENCRYPTED_[304B17B992438ED1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\#_this_file_is_encrypted_[304b17b992438ed1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0213.989] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0213.998] SetEvent (hEvent=0x10c) returned 1 [0213.998] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0213.998] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0213.998] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ba12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb4ba12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1a7e8c8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0213.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98820 | out: pbBuffer=0x12a98820) returned 1 [0213.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128108b8 | out: pbBuffer=0x128108b8) returned 1 [0213.999] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0214.003] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0214.015] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0214.015] SetEvent (hEvent=0x110) returned 1 [0214.015] SetEvent (hEvent=0x10c) returned 1 [0214.016] ReadFile (in: hFile=0x15c, lpBuffer=0x12a0e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a0e000*, lpNumberOfBytesRead=0x12be7d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0214.104] GetFileType (hFile=0x15c) returned 0x1 [0214.105] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.105] WriteFile (in: hFile=0x15c, lpBuffer=0x12d38000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12d38000*, lpNumberOfBytesWritten=0x12be7d00*=0x15cc0, lpOverlapped=0x12be7d0c) returned 1 [0214.105] GetFileType (hFile=0x15c) returned 0x1 [0214.105] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801901 | out: pbBuffer=0x12801901) returned 1 [0214.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801a01 | out: pbBuffer=0x12801a01) returned 1 [0214.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b01 | out: pbBuffer=0x12801b01) returned 1 [0214.106] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810970 | out: pbBuffer=0x12810970) returned 1 [0214.106] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.107] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0214.107] WriteFile (in: hFile=0x438, lpBuffer=0x1297b900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x1297b900*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.108] CloseHandle (hObject=0x438) returned 1 [0214.108] CloseHandle (hObject=0x15c) returned 1 [0214.108] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810988 | out: pbBuffer=0x12810988) returned 1 [0214.108] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\#_THIS_FILE_IS_ENCRYPTED_[8F2DF2FE7E194C1B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\#_this_file_is_encrypted_[8f2df2fe7e194c1b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.110] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0214.113] SetEvent (hEvent=0x40c) returned 1 [0214.113] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0214.114] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0214.114] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6d7e5c9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0214.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98a40 | out: pbBuffer=0x12a98a40) returned 1 [0214.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109d0 | out: pbBuffer=0x128109d0) returned 1 [0214.115] ReadFile (in: hFile=0x15c, lpBuffer=0x12d4e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d4e000*, lpNumberOfBytesRead=0x12be7d1c*=0x14cc0, lpOverlapped=0x0) returned 1 [0214.155] GetFileType (hFile=0x15c) returned 0x1 [0214.155] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.155] WriteFile (in: hFile=0x15c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x14cc0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12be7d00*=0x14cc0, lpOverlapped=0x12be7d0c) returned 1 [0214.156] GetFileType (hFile=0x15c) returned 0x1 [0214.156] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x14cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0214.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0214.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0214.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483c0 | out: pbBuffer=0x128483c0) returned 1 [0214.157] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0214.157] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0214.157] WriteFile (in: hFile=0x3c4, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.157] CloseHandle (hObject=0x3c4) returned 1 [0214.158] CloseHandle (hObject=0x15c) returned 1 [0214.158] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483d8 | out: pbBuffer=0x128483d8) returned 1 [0214.158] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\#_THIS_FILE_IS_ENCRYPTED_[165B8136AC84AE88]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\#_this_file_is_encrypted_[165b8136ac84ae88]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.159] SetEvent (hEvent=0xf4) returned 1 [0214.159] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0214.160] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0214.160] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fea519, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x8fea519, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9aa4e53, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0214.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e700 | out: pbBuffer=0x1280e700) returned 1 [0214.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848430 | out: pbBuffer=0x12848430) returned 1 [0214.160] ReadFile (in: hFile=0x15c, lpBuffer=0x12c9a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c9a000*, lpNumberOfBytesRead=0x12be7d1c*=0x164c0, lpOverlapped=0x0) returned 1 [0214.322] GetFileType (hFile=0x15c) returned 0x1 [0214.322] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.322] WriteFile (in: hFile=0x15c, lpBuffer=0x12ce2000*, nNumberOfBytesToWrite=0x164c0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12ce2000*, lpNumberOfBytesWritten=0x12be7d00*=0x164c0, lpOverlapped=0x12be7d0c) returned 1 [0214.324] GetFileType (hFile=0x15c) returned 0x1 [0214.324] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x164c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801381 | out: pbBuffer=0x12801381) returned 1 [0214.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801481 | out: pbBuffer=0x12801481) returned 1 [0214.340] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0214.341] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848fe0 | out: pbBuffer=0x12848fe0) returned 1 [0214.341] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0214.342] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0214.342] WriteFile (in: hFile=0x44c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.342] CloseHandle (hObject=0x44c) returned 1 [0214.356] CloseHandle (hObject=0x15c) returned 1 [0214.356] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849008 | out: pbBuffer=0x12849008) returned 1 [0214.356] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\#_THIS_FILE_IS_ENCRYPTED_[B0D45E20D3669A20]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\#_this_file_is_encrypted_[b0d45e20d3669a20]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.522] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0214.628] SetEvent (hEvent=0xfc) returned 1 [0214.628] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.629] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0214.629] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc88a52c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc88a52c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd4e8897, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0)) returned 1 [0214.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f180 | out: pbBuffer=0x1280f180) returned 1 [0214.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849378 | out: pbBuffer=0x12849378) returned 1 [0214.629] ReadFile (in: hFile=0x438, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12be5d1c*=0x16cc0, lpOverlapped=0x0) returned 1 [0214.643] GetFileType (hFile=0x438) returned 0x1 [0214.643] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.643] WriteFile (in: hFile=0x438, lpBuffer=0x12bc8000*, nNumberOfBytesToWrite=0x16cc0, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12bc8000*, lpNumberOfBytesWritten=0x12be5d00*=0x16cc0, lpOverlapped=0x12be5d0c) returned 1 [0214.643] GetFileType (hFile=0x438) returned 0x1 [0214.643] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x16cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0214.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0214.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0214.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0214.645] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0214.645] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0214.645] WriteFile (in: hFile=0x15c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.645] CloseHandle (hObject=0x15c) returned 1 [0214.645] CloseHandle (hObject=0x438) returned 1 [0214.645] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0214.646] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\#_THIS_FILE_IS_ENCRYPTED_[912B9A8781172E41]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\#_this_file_is_encrypted_[912b9a8781172e41]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.647] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.647] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0214.647] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb049b8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdb049b8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdee5c50, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0214.648] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e700 | out: pbBuffer=0x1280e700) returned 1 [0214.648] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848400 | out: pbBuffer=0x12848400) returned 1 [0214.648] ReadFile (in: hFile=0x438, lpBuffer=0x1297c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x1297c000*, lpNumberOfBytesRead=0x12be3d1c*=0x174c0, lpOverlapped=0x0) returned 1 [0214.674] GetFileType (hFile=0x438) returned 0x1 [0214.674] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.674] WriteFile (in: hFile=0x438, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x174c0, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be3d00*=0x174c0, lpOverlapped=0x12be3d0c) returned 1 [0214.675] GetFileType (hFile=0x438) returned 0x1 [0214.675] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x174c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0214.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0214.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0214.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484d8 | out: pbBuffer=0x128484d8) returned 1 [0214.676] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0214.676] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0214.677] WriteFile (in: hFile=0x15c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.677] CloseHandle (hObject=0x15c) returned 1 [0214.677] CloseHandle (hObject=0x438) returned 1 [0214.677] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484f0 | out: pbBuffer=0x128484f0) returned 1 [0214.677] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\#_THIS_FILE_IS_ENCRYPTED_[02BF0AFFF1E4F6E1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\#_this_file_is_encrypted_[02bf0afff1e4f6e1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.679] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0214.682] SetEvent (hEvent=0x3f8) returned 1 [0214.682] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0214.683] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0214.683] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedb3e67, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xedb3e67, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xfb947ac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0214.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e960 | out: pbBuffer=0x1280e960) returned 1 [0214.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848538 | out: pbBuffer=0x12848538) returned 1 [0214.698] ReadFile (in: hFile=0x438, lpBuffer=0x1299c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x1299c000*, lpNumberOfBytesRead=0x12829d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0214.767] GetFileType (hFile=0x438) returned 0x1 [0214.767] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.767] WriteFile (in: hFile=0x438, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12829d00*=0x15ec0, lpOverlapped=0x12829d0c) returned 1 [0214.768] GetFileType (hFile=0x438) returned 0x1 [0214.768] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.768] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae01 | out: pbBuffer=0x1286ae01) returned 1 [0214.768] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af01 | out: pbBuffer=0x1286af01) returned 1 [0214.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b081 | out: pbBuffer=0x1286b081) returned 1 [0214.769] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0214.769] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0214.769] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0214.769] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0214.770] CloseHandle (hObject=0x42c) returned 1 [0214.770] CloseHandle (hObject=0x438) returned 1 [0214.770] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848638 | out: pbBuffer=0x12848638) returned 1 [0214.771] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\#_THIS_FILE_IS_ENCRYPTED_[D8CAAE98045272E5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\#_this_file_is_encrypted_[d8caae98045272e5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0214.772] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0214.813] SetEvent (hEvent=0x10c) returned 1 [0214.813] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0214.814] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0214.814] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x133517d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x133517d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x135ad91f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0214.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844560 | out: pbBuffer=0x12844560) returned 1 [0214.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810190 | out: pbBuffer=0x12810190) returned 1 [0214.815] ReadFile (in: hFile=0x42c, lpBuffer=0x12cd4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cd4000*, lpNumberOfBytesRead=0x12be7d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0214.881] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0214.892] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0214.906] SetEvent (hEvent=0x10c) returned 1 [0214.907] GetFileType (hFile=0x42c) returned 0x1 [0214.907] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0214.907] WriteFile (in: hFile=0x42c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12be7d00*=0x15ac0, lpOverlapped=0x12be7d0c) returned 1 [0215.502] GetFileType (hFile=0x42c) returned 0x1 [0215.502] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0215.502] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0215.502] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0215.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0215.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8420 | out: pbBuffer=0x128e8420) returned 1 [0215.503] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0215.503] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0215.503] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b16000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b16000*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0215.510] CloseHandle (hObject=0x3c4) returned 1 [0215.510] CloseHandle (hObject=0x42c) returned 1 [0215.541] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8438 | out: pbBuffer=0x128e8438) returned 1 [0215.541] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\#_THIS_FILE_IS_ENCRYPTED_[7116499F2197C34E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\#_this_file_is_encrypted_[7116499f2197c34e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0215.577] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0217.547] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0218.264] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0218.265] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0218.265] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x174cef11, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x174cef11, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17ac4b94, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0218.265] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e700 | out: pbBuffer=0x1280e700) returned 1 [0218.265] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8480 | out: pbBuffer=0x128e8480) returned 1 [0218.267] ReadFile (in: hFile=0x3c4, lpBuffer=0x12d52000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d52000*, lpNumberOfBytesRead=0x12be7d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0218.424] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0218.568] GetFileType (hFile=0x3c4) returned 0x1 [0218.568] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0218.568] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d72000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12d72000*, lpNumberOfBytesWritten=0x12be7d00*=0x156c0, lpOverlapped=0x12be7d0c) returned 1 [0218.569] GetFileType (hFile=0x3c4) returned 0x1 [0218.570] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0218.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0218.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0218.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0218.736] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848810 | out: pbBuffer=0x12848810) returned 1 [0218.736] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0218.737] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0218.737] WriteFile (in: hFile=0x42c, lpBuffer=0x12cf8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12cf8000*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0218.737] CloseHandle (hObject=0x42c) returned 1 [0218.737] CloseHandle (hObject=0x3c4) returned 1 [0218.738] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848838 | out: pbBuffer=0x12848838) returned 1 [0218.738] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\#_THIS_FILE_IS_ENCRYPTED_[990E750C34F82F09]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\#_this_file_is_encrypted_[990e750c34f82f09]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0218.740] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0218.741] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0218.741] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aec60c3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aec60c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bb96a1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0218.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844a60 | out: pbBuffer=0x12844a60) returned 1 [0218.741] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128488c0 | out: pbBuffer=0x128488c0) returned 1 [0218.755] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0218.809] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0218.872] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0218.872] SetEvent (hEvent=0x110) returned 1 [0218.872] SetEvent (hEvent=0x3f8) returned 1 [0218.872] ReadFile (in: hFile=0x3c4, lpBuffer=0x12a1c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a1c000*, lpNumberOfBytesRead=0x12be7d1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0219.057] GetFileType (hFile=0x3c4) returned 0x1 [0219.057] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0219.057] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12be7d00, lpOverlapped=0x12be7d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12be7d00*=0x15ac0, lpOverlapped=0x12be7d0c) returned 1 [0219.058] GetFileType (hFile=0x3c4) returned 0x1 [0219.058] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12be7ce4 | out: lpNewFilePointer=0x0) returned 1 [0219.059] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0219.059] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0219.059] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0219.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0219.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0219.060] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0219.060] WriteFile (in: hFile=0x42c, lpBuffer=0x12ae2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be7d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ae2000*, lpNumberOfBytesWritten=0x12be7d0c*=0x276, lpOverlapped=0x0) returned 1 [0219.060] CloseHandle (hObject=0x42c) returned 1 [0219.060] CloseHandle (hObject=0x3c4) returned 1 [0219.061] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0219.061] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\#_THIS_FILE_IS_ENCRYPTED_[5E522286C8B2835D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\#_this_file_is_encrypted_[5e522286c8b2835d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0219.488] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0219.666] SetEvent (hEvent=0xf4) returned 1 [0219.699] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0219.700] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0219.700] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1478f592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1478f592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x149cb731, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40)) returned 1 [0219.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928080 | out: pbBuffer=0x12928080) returned 1 [0219.701] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a098 | out: pbBuffer=0x12a9a098) returned 1 [0219.701] ReadFile (in: hFile=0x3c4, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12be3d1c*=0x20000, lpOverlapped=0x0) returned 1 [0219.902] GetFileType (hFile=0x3c4) returned 0x1 [0219.902] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0219.902] WriteFile (in: hFile=0x3c4, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12be3d00*=0x20000, lpOverlapped=0x12be3d0c) returned 1 [0219.903] GetFileType (hFile=0x3c4) returned 0x1 [0219.903] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0219.913] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0219.914] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0219.914] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0219.959] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a170 | out: pbBuffer=0x12a9a170) returned 1 [0219.959] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmapi.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0219.959] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0219.959] WriteFile (in: hFile=0x15c, lpBuffer=0x1285a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be3d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285a500*, lpNumberOfBytesWritten=0x12be3d0c*=0x276, lpOverlapped=0x0) returned 1 [0219.960] CloseHandle (hObject=0x15c) returned 1 [0219.960] CloseHandle (hObject=0x3c4) returned 1 [0219.960] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a188 | out: pbBuffer=0x12a9a188) returned 1 [0219.960] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmapi.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\#_THIS_FILE_IS_ENCRYPTED_[42C560D4782B0131]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\#_this_file_is_encrypted_[42c560d4782b0131]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0220.020] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0220.220] SetEvent (hEvent=0x1b8) returned 1 [0220.220] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplaylogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0220.221] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be7d0c | out: lpMode=0x12be7d0c) returned 0 [0220.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x12be7ad0 | out: lpFileInformation=0x12be7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c2263c9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2263c9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c416268, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0220.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e3e0 | out: pbBuffer=0x1280e3e0) returned 1 [0220.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0220.222] ReadFile (in: hFile=0x42c, lpBuffer=0x12d0e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d0e000*, lpNumberOfBytesRead=0x12be7d1c*=0x123c, lpOverlapped=0x0) returned 1 [0222.563] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0222.564] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12be3d0c | out: lpMode=0x12be3d0c) returned 0 [0222.564] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x12be3ad0 | out: lpFileInformation=0x12be3ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f863ecc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f863ecc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0222.564] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eba0 | out: pbBuffer=0x1280eba0) returned 1 [0222.564] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8520 | out: pbBuffer=0x128e8520) returned 1 [0222.565] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c90000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c90000*, lpNumberOfBytesRead=0x12be3d1c*=0x16da, lpOverlapped=0x0) returned 1 [0222.710] GetFileType (hFile=0x1a0) returned 0x1 [0222.711] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0222.711] WriteFile (in: hFile=0x1a0, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x16da, lpNumberOfBytesWritten=0x12be3d00, lpOverlapped=0x12be3d0c | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x12be3d00*=0x16da, lpOverlapped=0x12be3d0c) returned 1 [0222.711] GetFileType (hFile=0x1a0) returned 0x1 [0222.711] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x16da, lpNewFilePointer=0x0, dwMoveMethod=0x12be3ce4 | out: lpNewFilePointer=0x0) returned 1 [0223.203] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800501 | out: pbBuffer=0x12800501) returned 1 [0223.215] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0223.216] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0223.577] SetEvent (hEvent=0xf4) returned 1 [0223.621] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0224.182] SetEvent (hEvent=0xf4) returned 1 [0224.182] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0224.425] SwitchToThread () returned 1 [0224.457] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0224.617] SetEvent (hEvent=0x3cc) returned 1 [0224.617] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0224.730] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0224.856] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0224.956] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0224.989] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0225.000] SetEvent (hEvent=0x10c) returned 1 [0225.000] SetEvent (hEvent=0x3f4) returned 1 [0225.000] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0225.004] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0225.004] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0225.004] SetEvent (hEvent=0x3f4) returned 1 [0225.004] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0225.007] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0225.007] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0225.779] SetEvent (hEvent=0x3cc) returned 1 [0225.779] SetEvent (hEvent=0x10c) returned 1 [0225.780] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0225.796] SetEvent (hEvent=0x3f4) returned 1 [0225.796] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0236.099] SetEvent (hEvent=0xf4) returned 1 [0236.099] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0236.103] SetEvent (hEvent=0xf4) returned 1 [0236.103] SetEvent (hEvent=0x3f8) returned 1 [0236.103] SwitchToThread () returned 1 [0236.104] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0236.218] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0236.347] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0236.416] SetEvent (hEvent=0x40c) returned 1 [0236.416] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmwrapper.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0236.417] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0236.417] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmwrapper.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x237ffd48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x237ffd48, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x245604a7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0)) returned 1 [0236.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0236.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0236.417] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12a65d1c*=0x9ac0, lpOverlapped=0x0) returned 1 [0236.484] GetFileType (hFile=0x3e4) returned 0x1 [0236.484] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.484] WriteFile (in: hFile=0x3e4, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x9ac0, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12a65d00*=0x9ac0, lpOverlapped=0x12a65d0c) returned 1 [0236.502] GetFileType (hFile=0x3e4) returned 0x1 [0236.502] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x9ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.502] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0236.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0236.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0236.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a110 | out: pbBuffer=0x12a9a110) returned 1 [0236.505] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmwrapper.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0236.506] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0236.506] WriteFile (in: hFile=0x45c, lpBuffer=0x1285e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285e000*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0236.506] CloseHandle (hObject=0x45c) returned 1 [0236.539] CloseHandle (hObject=0x3e4) returned 1 [0236.549] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1f8 | out: pbBuffer=0x12a9a1f8) returned 1 [0236.549] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmwrapper.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[3E5978F9D6FC91E6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[3e5978f9d6fc91e6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.698] SetEvent (hEvent=0x19c) returned 1 [0236.699] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wnsclientapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0236.699] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0236.699] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wnsclientapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3949b564, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3949b564, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a77d98f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5d6c0)) returned 1 [0236.699] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284c0 | out: pbBuffer=0x129284c0) returned 1 [0236.700] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a7e0 | out: pbBuffer=0x12a9a7e0) returned 1 [0236.700] ReadFile (in: hFile=0x44c, lpBuffer=0x12d28000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d28000*, lpNumberOfBytesRead=0x12a65d1c*=0x20000, lpOverlapped=0x0) returned 1 [0236.919] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0236.959] SetEvent (hEvent=0x1b8) returned 1 [0236.959] GetFileType (hFile=0x44c) returned 0x1 [0236.960] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.960] WriteFile (in: hFile=0x44c, lpBuffer=0x12a00000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12a00000*, lpNumberOfBytesWritten=0x12a65d00*=0x20000, lpOverlapped=0x12a65d0c) returned 1 [0236.961] GetFileType (hFile=0x44c) returned 0x1 [0236.961] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.961] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0236.962] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0236.962] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0236.962] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e91e0 | out: pbBuffer=0x128e91e0) returned 1 [0236.962] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wnsclientapi.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0236.963] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0236.963] WriteFile (in: hFile=0x3e4, lpBuffer=0x12d6c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d6c000*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0236.967] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.008] CloseHandle (hObject=0x3e4) returned 1 [0237.008] CloseHandle (hObject=0x44c) returned 1 [0237.008] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34108 | out: pbBuffer=0x12c34108) returned 1 [0237.008] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wnsclientapi.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\#_THIS_FILE_IS_ENCRYPTED_[45D961CD62604934]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\#_this_file_is_encrypted_[45d961cd62604934]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.010] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.014] SetEvent (hEvent=0xfc) returned 1 [0237.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncapi64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0237.038] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0237.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncapi64.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be5ad0 | out: lpFileInformation=0x12be5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c993fab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c993fab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3e46677b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x45cc0)) returned 1 [0237.038] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88200 | out: pbBuffer=0x12b88200) returned 1 [0237.039] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34150 | out: pbBuffer=0x12c34150) returned 1 [0237.039] ReadFile (in: hFile=0x44c, lpBuffer=0x12d48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be5d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d48000*, lpNumberOfBytesRead=0x12be5d1c*=0x20000, lpOverlapped=0x0) returned 1 [0237.055] GetFileType (hFile=0x44c) returned 0x1 [0237.055] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.055] WriteFile (in: hFile=0x44c, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be5d00, lpOverlapped=0x12be5d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12be5d00*=0x20000, lpOverlapped=0x12be5d0c) returned 1 [0237.056] GetFileType (hFile=0x44c) returned 0x1 [0237.056] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be5ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0237.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0237.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0237.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34208 | out: pbBuffer=0x12c34208) returned 1 [0237.057] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncapi64.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.058] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12be5d0c | out: lpMode=0x12be5d0c) returned 0 [0237.058] WriteFile (in: hFile=0x450, lpBuffer=0x12d6ca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be5d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d6ca00*, lpNumberOfBytesWritten=0x12be5d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.090] CloseHandle (hObject=0x450) returned 1 [0237.096] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.101] CloseHandle (hObject=0x44c) returned 1 [0237.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34220 | out: pbBuffer=0x12c34220) returned 1 [0237.115] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncapi64.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\#_THIS_FILE_IS_ENCRYPTED_[A51BC0EDC15DFF11]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\#_this_file_is_encrypted_[a51bc0edc15dff11]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.150] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.182] SetEvent (hEvent=0x40c) returned 1 [0237.182] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.187] SetEvent (hEvent=0xfc) returned 1 [0237.187] SetEvent (hEvent=0x1b8) returned 1 [0237.187] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.343] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.363] SetEvent (hEvent=0xfc) returned 1 [0237.363] SwitchToThread () returned 1 [0237.370] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.412] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.467] SetEvent (hEvent=0xfc) returned 1 [0237.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0237.469] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.469] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7445ea47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7445ea47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7470d604, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0237.469] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0237.469] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0237.469] ReadFile (in: hFile=0x3e4, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x1282fd1c*=0x168c0, lpOverlapped=0x0) returned 1 [0237.526] GetFileType (hFile=0x3e4) returned 0x1 [0237.526] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.526] WriteFile (in: hFile=0x3e4, lpBuffer=0x12cda000*, nNumberOfBytesToWrite=0x168c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12cda000*, lpNumberOfBytesWritten=0x1282fd00*=0x168c0, lpOverlapped=0x1282fd0c) returned 1 [0237.526] GetFileType (hFile=0x3e4) returned 0x1 [0237.526] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x168c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0237.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0237.527] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0237.528] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0237.528] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0237.528] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.528] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0237.528] CloseHandle (hObject=0x458) returned 1 [0237.529] CloseHandle (hObject=0x3e4) returned 1 [0237.529] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0237.529] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\#_THIS_FILE_IS_ENCRYPTED_[6A98929DACCA2E8F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\#_this_file_is_encrypted_[6a98929dacca2e8f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.531] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0237.531] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.531] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7512f465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7512f465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7568cb81, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0237.531] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0237.532] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0237.532] ReadFile (in: hFile=0x3e4, lpBuffer=0x12cf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf2000*, lpNumberOfBytesRead=0x1282fd1c*=0x156c0, lpOverlapped=0x0) returned 1 [0237.552] GetFileType (hFile=0x3e4) returned 0x1 [0237.552] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.552] WriteFile (in: hFile=0x3e4, lpBuffer=0x12d32000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12d32000*, lpNumberOfBytesWritten=0x1282fd00*=0x156c0, lpOverlapped=0x1282fd0c) returned 1 [0237.553] GetFileType (hFile=0x3e4) returned 0x1 [0237.553] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0237.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0237.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0237.553] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0237.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341d8 | out: pbBuffer=0x12c341d8) returned 1 [0237.554] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.554] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0237.554] WriteFile (in: hFile=0x450, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0237.554] CloseHandle (hObject=0x450) returned 1 [0237.554] CloseHandle (hObject=0x3e4) returned 1 [0237.554] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341f0 | out: pbBuffer=0x12c341f0) returned 1 [0237.555] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\#_THIS_FILE_IS_ENCRYPTED_[3B81BEE9682BD2EE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\#_this_file_is_encrypted_[3b81bee9682bd2ee]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.590] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.598] SetEvent (hEvent=0x1d0) returned 1 [0237.598] SetEvent (hEvent=0x19c) returned 1 [0237.598] SwitchToThread () returned 1 [0237.630] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.748] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0237.749] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.749] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7641c0ca, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7641c0ca, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76a5e2f9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0)) returned 1 [0237.749] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0237.749] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0237.749] ReadFile (in: hFile=0x3e4, lpBuffer=0x12d68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d68000*, lpNumberOfBytesRead=0x12a65d1c*=0x17ec0, lpOverlapped=0x0) returned 1 [0237.761] GetFileType (hFile=0x3e4) returned 0x1 [0237.761] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.761] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ba0000*, nNumberOfBytesToWrite=0x17ec0, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12ba0000*, lpNumberOfBytesWritten=0x12a65d00*=0x17ec0, lpOverlapped=0x12a65d0c) returned 1 [0237.762] GetFileType (hFile=0x3e4) returned 0x1 [0237.762] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x17ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0237.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc181 | out: pbBuffer=0x12afc181) returned 1 [0237.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc281 | out: pbBuffer=0x12afc281) returned 1 [0237.763] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0237.763] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0237.763] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0237.763] WriteFile (in: hFile=0x450, lpBuffer=0x12c24000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c24000*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.763] CloseHandle (hObject=0x450) returned 1 [0237.764] CloseHandle (hObject=0x3e4) returned 1 [0237.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0237.764] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\#_THIS_FILE_IS_ENCRYPTED_[5EA00FD57B473544]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\#_this_file_is_encrypted_[5ea00fd57b473544]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.853] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0237.866] SetEvent (hEvent=0x1b8) returned 1 [0237.866] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0237.868] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0237.868] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773c1775, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x773c1775, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x778ac20d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0)) returned 1 [0237.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e740 | out: pbBuffer=0x1280e740) returned 1 [0237.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0237.868] ReadFile (in: hFile=0x3e4, lpBuffer=0x12bb8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bb8000*, lpNumberOfBytesRead=0x12a63d1c*=0x17cc0, lpOverlapped=0x0) returned 1 [0237.884] GetFileType (hFile=0x3e4) returned 0x1 [0237.884] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.884] WriteFile (in: hFile=0x3e4, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x17cc0, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12a63d00*=0x17cc0, lpOverlapped=0x12a63d0c) returned 1 [0237.885] GetFileType (hFile=0x3e4) returned 0x1 [0237.885] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x17cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0237.885] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0237.885] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0237.885] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0237.886] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341d8 | out: pbBuffer=0x12c341d8) returned 1 [0237.886] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0237.886] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0237.886] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0237.886] CloseHandle (hObject=0x42c) returned 1 [0237.886] CloseHandle (hObject=0x3e4) returned 1 [0237.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34200 | out: pbBuffer=0x12c34200) returned 1 [0237.887] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\#_THIS_FILE_IS_ENCRYPTED_[D20C908DFFBDC908]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\#_this_file_is_encrypted_[d20c908dffbdc908]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0237.915] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.073] SetEvent (hEvent=0x1b8) returned 1 [0238.073] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.078] SetEvent (hEvent=0x19c) returned 1 [0238.078] SetEvent (hEvent=0xfc) returned 1 [0238.078] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.111] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.123] SetEvent (hEvent=0xfc) returned 1 [0238.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.123] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a69d0c | out: lpMode=0x12a69d0c) returned 0 [0238.123] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a69ad0 | out: lpFileInformation=0x12a69ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b90bbb9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b90bbb9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7bad5697, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0238.124] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0238.124] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0238.124] ReadFile (in: hFile=0x44c, lpBuffer=0x12cbc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a69d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cbc000*, lpNumberOfBytesRead=0x12a69d1c*=0x15cc0, lpOverlapped=0x0) returned 1 [0238.141] GetFileType (hFile=0x44c) returned 0x1 [0238.141] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a69ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.142] WriteFile (in: hFile=0x44c, lpBuffer=0x12d34000*, nNumberOfBytesToWrite=0x15cc0, lpNumberOfBytesWritten=0x12a69d00, lpOverlapped=0x12a69d0c | out: lpBuffer=0x12d34000*, lpNumberOfBytesWritten=0x12a69d00*=0x15cc0, lpOverlapped=0x12a69d0c) returned 1 [0238.142] GetFileType (hFile=0x44c) returned 0x1 [0238.142] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12a69ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.142] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0238.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0238.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0238.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0238.143] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.143] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12a69d0c | out: lpMode=0x12a69d0c) returned 0 [0238.144] WriteFile (in: hFile=0x450, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a69d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x12a69d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.144] CloseHandle (hObject=0x450) returned 1 [0238.144] CloseHandle (hObject=0x44c) returned 1 [0238.144] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0238.144] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\#_THIS_FILE_IS_ENCRYPTED_[D26051C526B4F176]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\#_this_file_is_encrypted_[d26051c526b4f176]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.145] SetEvent (hEvent=0x1b8) returned 1 [0238.145] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.180] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.405] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.406] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0238.406] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83a17039, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83a17039, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83aafb76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0238.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98420 | out: pbBuffer=0x12a98420) returned 1 [0238.408] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a298 | out: pbBuffer=0x12a9a298) returned 1 [0238.408] ReadFile (in: hFile=0x450, lpBuffer=0x129c8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x129c8000*, lpNumberOfBytesRead=0x12927d1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0238.416] GetFileType (hFile=0x450) returned 0x1 [0238.416] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.416] WriteFile (in: hFile=0x450, lpBuffer=0x12a08000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12a08000*, lpNumberOfBytesWritten=0x12927d00*=0x15ec0, lpOverlapped=0x12927d0c) returned 1 [0238.417] GetFileType (hFile=0x450) returned 0x1 [0238.417] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0238.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0238.418] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0238.418] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a350 | out: pbBuffer=0x12a9a350) returned 1 [0238.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0238.418] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0238.419] WriteFile (in: hFile=0x458, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.419] CloseHandle (hObject=0x458) returned 1 [0238.419] CloseHandle (hObject=0x450) returned 1 [0238.419] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a368 | out: pbBuffer=0x12a9a368) returned 1 [0238.419] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\#_THIS_FILE_IS_ENCRYPTED_[E7A81C69AE2407D4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\#_this_file_is_encrypted_[e7a81c69ae2407d4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.528] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.529] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.529] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83eb5896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83eb5896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83f4e3ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0238.529] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0238.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c355b0 | out: pbBuffer=0x12c355b0) returned 1 [0238.530] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0238.534] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0238.534] SetEvent (hEvent=0xfc) returned 1 [0238.535] ReadFile (in: hFile=0x450, lpBuffer=0x12a1e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a1e000*, lpNumberOfBytesRead=0x1282fd1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0238.540] GetFileType (hFile=0x450) returned 0x1 [0238.541] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.541] WriteFile (in: hFile=0x450, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x1282fd00*=0x15ec0, lpOverlapped=0x1282fd0c) returned 1 [0238.541] GetFileType (hFile=0x450) returned 0x1 [0238.541] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0238.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0238.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0238.543] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c35668 | out: pbBuffer=0x12c35668) returned 1 [0238.543] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.543] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.543] WriteFile (in: hFile=0x42c, lpBuffer=0x12a66000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a66000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0238.543] CloseHandle (hObject=0x42c) returned 1 [0238.544] CloseHandle (hObject=0x450) returned 1 [0238.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35680 | out: pbBuffer=0x12c35680) returned 1 [0238.544] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\#_THIS_FILE_IS_ENCRYPTED_[D007818B6AC170B8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\#_this_file_is_encrypted_[d007818b6ac170b8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.546] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0238.555] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.555] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0238.556] SetEvent (hEvent=0x19c) returned 1 [0238.556] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0238.583] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.584] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12affd0c | out: lpMode=0x12affd0c) returned 0 [0238.584] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12affad0 | out: lpFileInformation=0x12affad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x848b1595, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x848b1595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8494a1db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0)) returned 1 [0238.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0238.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0238.585] ReadFile (in: hFile=0x3e4, lpBuffer=0x12d68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12affd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d68000*, lpNumberOfBytesRead=0x12affd1c*=0x138c0, lpOverlapped=0x0) returned 1 [0238.631] GetFileType (hFile=0x3e4) returned 0x1 [0238.632] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12affce4 | out: lpNewFilePointer=0x0) returned 1 [0238.632] WriteFile (in: hFile=0x3e4, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x138c0, lpNumberOfBytesWritten=0x12affd00, lpOverlapped=0x12affd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12affd00*=0x138c0, lpOverlapped=0x12affd0c) returned 1 [0238.633] GetFileType (hFile=0x3e4) returned 0x1 [0238.633] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x138c0, lpNewFilePointer=0x0, dwMoveMethod=0x12affce4 | out: lpNewFilePointer=0x0) returned 1 [0238.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0238.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0238.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0238.633] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848590 | out: pbBuffer=0x12848590) returned 1 [0238.634] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0238.634] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12affd0c | out: lpMode=0x12affd0c) returned 0 [0238.634] WriteFile (in: hFile=0x458, lpBuffer=0x12a92000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12affd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a92000*, lpNumberOfBytesWritten=0x12affd0c*=0x276, lpOverlapped=0x0) returned 1 [0238.634] CloseHandle (hObject=0x458) returned 1 [0238.635] CloseHandle (hObject=0x3e4) returned 1 [0238.635] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485a8 | out: pbBuffer=0x128485a8) returned 1 [0238.635] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\#_THIS_FILE_IS_ENCRYPTED_[F393945AC1445166]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\#_this_file_is_encrypted_[f393945ac1445166]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.637] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.637] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12affd0c | out: lpMode=0x12affd0c) returned 0 [0238.637] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12affad0 | out: lpFileInformation=0x12affad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc3e4e43, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc3e4e43, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdd9805f5, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0238.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e540 | out: pbBuffer=0x1280e540) returned 1 [0238.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0238.638] ReadFile (in: hFile=0x3e4, lpBuffer=0x1296a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12affd1c, lpOverlapped=0x0 | out: lpBuffer=0x1296a000*, lpNumberOfBytesRead=0x12affd1c*=0x164c0, lpOverlapped=0x0) returned 1 [0238.729] SetEvent (hEvent=0xfc) returned 1 [0238.729] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.735] SetEvent (hEvent=0x19c) returned 1 [0238.736] SetEvent (hEvent=0x1b8) returned 1 [0238.736] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0238.781] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.781] SetEvent (hEvent=0x19c) returned 1 [0238.781] SetEvent (hEvent=0x1d0) returned 1 [0238.781] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0238.791] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.791] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0238.814] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.814] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0238.814] SetEvent (hEvent=0x1b8) returned 1 [0238.814] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0238.860] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0238.861] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.861] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0238.861] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0443839, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0443839, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe07b0e0d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0238.861] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0238.862] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0238.862] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12855d1c*=0x172c0, lpOverlapped=0x0) returned 1 [0238.932] GetFileType (hFile=0x3e4) returned 0x1 [0238.932] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.932] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x172c0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x12855d00*=0x172c0, lpOverlapped=0x12855d0c) returned 1 [0238.933] GetFileType (hFile=0x3e4) returned 0x1 [0238.933] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x172c0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.933] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0238.933] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0238.934] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0238.934] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0238.934] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.934] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0238.934] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.935] CloseHandle (hObject=0x450) returned 1 [0238.935] CloseHandle (hObject=0x3e4) returned 1 [0238.935] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0238.935] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\#_THIS_FILE_IS_ENCRYPTED_[3A23BEDDD4ECF4D3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\#_this_file_is_encrypted_[3a23beddd4ecf4d3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.936] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.937] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0238.937] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0b90d17, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0b90d17, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0d5aa8c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0238.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0238.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0238.938] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12857d1c*=0xf2c0, lpOverlapped=0x0) returned 1 [0238.954] GetFileType (hFile=0x3e4) returned 0x1 [0238.954] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.954] WriteFile (in: hFile=0x3e4, lpBuffer=0x12bca000*, nNumberOfBytesToWrite=0xf2c0, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12bca000*, lpNumberOfBytesWritten=0x12857d00*=0xf2c0, lpOverlapped=0x12857d0c) returned 1 [0238.955] GetFileType (hFile=0x3e4) returned 0x1 [0238.955] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0xf2c0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.955] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0238.955] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0238.955] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0238.955] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341d8 | out: pbBuffer=0x12c341d8) returned 1 [0238.956] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.956] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0238.956] WriteFile (in: hFile=0x42c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.956] CloseHandle (hObject=0x42c) returned 1 [0238.956] CloseHandle (hObject=0x3e4) returned 1 [0238.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341f0 | out: pbBuffer=0x12c341f0) returned 1 [0238.957] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\#_THIS_FILE_IS_ENCRYPTED_[31467D1CA6FBE3A6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\#_this_file_is_encrypted_[31467d1ca6fbe3a6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.958] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0239.008] SetEvent (hEvent=0xfc) returned 1 [0239.008] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0239.065] SetEvent (hEvent=0x19c) returned 1 [0239.066] SetEvent (hEvent=0x1b8) returned 1 [0239.066] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0239.083] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0239.128] GetFileType (hFile=0x3e4) returned 0x1 [0239.128] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.128] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12855d00*=0x15ac0, lpOverlapped=0x12855d0c) returned 1 [0239.129] GetFileType (hFile=0x3e4) returned 0x1 [0239.129] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0239.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0239.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0239.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0239.130] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0f0 | out: pbBuffer=0x12a9a0f0) returned 1 [0239.130] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0239.130] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0239.130] WriteFile (in: hFile=0x458, lpBuffer=0x12af4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0239.131] CloseHandle (hObject=0x458) returned 1 [0239.131] CloseHandle (hObject=0x3e4) returned 1 [0239.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a108 | out: pbBuffer=0x12a9a108) returned 1 [0239.131] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\#_THIS_FILE_IS_ENCRYPTED_[D91E592ADE229556]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\#_this_file_is_encrypted_[d91e592ade229556]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0239.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe84e29e6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe884ff12, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe884ff12, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0239.192] SetEvent (hEvent=0x110) returned 1 [0239.192] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0239.192] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe84e29e6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe84e29e6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe884ff12, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0239.193] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe84e29e6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe84e29e6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe884ff12, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0239.193] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe884ff12, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe884ff12, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe8c7c0a1, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x186c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0239.193] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0239.193] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0239.193] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0239.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0239.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0239.221] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0239.221] WriteFile (in: hFile=0x450, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0239.223] CloseHandle (hObject=0x450) returned 1 [0239.223] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe884ff12, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe884ff12, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe8c7c0a1, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x186c0)) returned 1 [0239.235] SetEvent (hEvent=0x110) returned 1 [0239.235] SetEvent (hEvent=0xfc) returned 1 [0239.235] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8d3ad1a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe905bcdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe905bcdb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0239.236] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0239.236] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8d3ad1a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe8d3ad1a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe905bcdb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0239.236] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8d3ad1a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe8d3ad1a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe905bcdb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0239.236] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe905bcdb, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe905bcdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xea041623, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0239.236] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0239.236] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0239.236] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0239.237] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0239.237] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0239.238] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0239.238] WriteFile (in: hFile=0x44c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0239.239] CloseHandle (hObject=0x44c) returned 1 [0239.239] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe905bcdb, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe905bcdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xea041623, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0239.240] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed466d7c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef0be497, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef0be497, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0239.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0239.240] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed466d7c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xed466d7c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef0be497, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0239.240] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed466d7c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xed466d7c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef0be497, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0239.240] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef0be497, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef0be497, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef8f0a82, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0239.240] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0239.240] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0239.241] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0239.241] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0239.241] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0239.243] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0239.243] WriteFile (in: hFile=0x44c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0239.245] CloseHandle (hObject=0x44c) returned 1 [0239.246] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef0be497, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef0be497, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef8f0a82, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0239.246] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeffa519c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0502516, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0502516, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0239.246] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0239.247] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeffa519c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xeffa519c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0502516, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0239.247] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeffa519c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xeffa519c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0502516, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0239.247] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0502516, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0502516, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0764d71, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0239.247] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0239.247] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0239.247] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0239.247] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0239.248] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0239.579] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0240.181] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0240.668] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0240.931] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0240.931] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0241.093] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0241.093] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0241.115] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0241.152] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0241.196] SetEvent (hEvent=0x110) returned 1 [0241.211] SetEvent (hEvent=0x1d0) returned 1 [0241.212] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0241.277] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0242.104] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0242.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0242.417] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0242.750] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0242.750] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0242.750] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0242.750] WriteFile (in: hFile=0x450, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0242.751] CloseHandle (hObject=0x450) returned 1 [0242.751] CloseHandle (hObject=0x44c) returned 1 [0242.751] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0242.874] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\#_THIS_FILE_IS_ENCRYPTED_[2E92BCB485BE9E22]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\#_this_file_is_encrypted_[2e92bcb485be9e22]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0242.876] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0242.903] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0243.053] SetEvent (hEvent=0xfc) returned 1 [0243.053] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0243.078] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.079] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0243.079] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf137687f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf137687f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf16257fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0)) returned 1 [0243.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88240 | out: pbBuffer=0x12b88240) returned 1 [0243.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34488 | out: pbBuffer=0x12c34488) returned 1 [0243.080] ReadFile (in: hFile=0x44c, lpBuffer=0x12d00000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d00000*, lpNumberOfBytesRead=0x12829d1c*=0x14cc0, lpOverlapped=0x0) returned 1 [0243.087] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0243.117] VirtualAlloc (lpAddress=0x12d8e000, dwSize=0x16000, flAllocationType=0x1000, flProtect=0x4) returned 0x12d8e000 [0243.121] GetFileType (hFile=0x44c) returned 0x1 [0243.121] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.122] WriteFile (in: hFile=0x44c, lpBuffer=0x12d8e000*, nNumberOfBytesToWrite=0x14cc0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d8e000*, lpNumberOfBytesWritten=0x12829d00*=0x14cc0, lpOverlapped=0x12829d0c) returned 1 [0243.123] GetFileType (hFile=0x44c) returned 0x1 [0243.123] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x14cc0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0243.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0243.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0243.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849db8 | out: pbBuffer=0x12849db8) returned 1 [0243.124] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0243.124] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0243.124] WriteFile (in: hFile=0x450, lpBuffer=0x12b1aa00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b1aa00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.124] CloseHandle (hObject=0x450) returned 1 [0243.124] CloseHandle (hObject=0x44c) returned 1 [0243.124] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849e10 | out: pbBuffer=0x12849e10) returned 1 [0243.125] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\#_THIS_FILE_IS_ENCRYPTED_[9FDFAEE8AC769BF6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\#_this_file_is_encrypted_[9fdfaee8ac769bf6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.126] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0243.449] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0243.572] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0243.837] SetEvent (hEvent=0x19c) returned 1 [0243.837] SetEvent (hEvent=0x1d0) returned 1 [0243.837] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0243.970] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0244.143] SetEvent (hEvent=0xf4) returned 1 [0244.143] SetEvent (hEvent=0x1d0) returned 1 [0244.144] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0244.164] SetEvent (hEvent=0x1b8) returned 1 [0244.164] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0245.516] SetEvent (hEvent=0x19c) returned 1 [0245.517] GetFileType (hFile=0x44c) returned 0x1 [0245.517] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a83ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.517] WriteFile (in: hFile=0x44c, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x168c0, lpNumberOfBytesWritten=0x12a83d00, lpOverlapped=0x12a83d0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x12a83d00*=0x168c0, lpOverlapped=0x12a83d0c) returned 1 [0245.518] GetFileType (hFile=0x44c) returned 0x1 [0245.518] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x168c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a83ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.518] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0245.518] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0245.518] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0245.519] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810e80 | out: pbBuffer=0x12810e80) returned 1 [0245.519] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.519] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0245.519] WriteFile (in: hFile=0x458, lpBuffer=0x12afa500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12afa500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.519] CloseHandle (hObject=0x458) returned 1 [0245.519] CloseHandle (hObject=0x44c) returned 1 [0245.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810e98 | out: pbBuffer=0x12810e98) returned 1 [0245.520] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\#_THIS_FILE_IS_ENCRYPTED_[CEF824C882017D8E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\#_this_file_is_encrypted_[cef824c882017d8e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.521] SetEvent (hEvent=0x1b8) returned 1 [0245.522] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0245.526] SetEvent (hEvent=0x19c) returned 1 [0245.526] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0245.549] SetEvent (hEvent=0x1b8) returned 1 [0245.549] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_ac-d08.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.550] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0245.550] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_ac-d08.log"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65f2e5a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x65f2e5a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f8974f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x20ae)) returned 1 [0245.550] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0245.550] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0245.551] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12855d1c*=0x20ae, lpOverlapped=0x0) returned 1 [0245.573] GetFileType (hFile=0x3e4) returned 0x1 [0245.573] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.573] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x20ae, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12855d00*=0x20ae, lpOverlapped=0x12855d0c) returned 1 [0245.574] GetFileType (hFile=0x3e4) returned 0x1 [0245.574] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x20ae, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.574] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0245.574] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0245.574] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0245.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0245.577] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_ac-d08.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0245.577] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0245.577] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.577] CloseHandle (hObject=0x450) returned 1 [0245.577] CloseHandle (hObject=0x3e4) returned 1 [0245.578] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0245.578] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_ac-d08.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[8425C3A0450C8D67]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[8425c3a0450c8d67]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.579] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132743_ca8-cac.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bb4b96d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4bb4b96d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x390a2)) returned 1 [0245.774] SetEvent (hEvent=0x3f8) returned 1 [0245.774] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_134548_958-b14.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd27489e1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd27489e1, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x8afcf13b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5c1cc)) returned 1 [0245.835] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0245.874] SetEvent (hEvent=0x40c) returned 1 [0245.875] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_125336_460-898.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0245.974] SetEvent (hEvent=0x1b8) returned 1 [0245.974] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_131858_ed0-ed4.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13219ec0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13219ec0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ae607dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0246.151] SetEvent (hEvent=0x1d0) returned 1 [0246.151] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132412_e10-e14.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce65674c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xce65674c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xed3dd471, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0246.734] SetEvent (hEvent=0x3f8) returned 1 [0246.734] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132742_c8c-c90.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b7b80c2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4b7b80c2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f5db470, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0247.178] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0247.314] SetEvent (hEvent=0x40c) returned 1 [0247.314] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_134547_2bc-868.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2499e2e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2499e2e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x8b2a3f4c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xfa9c)) returned 1 [0248.351] SwitchToThread () returned 1 [0248.444] SetEvent (hEvent=0x19c) returned 1 [0248.757] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_134547_2bc-868.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0248.769] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0248.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_134547_2bc-868.log"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2499e2e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2499e2e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x8b2a3f4c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xfa9c)) returned 1 [0248.789] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928100 | out: pbBuffer=0x12928100) returned 1 [0248.789] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a440 | out: pbBuffer=0x12a9a440) returned 1 [0248.790] ReadFile (in: hFile=0x44c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12857d1c*=0xfa9c, lpOverlapped=0x0) returned 1 [0248.965] GetFileType (hFile=0x44c) returned 0x1 [0248.965] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0248.965] WriteFile (in: hFile=0x44c, lpBuffer=0x12d84000*, nNumberOfBytesToWrite=0xfa9c, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12d84000*, lpNumberOfBytesWritten=0x12857d00*=0xfa9c, lpOverlapped=0x12857d0c) returned 1 [0248.965] GetFileType (hFile=0x44c) returned 0x1 [0248.965] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xfa9c, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0249.043] SetEvent (hEvent=0x1d0) returned 1 [0249.043] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0252.565] SetEvent (hEvent=0x3f8) returned 1 [0252.565] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0252.692] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0252.910] SetEvent (hEvent=0xf4) returned 1 [0252.910] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0252.919] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x90bada42, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90bada42, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90bada42, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0252.920] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x90bada42, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90bada42, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90bada42, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.920] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.920] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.920] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0252.921] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.921] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.921] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0252.921] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.921] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.922] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.923] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.923] WriteFile (in: hFile=0x3e4, lpBuffer=0x12924c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12924c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.925] CloseHandle (hObject=0x3e4) returned 1 [0252.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.925] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0252.926] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.926] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.926] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0252.926] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.926] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.926] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.940] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.974] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a92000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a92000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.976] CloseHandle (hObject=0x3e4) returned 1 [0252.977] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.977] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0252.978] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x341a87b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x341a87b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344a3528, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f462ea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f462ea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_N")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f6c454, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0252.996] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0252.996] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0253.013] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.015] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.015] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.016] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0253.016] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a93300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a93300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0253.017] CloseHandle (hObject=0x3e4) returned 1 [0253.018] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x341a87b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x344a3528, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344a3528, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.043] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x341a87b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x341a87b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344a3528, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0253.052] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x341a87b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x341a87b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344a3528, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.052] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0253.053] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0253.053] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0253.053] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0253.053] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.053] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0253.054] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.055] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.056] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.057] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.057] WriteFile (in: hFile=0x42c, lpBuffer=0x12a94600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a94600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.059] CloseHandle (hObject=0x42c) returned 1 [0253.059] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.062] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.062] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.062] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.062] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.062] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.063] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.063] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.064] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.064] WriteFile (in: hFile=0x42c, lpBuffer=0x12a95900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a95900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.066] CloseHandle (hObject=0x42c) returned 1 [0253.067] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.067] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.067] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.068] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.068] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.068] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.069] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.070] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.070] WriteFile (in: hFile=0x42c, lpBuffer=0x12a96c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a96c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.072] CloseHandle (hObject=0x42c) returned 1 [0253.072] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.073] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.073] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0253.073] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.073] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.073] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0253.073] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.074] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.074] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.075] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.075] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.077] CloseHandle (hObject=0x42c) returned 1 [0253.077] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.078] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.078] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0253.078] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.078] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.078] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0253.081] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.081] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.081] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.082] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.082] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.084] CloseHandle (hObject=0x42c) returned 1 [0253.084] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.085] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.085] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.085] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.085] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.085] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.086] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.087] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.087] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.091] CloseHandle (hObject=0x42c) returned 1 [0253.102] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f462ea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f462ea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.104] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.104] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f462ea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f462ea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0253.104] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f462ea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f462ea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.104] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.104] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0253.105] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.105] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.105] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.106] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.106] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.109] CloseHandle (hObject=0x42c) returned 1 [0253.109] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.109] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.109] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.110] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.110] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.110] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.110] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.110] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.112] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.112] WriteFile (in: hFile=0x42c, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.113] CloseHandle (hObject=0x42c) returned 1 [0253.114] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.114] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.114] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.115] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.115] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3636a2ee, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3636a2ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0253.115] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.115] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.115] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.115] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.115] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.117] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.117] WriteFile (in: hFile=0x42c, lpBuffer=0x12921300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12921300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.118] CloseHandle (hObject=0x42c) returned 1 [0253.119] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3636a2ee, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3636a2ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.123] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3636a2ee, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3636a2ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.128] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3636a2ee, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3636a2ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.128] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37a393d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x37a393d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0253.128] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0253.128] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0253.129] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.129] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.130] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.131] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.132] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.133] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0253.133] WriteFile (in: hFile=0x42c, lpBuffer=0x12922600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12922600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0253.135] CloseHandle (hObject=0x42c) returned 1 [0253.135] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37a393d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x37a393d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0253.135] SetEvent (hEvent=0xf4) returned 1 [0253.135] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0253.136] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.136] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.136] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.136] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0253.137] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.137] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.137] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0253.137] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.137] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.137] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.138] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.138] WriteFile (in: hFile=0x42c, lpBuffer=0x12923900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12923900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.140] CloseHandle (hObject=0x42c) returned 1 [0253.140] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.141] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0253.141] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0253.141] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0253.141] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0253.141] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0253.141] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0253.141] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0253.141] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0253.141] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0253.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.143] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0253.143] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0253.144] CloseHandle (hObject=0x42c) returned 1 [0253.145] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.145] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0253.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.153] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0253.153] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.153] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929240 | out: pbBuffer=0x12929240) returned 1 [0253.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9af40 | out: pbBuffer=0x12a9af40) returned 1 [0253.154] ReadFile (in: hFile=0x42c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0253.154] CloseHandle (hObject=0x42c) returned 1 [0253.154] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.155] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0253.155] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0253.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929260 | out: pbBuffer=0x12929260) returned 1 [0253.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9af50 | out: pbBuffer=0x12a9af50) returned 1 [0253.155] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12855d1c*=0x2000, lpOverlapped=0x0) returned 1 [0253.158] GetFileType (hFile=0x42c) returned 0x1 [0253.158] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.158] WriteFile (in: hFile=0x42c, lpBuffer=0x1285a000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x1285a000*, lpNumberOfBytesWritten=0x12855d00*=0x2000, lpOverlapped=0x12855d0c) returned 1 [0253.158] GetFileType (hFile=0x42c) returned 0x1 [0253.159] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab01 | out: pbBuffer=0x1286ab01) returned 1 [0253.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0253.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0253.159] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b008 | out: pbBuffer=0x12a9b008) returned 1 [0253.160] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.160] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0253.160] WriteFile (in: hFile=0x3e4, lpBuffer=0x12aee000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.160] CloseHandle (hObject=0x3e4) returned 1 [0253.160] CloseHandle (hObject=0x42c) returned 1 [0253.161] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b020 | out: pbBuffer=0x12a9b020) returned 1 [0253.161] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[97444779B580369A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[97444779b580369a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.234] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0253.303] SetEvent (hEvent=0x1d0) returned 1 [0253.303] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0253.304] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0253.304] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3102f837, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3102f837, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0253.305] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845280 | out: pbBuffer=0x12845280) returned 1 [0253.305] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8a30 | out: pbBuffer=0x128e8a30) returned 1 [0253.305] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0253.308] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0253.308] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0253.308] SetEvent (hEvent=0x110) returned 1 [0253.308] SetEvent (hEvent=0x1d0) returned 1 [0253.309] ReadFile (in: hFile=0x42c, lpBuffer=0x12c7c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c7c000*, lpNumberOfBytesRead=0x12851d1c*=0x8000, lpOverlapped=0x0) returned 1 [0253.314] GetFileType (hFile=0x42c) returned 0x1 [0253.314] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.314] WriteFile (in: hFile=0x42c, lpBuffer=0x12ca4000*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12ca4000*, lpNumberOfBytesWritten=0x12851d00*=0x8000, lpOverlapped=0x12851d0c) returned 1 [0253.314] GetFileType (hFile=0x42c) returned 0x1 [0253.314] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x8000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0253.315] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0253.315] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0253.315] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0253.315] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8af8 | out: pbBuffer=0x128e8af8) returned 1 [0253.315] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0253.316] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0253.316] WriteFile (in: hFile=0x458, lpBuffer=0x12ad8500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ad8500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0253.316] CloseHandle (hObject=0x458) returned 1 [0253.316] CloseHandle (hObject=0x42c) returned 1 [0253.316] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8b10 | out: pbBuffer=0x128e8b10) returned 1 [0253.317] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[31BA01853AE4CB84]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[31ba01853ae4cb84]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0253.319] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0253.360] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0253.365] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0253.365] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0253.365] SetEvent (hEvent=0x1d0) returned 1 [0253.365] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0253.375] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0253.376] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0253.376] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12d61d0c | out: lpMode=0x12d61d0c) returned 0 [0253.376] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12d61ad0 | out: lpFileInformation=0x12d61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0253.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0253.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0253.377] ReadFile (in: hFile=0x3e4, lpBuffer=0x12d8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d61d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d8a000*, lpNumberOfBytesRead=0x12d61d1c*=0x0, lpOverlapped=0x0) returned 1 [0253.377] CloseHandle (hObject=0x3e4) returned 1 [0253.377] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0253.884] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0254.158] SetEvent (hEvent=0xf4) returned 1 [0254.158] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0254.164] SetEvent (hEvent=0x19c) returned 1 [0254.164] SetEvent (hEvent=0x3f8) returned 1 [0254.164] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0254.247] SetEvent (hEvent=0x1d0) returned 1 [0254.247] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0255.768] SetEvent (hEvent=0xf4) returned 1 [0255.768] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0255.869] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0256.128] SetEvent (hEvent=0x40c) returned 1 [0256.128] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.129] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0256.129] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128afad0 | out: lpFileInformation=0x128afad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28fa698, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0256.129] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0256.130] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128afd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x128afd1c*=0x0, lpOverlapped=0x0) returned 1 [0256.130] CloseHandle (hObject=0x3e4) returned 1 [0256.130] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.131] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0256.131] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26e4617, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2d005a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2d005a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0256.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e280 | out: pbBuffer=0x1280e280) returned 1 [0256.132] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848038 | out: pbBuffer=0x12848038) returned 1 [0256.132] ReadFile (in: hFile=0x3e4, lpBuffer=0x12cf8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cf8000*, lpNumberOfBytesRead=0x12851d1c*=0x4000, lpOverlapped=0x0) returned 1 [0256.154] GetFileType (hFile=0x3e4) returned 0x1 [0256.154] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0256.154] WriteFile (in: hFile=0x3e4, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x12851d00*=0x4000, lpOverlapped=0x12851d0c) returned 1 [0256.154] GetFileType (hFile=0x3e4) returned 0x1 [0256.154] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0256.154] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0256.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0256.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0256.155] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483c0 | out: pbBuffer=0x128483c0) returned 1 [0256.155] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.156] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0256.156] WriteFile (in: hFile=0x458, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0256.156] CloseHandle (hObject=0x458) returned 1 [0256.156] CloseHandle (hObject=0x3e4) returned 1 [0256.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483d8 | out: pbBuffer=0x128483d8) returned 1 [0256.157] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[57FF58E623483B02]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[57ff58e623483b02]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0256.314] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0256.502] SetEvent (hEvent=0x40c) returned 1 [0256.502] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.503] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0256.503] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0256.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b89660 | out: pbBuffer=0x12b89660) returned 1 [0256.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811188 | out: pbBuffer=0x12811188) returned 1 [0256.504] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0256.507] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0256.507] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0256.508] SetEvent (hEvent=0x110) returned 1 [0256.508] SetEvent (hEvent=0x40c) returned 1 [0256.508] SetEvent (hEvent=0x3f4) returned 1 [0256.508] ReadFile (in: hFile=0x3e4, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x1282bd1c*=0x3000, lpOverlapped=0x0) returned 1 [0256.514] GetFileType (hFile=0x3e4) returned 0x1 [0256.514] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0256.514] WriteFile (in: hFile=0x3e4, lpBuffer=0x12bd2000*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12bd2000*, lpNumberOfBytesWritten=0x1282bd00*=0x3000, lpOverlapped=0x1282bd0c) returned 1 [0256.515] GetFileType (hFile=0x3e4) returned 0x1 [0256.515] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0256.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835181 | out: pbBuffer=0x12835181) returned 1 [0256.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835281 | out: pbBuffer=0x12835281) returned 1 [0256.516] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835381 | out: pbBuffer=0x12835381) returned 1 [0256.516] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811240 | out: pbBuffer=0x12811240) returned 1 [0256.516] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0256.519] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0256.519] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0256.520] CloseHandle (hObject=0x44c) returned 1 [0256.520] CloseHandle (hObject=0x3e4) returned 1 [0256.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34410 | out: pbBuffer=0x12c34410) returned 1 [0256.520] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[BA66A3827612ACE5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[ba66a3827612ace5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0256.522] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.523] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0256.523] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91cf695a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91cf695a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91cf695a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0256.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928480 | out: pbBuffer=0x12928480) returned 1 [0256.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34458 | out: pbBuffer=0x12c34458) returned 1 [0256.523] ReadFile (in: hFile=0x3e4, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x1282bd1c*=0x2000, lpOverlapped=0x0) returned 1 [0256.531] GetFileType (hFile=0x3e4) returned 0x1 [0256.531] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0256.531] WriteFile (in: hFile=0x3e4, lpBuffer=0x1288c000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x1288c000*, lpNumberOfBytesWritten=0x1282bd00*=0x2000, lpOverlapped=0x1282bd0c) returned 1 [0256.532] GetFileType (hFile=0x3e4) returned 0x1 [0256.532] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0256.532] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0256.532] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0256.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0256.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0256.533] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0256.533] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0256.533] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0256.533] CloseHandle (hObject=0x44c) returned 1 [0256.534] CloseHandle (hObject=0x3e4) returned 1 [0256.534] SwitchToThread () returned 1 [0256.656] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810118 | out: pbBuffer=0x12810118) returned 1 [0256.656] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[9CF026FC3B81631B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[9cf026fc3b81631b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0256.657] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0257.227] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0257.280] SwitchToThread () returned 1 [0257.346] SetEvent (hEvent=0x40c) returned 1 [0257.346] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0257.349] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0257.349] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1d8b269b, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88200 | out: pbBuffer=0x12b88200) returned 1 [0257.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0257.350] ReadFile (in: hFile=0x3e4, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0257.350] CloseHandle (hObject=0x3e4) returned 1 [0257.350] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0258.040] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\PrivateTransportId.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\privatetransportid.setting"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0258.041] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0258.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\PrivateTransportId.setting" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\privatetransportid.setting"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b327c48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2bde25fe, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4)) returned 1 [0258.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0258.042] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810170 | out: pbBuffer=0x12810170) returned 1 [0258.043] ReadFile (in: hFile=0x3e4, lpBuffer=0x12a16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a16000*, lpNumberOfBytesRead=0x1282fd1c*=0x4, lpOverlapped=0x0) returned 1 [0258.044] GetFileType (hFile=0x3e4) returned 0x1 [0258.044] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0258.044] WriteFile (in: hFile=0x3e4, lpBuffer=0x12810178*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12810178*, lpNumberOfBytesWritten=0x1282fd00*=0x4, lpOverlapped=0x1282fd0c) returned 1 [0258.045] GetFileType (hFile=0x3e4) returned 0x1 [0258.045] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x4, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0258.099] SetEvent (hEvent=0x3f4) returned 1 [0258.099] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0258.152] SetEvent (hEvent=0xf4) returned 1 [0258.168] SetEvent (hEvent=0x19c) returned 1 [0258.168] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0258.231] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0258.231] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0258.275] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0258.276] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0258.319] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0258.321] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0258.322] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0258.322] SetEvent (hEvent=0x110) returned 1 [0258.336] SetEvent (hEvent=0x3f4) returned 1 [0258.336] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0258.382] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0258.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0258.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0258.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0258.564] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810060 | out: pbBuffer=0x12810060) returned 1 [0258.565] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\15_10.0.0[1].json"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0258.565] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0258.565] WriteFile (in: hFile=0x460, lpBuffer=0x12b0a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b0a000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0258.565] CloseHandle (hObject=0x460) returned 1 [0258.566] CloseHandle (hObject=0x458) returned 1 [0258.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810078 | out: pbBuffer=0x12810078) returned 1 [0258.593] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\15_10.0.0[1].json"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\#_THIS_FILE_IS_ENCRYPTED_[F20DF4262145387F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\#_this_file_is_encrypted_[f20df4262145387f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0258.631] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0258.720] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.720] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0258.720] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0258.743] SetEvent (hEvent=0x3f4) returned 1 [0258.743] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0258.747] SetEvent (hEvent=0x3f4) returned 1 [0258.747] SetEvent (hEvent=0x40c) returned 1 [0258.747] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x4da5bc3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4da5bc3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0258.749] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.749] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x4da5bc3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4da5bc3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0258.749] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x4da5bc3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4da5bc3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.749] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4da5bc3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="#!001", cAlternateFileName="")) returned 1 [0258.749] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0258.749] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0258.749] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0258.750] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0258.750] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0258.750] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x934dcb8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0258.750] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.750] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0258.750] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.750] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.750] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.751] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0258.751] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0258.753] CloseHandle (hObject=0x42c) returned 1 [0258.753] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4da5bc3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.754] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.754] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4da5bc3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0258.757] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4da5bc3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.757] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0258.757] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0258.757] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0258.757] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0258.757] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0258.757] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0258.757] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.757] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0258.759] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.760] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.760] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.761] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0258.762] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0258.763] CloseHandle (hObject=0x42c) returned 1 [0258.763] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.768] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.768] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0258.768] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.768] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.769] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0258.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.769] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.769] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.770] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0258.771] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0258.772] CloseHandle (hObject=0x42c) returned 1 [0258.773] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.773] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.773] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0258.773] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.773] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.773] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0258.774] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.774] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.774] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.775] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0258.775] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0258.777] CloseHandle (hObject=0x42c) returned 1 [0258.777] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.777] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.777] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0258.778] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.778] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.778] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0258.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.778] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.778] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.779] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0258.780] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0258.781] CloseHandle (hObject=0x42c) returned 1 [0258.781] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.782] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.782] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0258.782] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.782] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.782] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0258.782] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.783] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.783] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0258.868] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0258.900] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0258.907] CloseHandle (hObject=0x42c) returned 1 [0258.930] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\temp"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.931] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.931] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0258.931] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.932] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.932] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0259.002] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.002] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.003] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.004] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.005] CloseHandle (hObject=0x42c) returned 1 [0259.005] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.006] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.006] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.006] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.006] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.006] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.006] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.006] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.007] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.008] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.008] WriteFile (in: hFile=0x42c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.009] CloseHandle (hObject=0x42c) returned 1 [0259.009] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.013] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.014] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.014] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.014] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.014] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.014] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.016] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.016] WriteFile (in: hFile=0x42c, lpBuffer=0x12937300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12937300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.017] CloseHandle (hObject=0x42c) returned 1 [0259.017] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.018] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.018] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.018] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.019] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.019] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.044] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.044] WriteFile (in: hFile=0x42c, lpBuffer=0x12938600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12938600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.046] CloseHandle (hObject=0x42c) returned 1 [0259.046] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.046] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.046] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0259.047] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.047] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.047] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0259.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.047] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.047] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.049] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.049] WriteFile (in: hFile=0x42c, lpBuffer=0x12939900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12939900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.050] CloseHandle (hObject=0x42c) returned 1 [0259.050] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoft"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.051] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoft"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.051] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0259.051] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.051] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0259.051] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.051] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0259.051] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoft\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.052] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.052] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.053] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.053] WriteFile (in: hFile=0x42c, lpBuffer=0x1293ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1293ac00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.054] CloseHandle (hObject=0x42c) returned 1 [0259.054] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\Windows" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoft\\windows"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.054] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\Windows" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoft\\windows"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.055] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\Windows\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0259.055] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.055] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.055] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0259.055] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0259.055] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.055] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cache", cAlternateFileName="")) returned 1 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IECompatCache", cAlternateFileName="IECOMP~1")) returned 1 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IECompatUaCache", cAlternateFileName="IECOMP~2")) returned 1 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x473d6c9, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PlayReady", cAlternateFileName="PLAYRE~1")) returned 1 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x46a4cef, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x46a4cef, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x46a4cef, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UrlBlock", cAlternateFileName="")) returned 1 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User", cAlternateFileName="")) returned 1 [0259.057] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.057] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.058] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.059] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.061] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.061] WriteFile (in: hFile=0x42c, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.063] CloseHandle (hObject=0x42c) returned 1 [0259.063] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.063] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.063] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0259.064] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.064] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0259.064] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.064] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0259.064] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.064] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.064] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.065] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.066] WriteFile (in: hFile=0x42c, lpBuffer=0x12c45300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12c45300*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.067] CloseHandle (hObject=0x42c) returned 1 [0259.067] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.093] SetEvent (hEvent=0x40c) returned 1 [0259.093] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cookies"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.094] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.094] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0259.094] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.094] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.094] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0259.095] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.095] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.095] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.097] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.097] WriteFile (in: hFile=0x42c, lpBuffer=0x12c46600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12c46600*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.098] CloseHandle (hObject=0x42c) returned 1 [0259.099] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\history"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.099] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\history"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.099] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666840 [0259.099] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.099] FindNextFileW (in: hFindFile=0x33666840, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.099] FindClose (in: hFindFile=0x33666840 | out: hFindFile=0x33666840) returned 1 [0259.099] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\history\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.100] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\history\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.101] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\history\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.102] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.102] WriteFile (in: hFile=0x42c, lpBuffer=0x12c47900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12c47900*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.103] CloseHandle (hObject=0x42c) returned 1 [0259.103] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.103] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.104] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.104] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.104] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0259.104] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.104] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.104] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.104] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.104] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.105] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.105] WriteFile (in: hFile=0x42c, lpBuffer=0x12c48c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x12c48c00*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.107] CloseHandle (hObject=0x42c) returned 1 [0259.107] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.107] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.127] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.127] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0259.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.127] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.127] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.130] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.130] WriteFile (in: hFile=0x42c, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.132] CloseHandle (hObject=0x42c) returned 1 [0259.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\playready"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x473d6c9, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.141] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\playready"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.141] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x473d6c9, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.142] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x473d6c9, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.142] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.142] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.142] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\playready\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\playready\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\playready\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.144] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.144] WriteFile (in: hFile=0x42c, lpBuffer=0x128ad300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x128ad300*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.145] CloseHandle (hObject=0x42c) returned 1 [0259.145] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\urlblock"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x46a4cef, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x46a4cef, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x46a4cef, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\urlblock"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.146] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x46a4cef, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x46a4cef, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x46a4cef, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.146] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x46a4cef, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x46a4cef, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x46a4cef, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.146] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.146] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.146] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\urlblock\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.146] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\urlblock\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.146] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\urlblock\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.147] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.147] WriteFile (in: hFile=0x42c, lpBuffer=0x128ae600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x128ae600*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.153] CloseHandle (hObject=0x42c) returned 1 [0259.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.154] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.154] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\*", lpFindFileData=0x1285783c | out: lpFindFileData=0x1285783c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0259.155] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.155] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4cc0d69, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4cc0d69, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0259.155] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x12857880 | out: lpFindFileData=0x12857880*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.155] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0259.155] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857504 | out: lpFileInformation=0x12857504*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.155] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.155] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.156] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857714 | out: lpMode=0x12857714) returned 0 [0259.156] WriteFile (in: hFile=0x42c, lpBuffer=0x128af900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857714, lpOverlapped=0x0 | out: lpBuffer=0x128af900*, lpNumberOfBytesWritten=0x12857714*=0x118a, lpOverlapped=0x0) returned 1 [0259.158] CloseHandle (hObject=0x42c) returned 1 [0259.158] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default"), fInfoLevelId=0x0, lpFileInformation=0x12857900 | out: lpFileInformation=0x12857900*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4cc0d69, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4cc0d69, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.161] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.161] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\*", lpFindFileData=0x128577d8 | out: lpFindFileData=0x128577d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4cc0d69, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4cc0d69, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.164] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4cc0d69, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4cc0d69, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.164] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DataStore", cAlternateFileName="DATAST~1")) returned 1 [0259.164] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4c9ab4f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4c9ab4f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4c9ab4f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DownloadHistory", cAlternateFileName="DOWNLO~1")) returned 1 [0259.164] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x471725d, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x471725d, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x471725d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0259.165] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x47fc06f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x47fc06f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0259.165] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285781c | out: lpFindFileData=0x1285781c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.165] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.166] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128574a0 | out: lpFileInformation=0x128574a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.167] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.167] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.169] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128576b0 | out: lpMode=0x128576b0) returned 0 [0259.169] WriteFile (in: hFile=0x42c, lpBuffer=0x128b0c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128576b0, lpOverlapped=0x0 | out: lpBuffer=0x128b0c00*, lpNumberOfBytesWritten=0x128576b0*=0x118a, lpOverlapped=0x0) returned 1 [0259.171] CloseHandle (hObject=0x42c) returned 1 [0259.171] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.172] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.172] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.172] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.172] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1 [0259.172] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed", cAlternateFileName="")) returned 1 [0259.172] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.172] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.172] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.173] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.173] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.174] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0259.174] WriteFile (in: hFile=0x42c, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0259.176] CloseHandle (hObject=0x42c) returned 1 [0259.176] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.177] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.177] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\*", lpFindFileData=0x12857710 | out: lpFindFileData=0x12857710*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0259.177] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.177] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nouser1", cAlternateFileName="")) returned 1 [0259.177] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.177] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0259.178] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128573d8 | out: lpFileInformation=0x128573d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.178] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.178] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.179] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128575e8 | out: lpMode=0x128575e8) returned 0 [0259.179] WriteFile (in: hFile=0x42c, lpBuffer=0x12c37300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128575e8, lpOverlapped=0x0 | out: lpBuffer=0x12c37300*, lpNumberOfBytesWritten=0x128575e8*=0x118a, lpOverlapped=0x0) returned 1 [0259.181] CloseHandle (hObject=0x42c) returned 1 [0259.181] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1"), fInfoLevelId=0x0, lpFileInformation=0x128577d4 | out: lpFileInformation=0x128577d4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.181] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.181] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\*", lpFindFileData=0x128576ac | out: lpFindFileData=0x128576ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.182] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128576f0 | out: lpFindFileData=0x128576f0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.182] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128576f0 | out: lpFindFileData=0x128576f0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="120712-0049", cAlternateFileName="120712~1")) returned 1 [0259.182] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128576f0 | out: lpFindFileData=0x128576f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.182] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.182] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857374 | out: lpFileInformation=0x12857374*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.182] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.182] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.183] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857584 | out: lpMode=0x12857584) returned 0 [0259.183] WriteFile (in: hFile=0x42c, lpBuffer=0x12c38600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857584, lpOverlapped=0x0 | out: lpBuffer=0x12c38600*, lpNumberOfBytesWritten=0x12857584*=0x118a, lpOverlapped=0x0) returned 1 [0259.187] CloseHandle (hObject=0x42c) returned 1 [0259.187] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049"), fInfoLevelId=0x0, lpFileInformation=0x12857770 | out: lpFileInformation=0x12857770*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.188] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.188] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\*", lpFindFileData=0x12857648 | out: lpFindFileData=0x12857648*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.188] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285768c | out: lpFindFileData=0x1285768c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.188] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285768c | out: lpFindFileData=0x1285768c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DBStore", cAlternateFileName="")) returned 1 [0259.188] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285768c | out: lpFindFileData=0x1285768c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.188] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.188] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857310 | out: lpFileInformation=0x12857310*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.190] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857520 | out: lpMode=0x12857520) returned 0 [0259.190] WriteFile (in: hFile=0x42c, lpBuffer=0x12c39900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857520, lpOverlapped=0x0 | out: lpBuffer=0x12c39900*, lpNumberOfBytesWritten=0x12857520*=0x118a, lpOverlapped=0x0) returned 1 [0259.191] CloseHandle (hObject=0x42c) returned 1 [0259.192] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore"), fInfoLevelId=0x0, lpFileInformation=0x1285770c | out: lpFileInformation=0x1285770c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.196] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.196] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\*", lpFindFileData=0x128575e4 | out: lpFindFileData=0x128575e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0259.196] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857628 | out: lpFindFileData=0x12857628*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.196] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857628 | out: lpFindFileData=0x12857628*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0259.196] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857628 | out: lpFindFileData=0x12857628*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LogFiles", cAlternateFileName="")) returned 1 [0259.196] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857628 | out: lpFindFileData=0x12857628*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x48e101d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="spartan.edb", cAlternateFileName="")) returned 1 [0259.196] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857628 | out: lpFindFileData=0x12857628*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.196] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0259.197] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128572ac | out: lpFileInformation=0x128572ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.197] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.197] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.199] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128574bc | out: lpMode=0x128574bc) returned 0 [0259.200] WriteFile (in: hFile=0x42c, lpBuffer=0x12c3ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128574bc, lpOverlapped=0x0 | out: lpBuffer=0x12c3ac00*, lpNumberOfBytesWritten=0x128574bc*=0x118a, lpOverlapped=0x0) returned 1 [0259.201] CloseHandle (hObject=0x42c) returned 1 [0259.201] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles"), fInfoLevelId=0x0, lpFileInformation=0x128576a8 | out: lpFileInformation=0x128576a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.202] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.202] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\*", lpFindFileData=0x12857580 | out: lpFindFileData=0x12857580*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0259.202] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128575c4 | out: lpFindFileData=0x128575c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.202] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128575c4 | out: lpFindFileData=0x128575c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.log", cAlternateFileName="")) returned 1 [0259.202] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128575c4 | out: lpFindFileData=0x128575c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0259.202] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128575c4 | out: lpFindFileData=0x128575c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0259.202] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128575c4 | out: lpFindFileData=0x128575c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0259.202] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128575c4 | out: lpFindFileData=0x128575c4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.203] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0259.203] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857248 | out: lpFileInformation=0x12857248*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.203] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.203] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.213] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857458 | out: lpMode=0x12857458) returned 0 [0259.213] WriteFile (in: hFile=0x42c, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857458, lpOverlapped=0x0 | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x12857458*=0x118a, lpOverlapped=0x0) returned 1 [0259.214] CloseHandle (hObject=0x42c) returned 1 [0259.214] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edb.log"), fInfoLevelId=0x0, lpFileInformation=0x12857644 | out: lpFileInformation=0x12857644*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0259.217] SetEvent (hEvent=0x40c) returned 1 [0259.217] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00001.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00001.jrs"), fInfoLevelId=0x0, lpFileInformation=0x12857644 | out: lpFileInformation=0x12857644*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0259.218] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbres00002.jrs"), fInfoLevelId=0x0, lpFileInformation=0x12857644 | out: lpFileInformation=0x12857644*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0259.218] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbtmp.log"), fInfoLevelId=0x0, lpFileInformation=0x12857644 | out: lpFileInformation=0x12857644*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0259.218] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\edb.chk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\edb.chk"), fInfoLevelId=0x0, lpFileInformation=0x128576a8 | out: lpFileInformation=0x128576a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0259.219] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbtmp.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.220] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0259.220] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbtmp.log"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0259.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88240 | out: pbBuffer=0x12b88240) returned 1 [0259.220] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a9c0 | out: pbBuffer=0x12a9a9c0) returned 1 [0259.221] ReadFile (in: hFile=0x42c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0259.269] GetFileType (hFile=0x42c) returned 0x1 [0259.269] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.269] WriteFile (in: hFile=0x42c, lpBuffer=0x12caa000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12caa000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0259.270] GetFileType (hFile=0x42c) returned 0x1 [0259.270] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0259.342] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0259.342] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0259.342] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9aa78 | out: pbBuffer=0x12a9aa78) returned 1 [0259.343] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbtmp.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.343] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0259.343] WriteFile (in: hFile=0x458, lpBuffer=0x12dac000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dac000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0259.344] CloseHandle (hObject=0x458) returned 1 [0259.345] CloseHandle (hObject=0x42c) returned 1 [0259.345] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aa90 | out: pbBuffer=0x12a9aa90) returned 1 [0259.345] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbtmp.log"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\#_THIS_FILE_IS_ENCRYPTED_[EAF6E74EE510A07D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\#_this_file_is_encrypted_[eaf6e74ee510a07d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.347] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\spartan.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\spartan.edb"), fInfoLevelId=0x0, lpFileInformation=0x128576a8 | out: lpFileInformation=0x128576a8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x48e101d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0259.347] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.347] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.347] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\*", lpFindFileData=0x12857710 | out: lpFindFileData=0x12857710*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0259.348] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.348] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1 [0259.348] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.348] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0259.348] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128573d8 | out: lpFileInformation=0x128573d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.348] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.349] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.350] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128575e8 | out: lpMode=0x128575e8) returned 0 [0259.350] WriteFile (in: hFile=0x42c, lpBuffer=0x12921300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128575e8, lpOverlapped=0x0 | out: lpBuffer=0x12921300*, lpNumberOfBytesWritten=0x128575e8*=0x118a, lpOverlapped=0x0) returned 1 [0259.351] CloseHandle (hObject=0x42c) returned 1 [0259.351] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data"), fInfoLevelId=0x0, lpFileInformation=0x128577d4 | out: lpFileInformation=0x128577d4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.352] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.352] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\*", lpFindFileData=0x128576ac | out: lpFindFileData=0x128576ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0259.352] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128576f0 | out: lpFindFileData=0x128576f0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.352] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128576f0 | out: lpFindFileData=0x128576f0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nouser1", cAlternateFileName="")) returned 1 [0259.352] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128576f0 | out: lpFindFileData=0x128576f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.352] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0259.353] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857374 | out: lpFileInformation=0x12857374*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.354] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857584 | out: lpMode=0x12857584) returned 0 [0259.354] WriteFile (in: hFile=0x42c, lpBuffer=0x12922600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857584, lpOverlapped=0x0 | out: lpBuffer=0x12922600*, lpNumberOfBytesWritten=0x12857584*=0x118a, lpOverlapped=0x0) returned 1 [0259.355] CloseHandle (hObject=0x42c) returned 1 [0259.355] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1"), fInfoLevelId=0x0, lpFileInformation=0x12857770 | out: lpFileInformation=0x12857770*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.397] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0259.413] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0259.471] SetEvent (hEvent=0x40c) returned 1 [0259.471] SetEvent (hEvent=0x3f8) returned 1 [0259.471] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.471] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\*", lpFindFileData=0x12857648 | out: lpFindFileData=0x12857648*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.471] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285768c | out: lpFindFileData=0x1285768c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.471] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285768c | out: lpFindFileData=0x1285768c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="120712-0049", cAlternateFileName="120712~1")) returned 1 [0259.471] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1285768c | out: lpFindFileData=0x1285768c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.471] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.472] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857310 | out: lpFileInformation=0x12857310*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.472] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.472] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.473] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857520 | out: lpMode=0x12857520) returned 0 [0259.473] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857520, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857520*=0x118a, lpOverlapped=0x0) returned 1 [0259.475] CloseHandle (hObject=0x42c) returned 1 [0259.475] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\120712-0049"), fInfoLevelId=0x0, lpFileInformation=0x1285770c | out: lpFileInformation=0x1285770c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.475] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\120712-0049"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.475] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049\\*", lpFindFileData=0x128575e4 | out: lpFindFileData=0x128575e4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.476] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857628 | out: lpFindFileData=0x12857628*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.476] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857628 | out: lpFindFileData=0x12857628*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.476] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.476] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\120712-0049\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128572ac | out: lpFileInformation=0x128572ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.476] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\120712-0049\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.476] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\120712-0049\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.477] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128574bc | out: lpMode=0x128574bc) returned 0 [0259.477] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128574bc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128574bc*=0x118a, lpOverlapped=0x0) returned 1 [0259.479] CloseHandle (hObject=0x42c) returned 1 [0259.479] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\downloadhistory"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4c9ab4f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4c9ab4f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4c9ab4f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.479] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\downloadhistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.480] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4c9ab4f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4c9ab4f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4c9ab4f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0259.480] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4c9ab4f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4c9ab4f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4c9ab4f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.480] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.480] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0259.480] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\downloadhistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.480] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\downloadhistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.480] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\downloadhistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.481] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0259.481] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0259.483] CloseHandle (hObject=0x42c) returned 1 [0259.483] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\favorites"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x471725d, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x471725d, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x471725d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.483] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\favorites"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.483] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x471725d, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x471725d, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x471725d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0259.483] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x471725d, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x471725d, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x471725d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.483] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.483] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0259.484] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\favorites\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.484] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\favorites\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.484] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\favorites\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.485] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0259.485] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0259.486] CloseHandle (hObject=0x42c) returned 1 [0259.487] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery"), fInfoLevelId=0x0, lpFileInformation=0x1285789c | out: lpFileInformation=0x1285789c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x47fc06f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x47fc06f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.487] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.487] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\*", lpFindFileData=0x12857774 | out: lpFindFileData=0x12857774*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x47fc06f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x47fc06f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0259.487] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x47fc06f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x47fc06f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.487] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78edcc8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x78edcc8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Active", cAlternateFileName="")) returned 1 [0259.487] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128577b8 | out: lpFindFileData=0x128577b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.487] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0259.487] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285743c | out: lpFileInformation=0x1285743c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.488] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.488] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.490] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1285764c | out: lpMode=0x1285764c) returned 0 [0259.490] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285764c, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1285764c*=0x118a, lpOverlapped=0x0) returned 1 [0259.491] CloseHandle (hObject=0x42c) returned 1 [0259.491] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active"), fInfoLevelId=0x0, lpFileInformation=0x12857838 | out: lpFileInformation=0x12857838*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x7d19e41, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.491] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.491] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\*", lpFindFileData=0x12857710 | out: lpFindFileData=0x12857710*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78edcc8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78edcc8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x78c7a52, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78c7a52, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat", cAlternateFileName="RECOVE~2.DAT")) returned 1 [0259.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7d19e41, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x7d19e41, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat", cAlternateFileName="{44F17~1.DAT")) returned 1 [0259.493] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857754 | out: lpFindFileData=0x12857754*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.493] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.494] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128573d8 | out: lpFileInformation=0x128573d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.495] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.496] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.497] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128575e8 | out: lpMode=0x128575e8) returned 0 [0259.497] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128575e8, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128575e8*=0x118a, lpOverlapped=0x0) returned 1 [0259.498] CloseHandle (hObject=0x42c) returned 1 [0259.499] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\recoverystore.{44f17ef9-7053-11eb-b0ac-0050f0b0ffdb}.dat"), fInfoLevelId=0x0, lpFileInformation=0x128577d4 | out: lpFileInformation=0x128577d4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x78c7a52, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78c7a52, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1400)) returned 1 [0259.499] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\{44f17efb-7053-11eb-b0ac-0050f0b0ffdb}.dat"), fInfoLevelId=0x0, lpFileInformation=0x128577d4 | out: lpFileInformation=0x128577d4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7d19e41, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x7d19e41, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1200)) returned 1 [0259.500] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\recoverystore.{44f17ef9-7053-11eb-b0ac-0050f0b0ffdb}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.500] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0259.500] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\recoverystore.{44f17ef9-7053-11eb-b0ac-0050f0b0ffdb}.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x78c7a52, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78c7a52, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1400)) returned 1 [0259.501] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88020 | out: pbBuffer=0x12b88020) returned 1 [0259.501] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a7c0 | out: pbBuffer=0x12a9a7c0) returned 1 [0259.501] ReadFile (in: hFile=0x42c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12855d1c*=0x1400, lpOverlapped=0x0) returned 1 [0259.510] GetFileType (hFile=0x42c) returned 0x1 [0259.510] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.511] WriteFile (in: hFile=0x42c, lpBuffer=0x12902a00*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12902a00*, lpNumberOfBytesWritten=0x12855d00*=0x1400, lpOverlapped=0x12855d0c) returned 1 [0259.511] GetFileType (hFile=0x42c) returned 0x1 [0259.511] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1400, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0259.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0259.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0259.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a878 | out: pbBuffer=0x12a9a878) returned 1 [0259.512] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\recoverystore.{44f17ef9-7053-11eb-b0ac-0050f0b0ffdb}.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.512] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0259.512] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0259.513] CloseHandle (hObject=0x458) returned 1 [0259.513] CloseHandle (hObject=0x42c) returned 1 [0259.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a890 | out: pbBuffer=0x12a9a890) returned 1 [0259.513] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\recoverystore.{44f17ef9-7053-11eb-b0ac-0050f0b0ffdb}.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\#_THIS_FILE_IS_ENCRYPTED_[13938DB2D9EFEF23]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\#_this_file_is_encrypted_[13938db2d9efef23]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.518] SetEvent (hEvent=0x3f8) returned 1 [0259.518] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\{44f17efb-7053-11eb-b0ac-0050f0b0ffdb}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.519] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0259.519] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\{44f17efb-7053-11eb-b0ac-0050f0b0ffdb}.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7d19e41, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x7d19e41, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1200)) returned 1 [0259.519] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88260 | out: pbBuffer=0x12b88260) returned 1 [0259.519] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a8d8 | out: pbBuffer=0x12a9a8d8) returned 1 [0259.519] ReadFile (in: hFile=0x42c, lpBuffer=0x12d8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d8a000*, lpNumberOfBytesRead=0x12855d1c*=0x1200, lpOverlapped=0x0) returned 1 [0259.561] GetFileType (hFile=0x42c) returned 0x1 [0259.562] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.562] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12855d00*=0x1200, lpOverlapped=0x12855d0c) returned 1 [0259.562] GetFileType (hFile=0x42c) returned 0x1 [0259.562] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.562] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0259.562] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc01 | out: pbBuffer=0x12afcc01) returned 1 [0259.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd01 | out: pbBuffer=0x12afcd01) returned 1 [0259.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a990 | out: pbBuffer=0x12a9a990) returned 1 [0259.563] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\{44f17efb-7053-11eb-b0ac-0050f0b0ffdb}.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0259.563] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0259.564] WriteFile (in: hFile=0x450, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0259.564] CloseHandle (hObject=0x450) returned 1 [0259.564] CloseHandle (hObject=0x42c) returned 1 [0259.564] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a9a8 | out: pbBuffer=0x12a9a9a8) returned 1 [0259.564] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\{44f17efb-7053-11eb-b0ac-0050f0b0ffdb}.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\#_THIS_FILE_IS_ENCRYPTED_[1DBB0BC5C810D2FA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\#_this_file_is_encrypted_[1dbb0bc5c810d2fa]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.583] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0259.666] SetEvent (hEvent=0x3f4) returned 1 [0259.666] SetEvent (hEvent=0x1d0) returned 1 [0259.666] SetEvent (hEvent=0x40c) returned 1 [0259.666] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0259.673] SetEvent (hEvent=0x3f4) returned 1 [0259.673] SwitchToThread () returned 1 [0259.705] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0260.217] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0260.219] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0260.227] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x689a03cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x689a03cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x689a03cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.228] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0260.228] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0260.228] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0260.228] CloseHandle (hObject=0x3e4) returned 1 [0260.228] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0260.461] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0260.475] SetEvent (hEvent=0x40c) returned 1 [0260.475] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0260.959] SetEvent (hEvent=0x40c) returned 1 [0260.959] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0260.966] SetEvent (hEvent=0x40c) returned 1 [0260.966] SetEvent (hEvent=0x1d0) returned 1 [0260.966] SetEvent (hEvent=0x3f4) returned 1 [0260.966] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0260.980] SetEvent (hEvent=0x40c) returned 1 [0260.981] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0260.985] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0261.077] SetEvent (hEvent=0x40c) returned 1 [0261.077] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.078] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0261.078] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0261.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0261.078] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12853d1c*=0x0, lpOverlapped=0x0) returned 1 [0261.078] CloseHandle (hObject=0x3e4) returned 1 [0261.079] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.079] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0261.079] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b508d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0261.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e280 | out: pbBuffer=0x1280e280) returned 1 [0261.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848038 | out: pbBuffer=0x12848038) returned 1 [0261.080] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x1282bd1c*=0x2000, lpOverlapped=0x0) returned 1 [0261.090] GetFileType (hFile=0x3e4) returned 0x1 [0261.090] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0261.090] WriteFile (in: hFile=0x3e4, lpBuffer=0x128f4000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x128f4000*, lpNumberOfBytesWritten=0x1282bd00*=0x2000, lpOverlapped=0x1282bd0c) returned 1 [0261.090] GetFileType (hFile=0x3e4) returned 0x1 [0261.090] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0261.090] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0261.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0261.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0261.091] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483c0 | out: pbBuffer=0x128483c0) returned 1 [0261.091] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0261.091] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0261.091] WriteFile (in: hFile=0x44c, lpBuffer=0x12be2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12be2000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0261.091] CloseHandle (hObject=0x44c) returned 1 [0261.092] CloseHandle (hObject=0x3e4) returned 1 [0261.092] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483d8 | out: pbBuffer=0x128483d8) returned 1 [0261.092] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[CF7038129A3E0009]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[cf7038129a3e0009]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0261.093] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.094] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0261.094] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5ade105, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.094] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4e0 | out: pbBuffer=0x1280e4e0) returned 1 [0261.094] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848440 | out: pbBuffer=0x12848440) returned 1 [0261.094] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0261.094] CloseHandle (hObject=0x3e4) returned 1 [0261.094] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0261.601] SetEvent (hEvent=0x40c) returned 1 [0261.601] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0261.623] SetEvent (hEvent=0x40c) returned 1 [0261.623] SetEvent (hEvent=0x3f4) returned 1 [0261.623] SetEvent (hEvent=0x19c) returned 1 [0261.623] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0261.638] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0261.878] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.038] SetEvent (hEvent=0x3f8) returned 1 [0262.038] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.039] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0262.039] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e636973, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e636973, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0262.039] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0262.039] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0262.039] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0262.044] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.044] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0262.044] SetEvent (hEvent=0x110) returned 1 [0262.044] SetEvent (hEvent=0x3f8) returned 1 [0262.044] SetEvent (hEvent=0x3f4) returned 1 [0262.044] ReadFile (in: hFile=0x42c, lpBuffer=0x12a16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a16000*, lpNumberOfBytesRead=0x1282bd1c*=0x8000, lpOverlapped=0x0) returned 1 [0262.059] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.066] SwitchToThread () returned 1 [0262.069] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.108] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.196] SetEvent (hEvent=0x3f4) returned 1 [0262.196] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.197] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0262.197] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8852921, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.197] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0262.197] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0262.197] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0262.197] CloseHandle (hObject=0x3e4) returned 1 [0262.197] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.198] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0262.198] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8a8edde, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8a8edde, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0262.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0262.198] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12853d1c*=0x2000, lpOverlapped=0x0) returned 1 [0262.220] GetFileType (hFile=0x3e4) returned 0x1 [0262.220] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.221] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a6e000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a6e000*, lpNumberOfBytesWritten=0x12853d00*=0x2000, lpOverlapped=0x12853d0c) returned 1 [0262.221] GetFileType (hFile=0x3e4) returned 0x1 [0262.221] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0262.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0262.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0262.222] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340d0 | out: pbBuffer=0x12c340d0) returned 1 [0262.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0262.222] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0262.222] WriteFile (in: hFile=0x458, lpBuffer=0x12b44000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0262.222] CloseHandle (hObject=0x458) returned 1 [0262.222] CloseHandle (hObject=0x3e4) returned 1 [0262.223] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340e8 | out: pbBuffer=0x12c340e8) returned 1 [0262.223] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[1988C30450307DB1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\#_this_file_is_encrypted_[1988c30450307db1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0262.224] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.302] SetEvent (hEvent=0x3f4) returned 1 [0262.302] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.303] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0262.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbe8daed, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0262.303] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928220 | out: pbBuffer=0x12928220) returned 1 [0262.303] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34130 | out: pbBuffer=0x12c34130) returned 1 [0262.303] ReadFile (in: hFile=0x42c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0262.310] GetFileType (hFile=0x42c) returned 0x1 [0262.311] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.311] WriteFile (in: hFile=0x42c, lpBuffer=0x12c32000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c32000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0262.311] GetFileType (hFile=0x42c) returned 0x1 [0262.311] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0262.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0262.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0262.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0262.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341e8 | out: pbBuffer=0x12c341e8) returned 1 [0262.312] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0262.312] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0262.312] WriteFile (in: hFile=0x44c, lpBuffer=0x12b44500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0262.312] CloseHandle (hObject=0x44c) returned 1 [0262.312] CloseHandle (hObject=0x42c) returned 1 [0262.312] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34200 | out: pbBuffer=0x12c34200) returned 1 [0262.312] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[997808CAC3BD2620]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[997808cac3bd2620]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0262.314] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0262.315] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0262.315] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.315] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928460 | out: pbBuffer=0x12928460) returned 1 [0262.315] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34248 | out: pbBuffer=0x12c34248) returned 1 [0262.315] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0262.317] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.317] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0262.317] SetEvent (hEvent=0x110) returned 1 [0262.317] SetEvent (hEvent=0x3f8) returned 1 [0262.317] SetEvent (hEvent=0x19c) returned 1 [0262.317] ReadFile (in: hFile=0x42c, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0262.317] CloseHandle (hObject=0x42c) returned 1 [0262.318] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0262.326] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.326] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0262.333] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.333] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0262.333] SetEvent (hEvent=0x3f4) returned 1 [0262.333] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0262.342] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0262.342] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0263.052] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0263.053] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0263.053] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x66315ca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0263.053] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0263.053] ReadFile (in: hFile=0x44c, lpBuffer=0x12c4a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c4a000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0263.053] CloseHandle (hObject=0x44c) returned 1 [0263.053] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0263.154] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0263.408] SetEvent (hEvent=0x3f8) returned 1 [0263.408] SetEvent (hEvent=0x40c) returned 1 [0263.408] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0263.419] SetEvent (hEvent=0x19c) returned 1 [0263.419] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0263.423] SetEvent (hEvent=0x19c) returned 1 [0263.423] SetEvent (hEvent=0x3f4) returned 1 [0263.423] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.437] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.438] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0263.452] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.452] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.452] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0263.465] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.467] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.467] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.479] CloseHandle (hObject=0x42c) returned 1 [0263.479] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.479] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.480] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0263.485] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.485] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0263.485] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x93c418e8, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93c418e8, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0263.486] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93b82c39, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0263.486] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93b82c39, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0263.486] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.486] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0263.487] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.488] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.489] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.491] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.491] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.493] CloseHandle (hObject=0x42c) returned 1 [0263.497] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.501] SetEvent (hEvent=0x3f4) returned 1 [0263.501] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x93c418e8, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93c418e8, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.502] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93b82c39, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.502] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93b82c39, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.503] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.503] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.503] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0263.503] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.503] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.503] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0263.503] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.504] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.504] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.505] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.505] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.507] CloseHandle (hObject=0x42c) returned 1 [0263.507] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.507] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.508] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0263.508] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.508] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.508] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0263.508] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.508] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.509] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.510] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.510] WriteFile (in: hFile=0x42c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.511] CloseHandle (hObject=0x42c) returned 1 [0263.512] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0263.512] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.512] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0263.513] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.513] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0263.514] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.514] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.514] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.515] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0263.515] WriteFile (in: hFile=0x42c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0263.517] CloseHandle (hObject=0x42c) returned 1 [0263.517] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0263.517] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.517] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0263.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0263.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0263.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0263.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.519] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.525] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.526] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.573] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.573] WriteFile (in: hFile=0x42c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.575] CloseHandle (hObject=0x42c) returned 1 [0263.575] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.582] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.582] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.582] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.582] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.582] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.583] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.583] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.583] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.584] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.584] WriteFile (in: hFile=0x42c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.586] CloseHandle (hObject=0x42c) returned 1 [0263.586] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.587] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.587] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.587] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.587] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.587] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.587] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.588] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.588] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.589] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.589] WriteFile (in: hFile=0x42c, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.591] CloseHandle (hObject=0x42c) returned 1 [0263.591] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.591] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.591] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0263.592] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.592] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.592] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0263.592] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.592] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.592] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.593] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.593] WriteFile (in: hFile=0x42c, lpBuffer=0x12859300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12859300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.595] CloseHandle (hObject=0x42c) returned 1 [0263.595] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.595] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.596] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0263.596] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.596] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.596] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0263.596] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.597] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.597] WriteFile (in: hFile=0x42c, lpBuffer=0x1285a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1285a600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.599] CloseHandle (hObject=0x42c) returned 1 [0263.599] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.600] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.600] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0263.600] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.600] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.600] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0263.600] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.600] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.600] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.601] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.601] WriteFile (in: hFile=0x42c, lpBuffer=0x1285b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.603] CloseHandle (hObject=0x42c) returned 1 [0263.603] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.612] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.613] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.613] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.613] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.613] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.613] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.613] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.639] SetEvent (hEvent=0x110) returned 1 [0263.639] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.639] WriteFile (in: hFile=0x458, lpBuffer=0x1285cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.641] CloseHandle (hObject=0x458) returned 1 [0263.641] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.642] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.642] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0263.642] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.642] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.642] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0263.642] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.643] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.643] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.647] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.647] WriteFile (in: hFile=0x458, lpBuffer=0x12c10000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c10000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.649] CloseHandle (hObject=0x458) returned 1 [0263.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.649] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.649] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.650] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.650] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0263.650] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.650] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.650] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.650] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.650] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.755] SetEvent (hEvent=0x110) returned 1 [0263.755] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.755] WriteFile (in: hFile=0x458, lpBuffer=0x12c11300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c11300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.757] CloseHandle (hObject=0x458) returned 1 [0263.759] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.759] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.759] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0263.761] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.761] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9da2e714, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9da2e714, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0263.761] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d77f879, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0263.762] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d77f879, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0263.762] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.762] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0263.763] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.764] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.765] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.766] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0263.766] WriteFile (in: hFile=0x458, lpBuffer=0x12c12600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c12600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0263.767] CloseHandle (hObject=0x458) returned 1 [0263.768] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9da2e714, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9da2e714, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0263.771] SetEvent (hEvent=0x19c) returned 1 [0263.771] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d77f879, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0263.771] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d77f879, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.772] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.772] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.772] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0263.772] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.772] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.773] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0263.773] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.773] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.773] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.822] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.822] WriteFile (in: hFile=0x458, lpBuffer=0x12c13900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c13900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.824] CloseHandle (hObject=0x458) returned 1 [0263.824] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9404784f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9404784f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.825] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.825] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9404784f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0263.900] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9404784f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.900] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0263.900] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x941c4e32, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x941c4e32, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0263.900] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93faeefa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93faeefa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0263.900] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93faeefa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93faeefa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0263.900] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.900] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0263.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.902] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.914] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0263.915] SetEvent (hEvent=0x40c) returned 1 [0263.915] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.917] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.917] WriteFile (in: hFile=0x458, lpBuffer=0x12b00000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b00000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.918] CloseHandle (hObject=0x458) returned 1 [0263.919] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.919] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x941c4e32, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x941c4e32, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.919] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93faeefa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93faeefa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.920] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93faeefa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93faeefa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.920] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.920] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.920] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0263.920] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.920] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.921] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0263.921] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.921] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.921] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.923] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.923] WriteFile (in: hFile=0x458, lpBuffer=0x12b01300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b01300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.924] CloseHandle (hObject=0x458) returned 1 [0263.924] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.924] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.924] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0263.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.925] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0263.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0263.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0263.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.926] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0263.926] WriteFile (in: hFile=0x458, lpBuffer=0x12b02600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b02600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0263.928] CloseHandle (hObject=0x458) returned 1 [0263.928] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.928] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0263.928] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0264.001] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.001] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0264.001] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0264.001] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x280f99, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x280f99, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0264.001] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0264.002] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0264.002] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0264.066] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0264.066] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0264.066] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0264.066] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.067] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0264.068] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.087] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0264.087] WriteFile (in: hFile=0x450, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0264.093] CloseHandle (hObject=0x450) returned 1 [0264.102] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.105] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.105] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0264.173] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.173] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0264.173] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0264.173] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0264.173] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0264.173] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.173] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0264.174] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.176] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.176] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0264.178] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0264.178] WriteFile (in: hFile=0x44c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0264.179] CloseHandle (hObject=0x44c) returned 1 [0264.179] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.180] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.181] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0264.181] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.181] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.181] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0264.181] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.181] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.181] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0264.183] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0264.183] WriteFile (in: hFile=0x44c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0264.184] CloseHandle (hObject=0x44c) returned 1 [0264.185] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.185] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.185] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0264.185] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.185] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.185] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0264.185] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.186] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.186] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0264.187] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0264.187] WriteFile (in: hFile=0x44c, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0264.188] CloseHandle (hObject=0x44c) returned 1 [0264.188] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.189] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0264.189] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.189] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.189] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0264.189] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0264.192] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0264.192] WriteFile (in: hFile=0x44c, lpBuffer=0x12b00000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12b00000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0264.194] CloseHandle (hObject=0x44c) returned 1 [0264.195] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.195] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.195] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0264.195] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.195] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.195] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0264.195] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.195] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.196] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0264.196] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0264.196] WriteFile (in: hFile=0x44c, lpBuffer=0x12b03900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12b03900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0264.198] CloseHandle (hObject=0x44c) returned 1 [0264.198] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.240] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.240] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0264.240] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.240] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.240] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0264.241] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.241] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.241] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.242] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0264.242] WriteFile (in: hFile=0x450, lpBuffer=0x12b04c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b04c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0264.244] CloseHandle (hObject=0x450) returned 1 [0264.244] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x280f99, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x280f99, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.244] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.244] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x280f99, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x280f99, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0264.245] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x280f99, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x280f99, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.245] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.245] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0264.245] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.245] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.245] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.247] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0264.247] WriteFile (in: hFile=0x450, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0264.248] CloseHandle (hObject=0x450) returned 1 [0264.248] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.249] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.249] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0264.249] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.249] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.249] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0264.250] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.250] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.250] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.251] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0264.251] WriteFile (in: hFile=0x450, lpBuffer=0x12c37300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c37300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0264.307] CloseHandle (hObject=0x450) returned 1 [0264.307] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.351] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.351] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0264.352] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.352] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0264.352] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.352] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0264.352] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.354] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0264.354] WriteFile (in: hFile=0x450, lpBuffer=0x12c38600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c38600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0264.356] CloseHandle (hObject=0x450) returned 1 [0264.356] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.357] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.357] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0264.576] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.601] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d6b609, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2d6b609, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0264.601] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x71f663, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0264.602] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x71f663, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0264.602] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.602] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0264.702] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.703] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.704] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0264.706] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0264.706] WriteFile (in: hFile=0x450, lpBuffer=0x12c39900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c39900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0264.708] CloseHandle (hObject=0x450) returned 1 [0264.708] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d6b609, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2d6b609, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0264.709] SetEvent (hEvent=0x3f4) returned 1 [0264.722] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x71f663, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0264.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x71f663, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.769] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.769] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0264.770] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.770] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.770] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0264.770] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.770] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.770] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0264.772] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0264.772] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c3ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c3ac00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0264.774] CloseHandle (hObject=0x3e4) returned 1 [0264.774] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.774] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0264.774] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0264.774] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0264.775] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0264.775] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0264.775] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0264.775] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0264.775] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0264.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0264.776] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0264.776] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0264.778] CloseHandle (hObject=0x3e4) returned 1 [0264.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0264.779] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0264.780] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0264.780] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0264.780] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929260 | out: pbBuffer=0x12929260) returned 1 [0264.780] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34e90 | out: pbBuffer=0x12c34e90) returned 1 [0264.868] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c8c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c8c000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0264.868] CloseHandle (hObject=0x3e4) returned 1 [0264.868] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0264.870] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0264.870] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0264.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929280 | out: pbBuffer=0x12929280) returned 1 [0264.870] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ea0 | out: pbBuffer=0x12c34ea0) returned 1 [0264.870] ReadFile (in: hFile=0x3e4, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0264.996] GetFileType (hFile=0x3e4) returned 0x1 [0264.996] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0264.996] WriteFile (in: hFile=0x3e4, lpBuffer=0x12d98000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d98000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0264.996] GetFileType (hFile=0x3e4) returned 0x1 [0264.996] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0264.996] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0264.996] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x102 [0265.015] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0265.015] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0265.015] SetEvent (hEvent=0x110) returned 1 [0265.015] SetEvent (hEvent=0x104) returned 1 [0265.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0265.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0265.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34f58 | out: pbBuffer=0x12c34f58) returned 1 [0265.016] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0265.017] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0265.017] WriteFile (in: hFile=0x44c, lpBuffer=0x12db0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12db0000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0265.017] CloseHandle (hObject=0x44c) returned 1 [0265.017] CloseHandle (hObject=0x3e4) returned 1 [0265.017] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34f70 | out: pbBuffer=0x12c34f70) returned 1 [0265.018] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[4BBEDF88FDC12129]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[4bbedf88fdc12129]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0265.264] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0266.293] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412facc, ulCount=0x10, ulNumEntriesRemoved=0x3412fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412facc, ulNumEntriesRemoved=0x3412fab0) returned 0 [0266.293] SetEvent (hEvent=0x3f4) returned 1 [0266.293] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x15f7b) returned 0x0 [0266.422] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x270c) returned 0x102 [0276.498] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0276.866] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0277.239] SetEvent (hEvent=0x40c) returned 1 [0277.239] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0277.259] SetEvent (hEvent=0x1b8) returned 1 [0277.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8358 | out: pbBuffer=0x128e8358) returned 1 [0277.273] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\P30eaW83bz2S.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\p30eaw83bz2s.avi"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[11DE59BEA4305C3B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[11de59bea4305c3b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.290] SwitchToThread () returned 1 [0277.380] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0277.534] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0277.539] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0277.539] SetEvent (hEvent=0x1b8) returned 1 [0277.539] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0277.581] ReadFile (in: hFile=0x44c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a5dd1c*=0x8a14, lpOverlapped=0x0) returned 1 [0277.584] GetFileType (hFile=0x44c) returned 0x1 [0277.584] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.584] WriteFile (in: hFile=0x44c, lpBuffer=0x12b7e000*, nNumberOfBytesToWrite=0x8a14, lpNumberOfBytesWritten=0x12a5dd00, lpOverlapped=0x12a5dd0c | out: lpBuffer=0x12b7e000*, lpNumberOfBytesWritten=0x12a5dd00*=0x8a14, lpOverlapped=0x12a5dd0c) returned 1 [0277.585] GetFileType (hFile=0x44c) returned 0x1 [0277.585] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x8a14, lpNewFilePointer=0x0, dwMoveMethod=0x12a5dce4 | out: lpNewFilePointer=0x0) returned 1 [0277.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0277.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0277.585] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0277.586] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0277.586] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hGzhgTOVuGok5gYE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\hgzhgtovugok5gye.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0277.586] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a5dd0c | out: lpMode=0x12a5dd0c) returned 0 [0277.586] WriteFile (in: hFile=0x45c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a5dd0c*=0x276, lpOverlapped=0x0) returned 1 [0277.586] CloseHandle (hObject=0x45c) returned 1 [0277.587] CloseHandle (hObject=0x44c) returned 1 [0277.587] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0277.587] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hGzhgTOVuGok5gYE.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\hgzhgtovugok5gye.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[3580593BA45A334E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[3580593ba45a334e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0277.602] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0277.668] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0277.673] SetEvent (hEvent=0x3f4) returned 1 [0277.673] SetEvent (hEvent=0x104) returned 1 [0277.732] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040, lpNumberOfBytesRecvd=0x128e6034*=0x2a, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned -1 [0277.845] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1f, buf=0x12bee000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x26, lpOverlapped=0x128e6088) returned -1 [0277.845] closesocket (s=0x1a4) returned 0 [0277.846] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x2710) returned 0x102 [0287.866] SetEvent (hEvent=0x110) returned 1 [0287.866] SetEvent (hEvent=0x1b8) returned 1 [0288.825] SetEvent (hEvent=0x1b8) returned 1 [0289.078] SetEvent (hEvent=0x3cc) returned 1 [0289.211] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0289.284] SetEvent (hEvent=0x1d0) returned 1 [0289.285] SetEvent (hEvent=0x3f4) returned 1 [0289.285] SetEvent (hEvent=0xf4) returned 1 [0289.285] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0289.328] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0289.329] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0289.330] SetEvent (hEvent=0x3f4) returned 1 [0289.330] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0289.578] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0289.580] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0289.580] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878917cb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x42400)) returned 1 [0289.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0289.580] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0289.581] ReadFile (in: hFile=0x45c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a2fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0289.669] GetFileType (hFile=0x45c) returned 0x1 [0289.669] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0289.669] WriteFile (in: hFile=0x45c, lpBuffer=0x129b6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x129b6000*, lpNumberOfBytesWritten=0x12a2fd00*=0x20000, lpOverlapped=0x12a2fd0c) returned 1 [0289.670] GetFileType (hFile=0x45c) returned 0x1 [0289.670] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0289.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0289.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0289.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0289.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914220 | out: pbBuffer=0x12914220) returned 1 [0289.671] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0289.672] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0289.672] WriteFile (in: hFile=0x464, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0289.674] CloseHandle (hObject=0x464) returned 1 [0289.674] CloseHandle (hObject=0x45c) returned 1 [0289.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914278 | out: pbBuffer=0x12914278) returned 1 [0289.675] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\#_THIS_FILE_IS_ENCRYPTED_[E0F3AA3CB8ED158C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\#_this_file_is_encrypted_[e0f3aa3cb8ed158c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0290.363] SetEvent (hEvent=0x40c) returned 1 [0290.363] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\DT6iMyJba.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\dt6imyjba.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0290.364] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0290.365] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\DT6iMyJba.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\dt6imyjba.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c106f0, ftCreationTime.dwHighDateTime=0x1d81dd6, ftLastAccessTime.dwLowDateTime=0x884da520, ftLastAccessTime.dwHighDateTime=0x1d828f8, ftLastWriteTime.dwLowDateTime=0x884da520, ftLastWriteTime.dwHighDateTime=0x1d828f8, nFileSizeHigh=0x0, nFileSizeLow=0x705e)) returned 1 [0290.365] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129280a0 | out: pbBuffer=0x129280a0) returned 1 [0290.365] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810870 | out: pbBuffer=0x12810870) returned 1 [0290.365] ReadFile (in: hFile=0x45c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a2fd1c*=0x705e, lpOverlapped=0x0) returned 1 [0290.367] GetFileType (hFile=0x45c) returned 0x1 [0290.367] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0290.367] WriteFile (in: hFile=0x45c, lpBuffer=0x12a32000*, nNumberOfBytesToWrite=0x705e, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12a32000*, lpNumberOfBytesWritten=0x12a2fd00*=0x705e, lpOverlapped=0x12a2fd0c) returned 1 [0290.368] GetFileType (hFile=0x45c) returned 0x1 [0290.368] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x705e, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0290.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0290.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0290.368] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0290.369] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810928 | out: pbBuffer=0x12810928) returned 1 [0290.369] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\DT6iMyJba.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\dt6imyjba.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0290.369] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0290.369] WriteFile (in: hFile=0x468, lpBuffer=0x12c2a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2a000*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0290.369] CloseHandle (hObject=0x468) returned 1 [0290.454] CloseHandle (hObject=0x45c) returned 1 [0290.692] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810940 | out: pbBuffer=0x12810940) returned 1 [0290.705] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\DT6iMyJba.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\dt6imyjba.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\#_THIS_FILE_IS_ENCRYPTED_[93A9449F403BC318]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\#_this_file_is_encrypted_[93a9449f403bc318]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0291.947] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0292.069] SwitchToThread () returned 1 [0292.071] SetEvent (hEvent=0x454) returned 1 [0292.148] WSASend (in: s=0x1a4, lpBuffers=0x12c2e0b4*=((len=0x5d, buf=0x12a3c000*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x12c2e0a8, dwFlags=0x0, lpOverlapped=0x12c2e088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x12c2e0a8*=0x5d, lpOverlapped=0x12c2e088) returned 0 [0292.148] SetEvent (hEvent=0x454) returned 1 [0292.380] WSASend (in: s=0x1a4, lpBuffers=0x12c2e0b4*=((len=0x1ec, buf=0x12a48200*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x12c2e0a8, dwFlags=0x0, lpOverlapped=0x12c2e088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x12c2e0a8*=0x1ec, lpOverlapped=0x12c2e088) returned 0 [0292.405] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0292.529] SetEvent (hEvent=0x1b8) returned 1 [0292.529] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.137] SetEvent (hEvent=0x1b8) returned 1 [0293.137] SetEvent (hEvent=0x19c) returned 1 [0293.137] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.145] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.201] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.213] SetEvent (hEvent=0x19c) returned 1 [0293.213] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\BXHo2RbAttrCH2QVm.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\bxho2rbattrch2qvm.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f3edc0, ftCreationTime.dwHighDateTime=0x1d822ce, ftLastAccessTime.dwLowDateTime=0x9a33b5d0, ftLastAccessTime.dwHighDateTime=0x1d82322, ftLastWriteTime.dwLowDateTime=0x9a33b5d0, ftLastWriteTime.dwHighDateTime=0x1d82322, nFileSizeHigh=0x0, nFileSizeLow=0x1641f)) returned 1 [0293.213] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.243] SetEvent (hEvent=0x19c) returned 1 [0293.243] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\r55WOM29Tnt.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\r55wom29tnt.rtf"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1ba6500, ftCreationTime.dwHighDateTime=0x1d819d7, ftLastAccessTime.dwLowDateTime=0x12a35620, ftLastAccessTime.dwHighDateTime=0x1d826b5, ftLastWriteTime.dwLowDateTime=0x12a35620, ftLastWriteTime.dwHighDateTime=0x1d826b5, nFileSizeHigh=0x0, nFileSizeLow=0x15040)) returned 1 [0293.244] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.275] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.362] SetEvent (hEvent=0xfc) returned 1 [0293.362] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.380] SetEvent (hEvent=0x19c) returned 1 [0293.380] SetEvent (hEvent=0x1d0) returned 1 [0293.380] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.658] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.689] SetEvent (hEvent=0xf4) returned 1 [0293.690] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0293.690] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0293.690] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbeff78 [0293.691] FindNextFileW (in: hFindFile=0xbeff78, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0293.691] FindNextFileW (in: hFindFile=0xbeff78, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43053b43, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43053b43, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0293.691] FindNextFileW (in: hFindFile=0xbeff78, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0293.691] FindNextFileW (in: hFindFile=0xbeff78, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0293.691] FindNextFileW (in: hFindFile=0xbeff78, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0293.691] FindClose (in: hFindFile=0xbeff78 | out: hFindFile=0xbeff78) returned 1 [0293.691] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0293.691] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0293.692] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.700] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0293.700] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0293.701] CloseHandle (hObject=0x44c) returned 1 [0293.710] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43053b43, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43053b43, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd0)) returned 1 [0293.711] SetEvent (hEvent=0x454) returned 1 [0293.711] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0293.711] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0293.711] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0293.711] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0293.712] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0293.712] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0293.712] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0293.712] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0293.712] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0293.712] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.764] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0293.764] WriteFile (in: hFile=0x45c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0293.766] CloseHandle (hObject=0x45c) returned 1 [0293.845] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50)) returned 1 [0293.858] SetEvent (hEvent=0x19c) returned 1 [0293.858] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192)) returned 1 [0293.858] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\links"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0293.858] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\links"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0293.859] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0293.859] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0293.859] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0293.859] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x207, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0293.859] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0293.859] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0293.859] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0293.859] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0293.860] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0293.860] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.861] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0293.862] WriteFile (in: hFile=0x468, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0293.863] CloseHandle (hObject=0x468) returned 1 [0293.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x207)) returned 1 [0293.905] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0)) returned 1 [0293.905] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8)) returned 1 [0293.905] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.906] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.906] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0)) returned 1 [0293.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6280 | out: pbBuffer=0x12ac6280) returned 1 [0293.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8080 | out: pbBuffer=0x128e8080) returned 1 [0293.920] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0293.939] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb20, ulCount=0x10, ulNumEntriesRemoved=0x3412fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb20, ulNumEntriesRemoved=0x3412fb04) returned 0 [0293.939] SetEvent (hEvent=0x110) returned 1 [0293.939] SetEvent (hEvent=0xf4) returned 1 [0293.940] ReadFile (in: hFile=0x44c, lpBuffer=0x12bde000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bde000*, lpNumberOfBytesRead=0x12855d1c*=0x3d0, lpOverlapped=0x0) returned 1 [0293.942] GetFileType (hFile=0x44c) returned 0x1 [0293.942] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.942] WriteFile (in: hFile=0x44c, lpBuffer=0x1287e400*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x1287e400*, lpNumberOfBytesWritten=0x12855d00*=0x3d0, lpOverlapped=0x12855d0c) returned 1 [0293.943] GetFileType (hFile=0x44c) returned 0x1 [0293.943] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x3d0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.943] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0293.943] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0293.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0293.944] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8298 | out: pbBuffer=0x128e8298) returned 1 [0293.944] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.944] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.944] WriteFile (in: hFile=0x470, lpBuffer=0x128aea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x128aea00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.944] CloseHandle (hObject=0x470) returned 1 [0293.945] CloseHandle (hObject=0x44c) returned 1 [0293.945] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e82b0 | out: pbBuffer=0x128e82b0) returned 1 [0293.945] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\#_THIS_FILE_IS_ENCRYPTED_[BAD52EEF5706F551]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\#_this_file_is_encrypted_[bad52eef5706f551]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.953] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.954] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.954] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8)) returned 1 [0293.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6640 | out: pbBuffer=0x12ac6640) returned 1 [0293.954] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e82f8 | out: pbBuffer=0x128e82f8) returned 1 [0293.954] ReadFile (in: hFile=0x44c, lpBuffer=0x12ca4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca4000*, lpNumberOfBytesRead=0x12855d1c*=0x1f8, lpOverlapped=0x0) returned 1 [0293.955] GetFileType (hFile=0x44c) returned 0x1 [0293.955] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.956] WriteFile (in: hFile=0x44c, lpBuffer=0x12a48400*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12a48400*, lpNumberOfBytesWritten=0x12855d00*=0x1f8, lpOverlapped=0x12855d0c) returned 1 [0293.956] GetFileType (hFile=0x44c) returned 0x1 [0293.956] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1f8, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.959] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0293.960] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0293.960] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f01 | out: pbBuffer=0x12800f01) returned 1 [0293.960] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e83b0 | out: pbBuffer=0x128e83b0) returned 1 [0293.960] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.960] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.960] WriteFile (in: hFile=0x45c, lpBuffer=0x128aef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x128aef00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.963] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0293.968] CloseHandle (hObject=0x45c) returned 1 [0293.968] CloseHandle (hObject=0x44c) returned 1 [0293.968] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e83c8 | out: pbBuffer=0x128e83c8) returned 1 [0293.968] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\#_THIS_FILE_IS_ENCRYPTED_[8C95DB098DF2B8DC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\#_this_file_is_encrypted_[8c95db098df2b8dc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.970] SetEvent (hEvent=0x19c) returned 1 [0293.970] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.005] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.058] SetEvent (hEvent=0xfc) returned 1 [0294.058] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\87Y4wkljoS5G5e jTi.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\87y4wkljos5g5e jti.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5be94010, ftCreationTime.dwHighDateTime=0x1d819a9, ftLastAccessTime.dwLowDateTime=0x15024340, ftLastAccessTime.dwHighDateTime=0x1d828ae, ftLastWriteTime.dwLowDateTime=0x15024340, ftLastWriteTime.dwHighDateTime=0x1d828ae, nFileSizeHigh=0x0, nFileSizeLow=0x2b79)) returned 1 [0294.059] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.084] SwitchToThread () returned 1 [0294.131] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.387] SetEvent (hEvent=0xf4) returned 1 [0294.387] SetEvent (hEvent=0x19c) returned 1 [0294.387] SetEvent (hEvent=0x454) returned 1 [0294.387] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.513] SetEvent (hEvent=0x1b8) returned 1 [0294.513] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0294.563] SwitchToThread () returned 1 [0294.566] SetEvent (hEvent=0xf4) returned 1 [0294.566] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0294.569] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0294.573] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0294.573] SetEvent (hEvent=0x19c) returned 1 [0294.574] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0294.577] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.644] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.669] SetEvent (hEvent=0x19c) returned 1 [0294.669] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\HKJj WT.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\hkjj wt.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fd90200, ftCreationTime.dwHighDateTime=0x1d82548, ftLastAccessTime.dwLowDateTime=0x1c2c5660, ftLastAccessTime.dwHighDateTime=0x1d8281d, ftLastWriteTime.dwLowDateTime=0x1c2c5660, ftLastWriteTime.dwHighDateTime=0x1d8281d, nFileSizeHigh=0x0, nFileSizeLow=0x10b54)) returned 1 [0294.669] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.695] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.741] SetEvent (hEvent=0x19c) returned 1 [0294.741] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\O9fHKNinOZ.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\o9fhkninoz.png"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19eb5fd0, ftCreationTime.dwHighDateTime=0x1d81f45, ftLastAccessTime.dwLowDateTime=0xcc5e3650, ftLastAccessTime.dwHighDateTime=0x1d823ec, ftLastWriteTime.dwLowDateTime=0xcc5e3650, ftLastWriteTime.dwHighDateTime=0x1d823ec, nFileSizeHigh=0x0, nFileSizeLow=0x18c35)) returned 1 [0294.741] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.756] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.780] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.782] SetEvent (hEvent=0x19c) returned 1 [0294.782] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.789] SetEvent (hEvent=0x19c) returned 1 [0294.789] SetEvent (hEvent=0xf4) returned 1 [0294.789] SwitchToThread () returned 1 [0294.790] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.808] SetEvent (hEvent=0xf4) returned 1 [0294.808] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\R-vk5p4WTAFfUJEJC.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\r-vk5p4wtaffujejc.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9fe3830, ftCreationTime.dwHighDateTime=0x1d81c70, ftLastAccessTime.dwLowDateTime=0x7090be90, ftLastAccessTime.dwHighDateTime=0x1d82646, ftLastWriteTime.dwLowDateTime=0x7090be90, ftLastWriteTime.dwHighDateTime=0x1d82646, nFileSizeHigh=0x0, nFileSizeLow=0x186bb)) returned 1 [0294.808] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.834] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.847] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.861] SetEvent (hEvent=0xf4) returned 1 [0294.861] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\lt1XE8WJFN.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\lt1xe8wjfn.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c372530, ftCreationTime.dwHighDateTime=0x1d81a35, ftLastAccessTime.dwLowDateTime=0xda911920, ftLastAccessTime.dwHighDateTime=0x1d81b9c, ftLastWriteTime.dwLowDateTime=0xda911920, ftLastWriteTime.dwHighDateTime=0x1d81b9c, nFileSizeHigh=0x0, nFileSizeLow=0xc797)) returned 1 [0294.861] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.907] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.934] SetEvent (hEvent=0xf4) returned 1 [0294.934] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\zZX7A-L 6x.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\zzx7a-l 6x.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23db91e0, ftCreationTime.dwHighDateTime=0x1d82314, ftLastAccessTime.dwLowDateTime=0xe0d32230, ftLastAccessTime.dwHighDateTime=0x1d8244b, ftLastWriteTime.dwLowDateTime=0xe0d32230, ftLastWriteTime.dwHighDateTime=0x1d8244b, nFileSizeHigh=0x0, nFileSizeLow=0x5c97)) returned 1 [0294.934] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.943] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.952] SetEvent (hEvent=0xfc) returned 1 [0294.952] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.962] SetEvent (hEvent=0xfc) returned 1 [0294.962] SetEvent (hEvent=0xf4) returned 1 [0294.962] SetEvent (hEvent=0x1b8) returned 1 [0294.962] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0294.968] SwitchToThread () returned 1 [0294.972] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0295.042] SetEvent (hEvent=0x1d0) returned 1 [0295.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\Yc3hCY.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\yc3hcy.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.043] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0295.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\Yc3hCY.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\yc3hcy.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf490c00, ftCreationTime.dwHighDateTime=0x1d8239e, ftLastAccessTime.dwLowDateTime=0x82af18b0, ftLastAccessTime.dwHighDateTime=0x1d82844, ftLastWriteTime.dwLowDateTime=0x82af18b0, ftLastWriteTime.dwHighDateTime=0x1d82844, nFileSizeHigh=0x0, nFileSizeLow=0x71eb)) returned 1 [0295.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0295.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0295.044] ReadFile (in: hFile=0x474, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12853d1c*=0x71eb, lpOverlapped=0x0) returned 1 [0295.045] GetFileType (hFile=0x474) returned 0x1 [0295.045] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.045] WriteFile (in: hFile=0x474, lpBuffer=0x12b72000*, nNumberOfBytesToWrite=0x71eb, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b72000*, lpNumberOfBytesWritten=0x12853d00*=0x71eb, lpOverlapped=0x12853d0c) returned 1 [0295.045] GetFileType (hFile=0x474) returned 0x1 [0295.046] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x71eb, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0295.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0295.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0295.046] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0295.046] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\Yc3hCY.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\yc3hcy.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.046] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0295.046] WriteFile (in: hFile=0x44c, lpBuffer=0x1290a500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x1290a500*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.047] CloseHandle (hObject=0x44c) returned 1 [0295.047] CloseHandle (hObject=0x474) returned 1 [0295.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0295.047] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\Yc3hCY.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\yc3hcy.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\#_THIS_FILE_IS_ENCRYPTED_[86155BA5571AFEB6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\#_this_file_is_encrypted_[86155ba5571afeb6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.331] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.331] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\indexed locations.search-ms"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8)) returned 1 [0295.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x20c)) returned 1 [0295.332] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.332] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Indexed Locations.search-ms\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.332] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.333] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0295.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x20c)) returned 1 [0295.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129286a0 | out: pbBuffer=0x129286a0) returned 1 [0295.333] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aba8 | out: pbBuffer=0x12a9aba8) returned 1 [0295.333] ReadFile (in: hFile=0x474, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12853d1c*=0x20c, lpOverlapped=0x0) returned 1 [0295.335] GetFileType (hFile=0x474) returned 0x1 [0295.335] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.335] WriteFile (in: hFile=0x474, lpBuffer=0x12b0a6c0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b0a6c0*, lpNumberOfBytesWritten=0x12853d00*=0x20c, lpOverlapped=0x12853d0c) returned 1 [0295.335] GetFileType (hFile=0x474) returned 0x1 [0295.335] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x20c, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800601 | out: pbBuffer=0x12800601) returned 1 [0295.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800701 | out: pbBuffer=0x12800701) returned 1 [0295.336] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0295.336] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9aca0 | out: pbBuffer=0x12a9aca0) returned 1 [0295.336] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.336] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0295.336] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.405] CloseHandle (hObject=0x44c) returned 1 [0295.405] CloseHandle (hObject=0x474) returned 1 [0295.406] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ad28 | out: pbBuffer=0x12a9ad28) returned 1 [0295.406] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\#_THIS_FILE_IS_ENCRYPTED_[86ECDA35BC5B4514]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\#_this_file_is_encrypted_[86ecda35bc5b4514]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.407] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0295.575] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0295.638] SetEvent (hEvent=0x1d0) returned 1 [0295.638] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0295.644] SetEvent (hEvent=0x19c) returned 1 [0295.645] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\yHHSos1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\yhhsos1.mkv"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x785d9110, ftCreationTime.dwHighDateTime=0x1d81e04, ftLastAccessTime.dwLowDateTime=0xc32415e0, ftLastAccessTime.dwHighDateTime=0x1d828c5, ftLastWriteTime.dwLowDateTime=0xc32415e0, ftLastWriteTime.dwHighDateTime=0x1d828c5, nFileSizeHigh=0x0, nFileSizeLow=0x7fe4)) returned 1 [0295.645] SetEvent (hEvent=0x454) returned 1 [0295.645] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0295.650] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0295.652] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0295.656] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3412fb28, ulCount=0x10, ulNumEntriesRemoved=0x3412fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3412fb28, ulNumEntriesRemoved=0x3412fb0c) returned 0 [0295.656] SetEvent (hEvent=0x19c) returned 1 [0295.656] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x1) returned 0x0 [0295.661] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\yHHSos1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\yhhsos1.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.663] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.663] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\yHHSos1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\yhhsos1.mkv"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x785d9110, ftCreationTime.dwHighDateTime=0x1d81e04, ftLastAccessTime.dwLowDateTime=0xc32415e0, ftLastAccessTime.dwHighDateTime=0x1d828c5, ftLastWriteTime.dwLowDateTime=0xc32415e0, ftLastWriteTime.dwHighDateTime=0x1d828c5, nFileSizeHigh=0x0, nFileSizeLow=0x7fe4)) returned 1 [0295.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0295.663] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0295.663] ReadFile (in: hFile=0x44c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a31d1c*=0x7fe4, lpOverlapped=0x0) returned 1 [0295.665] GetFileType (hFile=0x44c) returned 0x1 [0295.665] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.665] WriteFile (in: hFile=0x44c, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x7fe4, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12a31d00*=0x7fe4, lpOverlapped=0x12a31d0c) returned 1 [0295.665] GetFileType (hFile=0x44c) returned 0x1 [0295.665] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x7fe4, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0295.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0295.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0295.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914220 | out: pbBuffer=0x12914220) returned 1 [0295.666] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\yHHSos1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\yhhsos1.mkv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0295.666] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0295.667] WriteFile (in: hFile=0x474, lpBuffer=0x12b08000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b08000*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.667] CloseHandle (hObject=0x474) returned 1 [0295.669] CloseHandle (hObject=0x44c) returned 1 [0295.709] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914278 | out: pbBuffer=0x12914278) returned 1 [0295.709] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\yHHSos1.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\yhhsos1.mkv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\#_THIS_FILE_IS_ENCRYPTED_[D8EBFCDE80C4B98E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\#_this_file_is_encrypted_[d8ebfcde80c4b98e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.834] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0295.837] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0295.860] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0295.876] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0302.823] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0xffffffff) returned 0x0 [0305.631] SwitchToThread () returned 1 [0305.681] SwitchToThread () returned 1 [0305.733] SetEvent (hEvent=0xf4) returned 1 [0306.294] SetEvent (hEvent=0x3f8) returned 1 [0306.296] WaitForSingleObject (hHandle=0x420, dwMilliseconds=0x270d) returned 0x102 [0316.457] SetEvent (hEvent=0x110) returned 1 [0316.646] SetEvent (hEvent=0x3f8) returned 1 [0316.746] SetEvent (hEvent=0x3f8) returned 1 [0317.233] GetProcAddress (hModule=0x75600000, lpProcName="GetModuleFileNameW") returned 0x75619b00 [0317.235] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12a7e000, nSize=0x400 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe")) returned 0x62 [0317.328] GetEnvironmentVariableW (in: lpName="windir", lpBuffer=0x128b00d0, nSize=0x64 | out: lpBuffer="") returned 0xa [0317.396] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /C del C:\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12853df0*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12853db8 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /C del C:\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe", lpProcessInformation=0x12853db8*(hProcess=0x464, hThread=0x470, dwProcessId=0xffc, dwThreadId=0x9c8)) returned 1 [0317.483] ExitProcess (uExitCode=0x0) Thread: id = 23 os_tid = 0x13e0 [0168.666] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3426ff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3426ff30*=0x424) returned 1 [0168.667] VirtualQuery (in: lpAddress=0x3426ff40, lpBuffer=0x3426ff40, dwLength=0x1c | out: lpBuffer=0x3426ff40*(BaseAddress=0x3426f000, AllocationBase=0x34170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0168.667] SetEvent (hEvent=0x1d0) returned 1 [0168.667] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x19c [0168.667] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0168.672] SetEvent (hEvent=0x1d0) returned 1 [0168.672] SwitchToThread () returned 1 [0168.802] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0168.817] SetEvent (hEvent=0xfc) returned 1 [0168.817] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x408 [0168.817] GetConsoleMode (in: hConsoleHandle=0x408, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0168.818] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65565d76, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x88d0)) returned 1 [0168.818] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0168.818] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0168.818] ReadFile (in: hFile=0x408, lpBuffer=0x12b50000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b50000*, lpNumberOfBytesRead=0x12a67d1c*=0x88d0, lpOverlapped=0x0) returned 1 [0168.825] GetFileType (hFile=0x408) returned 0x1 [0168.825] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.825] WriteFile (in: hFile=0x408, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x88d0, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12a67d00*=0x88d0, lpOverlapped=0x12a67d0c) returned 1 [0168.826] GetFileType (hFile=0x408) returned 0x1 [0168.826] SetFilePointerEx (in: hFile=0x408, liDistanceToMove=0x88d0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0168.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0168.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0168.827] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0168.827] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914560 | out: pbBuffer=0x12914560) returned 1 [0168.827] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0168.828] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0168.828] WriteFile (in: hFile=0x3c4, lpBuffer=0x12af4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12af4000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0168.828] CloseHandle (hObject=0x3c4) returned 1 [0168.837] CloseHandle (hObject=0x408) returned 1 [0168.839] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914578 | out: pbBuffer=0x12914578) returned 1 [0168.839] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[073B89FE46C8BA00]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[073b89fe46c8ba00]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.094] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0169.103] SetEvent (hEvent=0xfc) returned 1 [0169.103] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64muiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0169.103] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0169.103] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64muiset.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f706a3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82f706a3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65595fb2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa)) returned 1 [0169.103] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844020 | out: pbBuffer=0x12844020) returned 1 [0169.104] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849140 | out: pbBuffer=0x12849140) returned 1 [0169.117] ReadFile (in: hFile=0x41c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a67d1c*=0x7fa, lpOverlapped=0x0) returned 1 [0169.151] GetFileType (hFile=0x41c) returned 0x1 [0169.151] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.151] WriteFile (in: hFile=0x41c, lpBuffer=0x12a5e000*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12a5e000*, lpNumberOfBytesWritten=0x12a67d00*=0x7fa, lpOverlapped=0x12a67d0c) returned 1 [0169.151] GetFileType (hFile=0x41c) returned 0x1 [0169.152] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x7fa, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0169.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0169.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0169.153] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128491f8 | out: pbBuffer=0x128491f8) returned 1 [0169.153] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64muiset.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.153] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0169.153] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.153] CloseHandle (hObject=0x42c) returned 1 [0169.174] CloseHandle (hObject=0x41c) returned 1 [0169.182] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849240 | out: pbBuffer=0x12849240) returned 1 [0169.182] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64muiset.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[07E87E6189D6760D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[07e87e6189d6760d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.327] SetEvent (hEvent=0x3f8) returned 1 [0169.327] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0169.328] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0169.328] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d5e483, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d5e483, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6577f134, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4a1a)) returned 1 [0169.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0169.328] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849d10 | out: pbBuffer=0x12849d10) returned 1 [0169.328] ReadFile (in: hFile=0x41c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12a67d1c*=0x4a1a, lpOverlapped=0x0) returned 1 [0169.333] GetFileType (hFile=0x41c) returned 0x1 [0169.333] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.334] WriteFile (in: hFile=0x41c, lpBuffer=0x12c16000*, nNumberOfBytesToWrite=0x4a1a, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12c16000*, lpNumberOfBytesWritten=0x12a67d00*=0x4a1a, lpOverlapped=0x12a67d0c) returned 1 [0169.334] GetFileType (hFile=0x41c) returned 0x1 [0169.334] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x4a1a, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.334] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0169.334] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0169.334] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0169.334] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849e18 | out: pbBuffer=0x12849e18) returned 1 [0169.334] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.335] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0169.335] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e500*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.335] CloseHandle (hObject=0x42c) returned 1 [0169.342] CloseHandle (hObject=0x41c) returned 1 [0169.344] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849e50 | out: pbBuffer=0x12849e50) returned 1 [0169.345] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[B8A133BCB2B298C2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[b8a133bcb2b298c2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.547] SetEvent (hEvent=0x3f8) returned 1 [0169.547] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0169.548] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0169.548] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6584ce48, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x684e)) returned 1 [0169.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0169.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128489a0 | out: pbBuffer=0x128489a0) returned 1 [0169.549] ReadFile (in: hFile=0x41c, lpBuffer=0x12a16000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a16000*, lpNumberOfBytesRead=0x12a67d1c*=0x684e, lpOverlapped=0x0) returned 1 [0169.565] GetFileType (hFile=0x41c) returned 0x1 [0169.565] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.565] WriteFile (in: hFile=0x41c, lpBuffer=0x12a36000*, nNumberOfBytesToWrite=0x684e, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12a36000*, lpNumberOfBytesWritten=0x12a67d00*=0x684e, lpOverlapped=0x12a67d0c) returned 1 [0169.565] GetFileType (hFile=0x41c) returned 0x1 [0169.565] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x684e, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0169.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0169.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0169.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848a78 | out: pbBuffer=0x12848a78) returned 1 [0169.566] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.567] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0169.567] WriteFile (in: hFile=0x42c, lpBuffer=0x12a4c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a4c000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.567] CloseHandle (hObject=0x42c) returned 1 [0169.572] CloseHandle (hObject=0x41c) returned 1 [0169.577] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848aa0 | out: pbBuffer=0x12848aa0) returned 1 [0169.578] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[493282023081651A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[493282023081651a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0169.836] SetEvent (hEvent=0x3f8) returned 1 [0169.836] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0169.836] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0169.836] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8297548b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8297548b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6608ac43, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1301e)) returned 1 [0169.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e8e0 | out: pbBuffer=0x1280e8e0) returned 1 [0169.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848de8 | out: pbBuffer=0x12848de8) returned 1 [0169.837] ReadFile (in: hFile=0x41c, lpBuffer=0x12ce8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce8000*, lpNumberOfBytesRead=0x12a67d1c*=0x1301e, lpOverlapped=0x0) returned 1 [0169.843] GetFileType (hFile=0x41c) returned 0x1 [0169.843] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.843] WriteFile (in: hFile=0x41c, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0x1301e, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x12a67d00*=0x1301e, lpOverlapped=0x12a67d0c) returned 1 [0169.844] GetFileType (hFile=0x41c) returned 0x1 [0169.844] SetFilePointerEx (in: hFile=0x41c, liDistanceToMove=0x1301e, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0169.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b81 | out: pbBuffer=0x12801b81) returned 1 [0169.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801c81 | out: pbBuffer=0x12801c81) returned 1 [0169.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801d81 | out: pbBuffer=0x12801d81) returned 1 [0169.845] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848f30 | out: pbBuffer=0x12848f30) returned 1 [0169.845] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0169.845] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0169.845] WriteFile (in: hFile=0x42c, lpBuffer=0x12a4cf00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a4cf00*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0169.845] CloseHandle (hObject=0x42c) returned 1 [0169.851] CloseHandle (hObject=0x41c) returned 1 [0169.857] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848f68 | out: pbBuffer=0x12848f68) returned 1 [0169.857] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[CD5611B6423A2B94]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[cd5611b6423a2b94]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0170.314] SetEvent (hEvent=0x110) returned 1 [0170.314] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0170.387] SetEvent (hEvent=0x40c) returned 1 [0170.387] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0170.388] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0170.388] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5088032e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5088032e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9a627e13, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1b826)) returned 1 [0170.388] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0170.388] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0170.388] ReadFile (in: hFile=0x42c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a67d1c*=0x1b826, lpOverlapped=0x0) returned 1 [0170.398] GetFileType (hFile=0x42c) returned 0x1 [0170.399] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.399] WriteFile (in: hFile=0x42c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x1b826, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a67d00*=0x1b826, lpOverlapped=0x12a67d0c) returned 1 [0170.399] GetFileType (hFile=0x42c) returned 0x1 [0170.399] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x1b826, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0170.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0170.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0170.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0170.400] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0170.401] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x41c [0170.401] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0170.401] WriteFile (in: hFile=0x41c, lpBuffer=0x12b42000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b42000*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0170.401] CloseHandle (hObject=0x41c) returned 1 [0170.417] CloseHandle (hObject=0x42c) returned 1 [0170.420] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0170.420] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man"), lpNewFileName="C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\#_THIS_FILE_IS_ENCRYPTED_[AD7687541F5C3F6C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\#_this_file_is_encrypted_[ad7687541f5c3f6c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0170.720] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0171.918] SetEvent (hEvent=0x10c) returned 1 [0172.001] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0172.001] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml\\*", lpFindFileData=0x12925a44 | out: lpFindFileData=0x12925a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0172.042] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0172.969] SetEvent (hEvent=0x10c) returned 1 [0172.978] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0173.236] SetEvent (hEvent=0x10c) returned 1 [0173.236] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.236] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json\\*", lpFindFileData=0x12829a44 | out: lpFindFileData=0x12829a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0173.236] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.237] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json\\*", lpFindFileData=0x12829a44 | out: lpFindFileData=0x12829a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0173.237] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x598)) returned 1 [0173.237] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.237] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.237] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0173.238] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.238] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36f2be13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x36f2be13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoLogger", cAlternateFileName="AUTOLO~1")) returned 1 [0173.238] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 1 [0173.238] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.238] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0173.238] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.238] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.238] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0173.240] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0173.240] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0173.241] CloseHandle (hObject=0x1a0) returned 1 [0173.242] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc088dfed, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0173.242] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0173.242] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc088dfed, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0173.242] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc088dfed, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0173.242] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xc088dfed, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xe459164d, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1 [0173.242] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0173.243] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0173.243] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0173.243] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0173.243] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0173.244] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0173.244] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0173.245] CloseHandle (hObject=0x1a0) returned 1 [0173.246] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xc088dfed, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xe459164d, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x20000)) returned 1 [0173.246] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0173.246] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0173.246] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x598)) returned 1 [0173.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0173.247] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a370 | out: pbBuffer=0x12a9a370) returned 1 [0173.247] ReadFile (in: hFile=0x1a0, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12829d1c*=0x598, lpOverlapped=0x0) returned 1 [0173.651] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0173.776] GetFileType (hFile=0x1a0) returned 0x1 [0173.776] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0173.776] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a94000*, nNumberOfBytesToWrite=0x598, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a94000*, lpNumberOfBytesWritten=0x12829d00*=0x598, lpOverlapped=0x12829d0c) returned 1 [0173.777] GetFileType (hFile=0x1a0) returned 0x1 [0173.777] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x598, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0173.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0173.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0173.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0174.112] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810b78 | out: pbBuffer=0x12810b78) returned 1 [0174.113] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0174.113] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0174.113] WriteFile (in: hFile=0x15c, lpBuffer=0x1285c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x1285c000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.113] CloseHandle (hObject=0x15c) returned 1 [0174.115] CloseHandle (hObject=0x1a0) returned 1 [0174.115] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b90 | out: pbBuffer=0x12810b90) returned 1 [0174.115] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), lpNewFileName="C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\#_THIS_FILE_IS_ENCRYPTED_[4CB1EBA1218D1D66]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\#_this_file_is_encrypted_[4cb1eba1218d1d66]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.116] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0174.222] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0174.222] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat\\*", lpFindFileData=0x12923a44 | out: lpFindFileData=0x12923a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0174.222] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0174.543] SetEvent (hEvent=0x40c) returned 1 [0174.543] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0174.549] SetEvent (hEvent=0x40c) returned 1 [0174.549] SetEvent (hEvent=0x10c) returned 1 [0174.549] SetEvent (hEvent=0x3f8) returned 1 [0174.549] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0174.573] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0174.573] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0174.573] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12921ad0 | out: lpFileInformation=0x12921ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f6b62d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f6b62d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f6b62d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe90)) returned 1 [0174.574] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0174.574] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0174.574] ReadFile (in: hFile=0x428, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12921d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12921d1c*=0xe90, lpOverlapped=0x0) returned 1 [0174.595] GetFileType (hFile=0x428) returned 0x1 [0174.595] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.595] WriteFile (in: hFile=0x428, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x12921d00, lpOverlapped=0x12921d0c | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12921d00*=0xe90, lpOverlapped=0x12921d0c) returned 1 [0174.595] GetFileType (hFile=0x428) returned 0x1 [0174.595] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xe90, lpNewFilePointer=0x0, dwMoveMethod=0x12921ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0174.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0174.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0174.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0174.596] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0174.596] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12921d0c | out: lpMode=0x12921d0c) returned 0 [0174.596] WriteFile (in: hFile=0x438, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12921d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12921d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.597] CloseHandle (hObject=0x438) returned 1 [0174.598] CloseHandle (hObject=0x428) returned 1 [0174.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0174.598] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\#_THIS_FILE_IS_ENCRYPTED_[FD6C7F90C9B244CD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\#_this_file_is_encrypted_[fd6c7f90c9b244cd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.600] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0174.656] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0174.657] GetConsoleMode (in: hConsoleHandle=0x440, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.657] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa10504bd, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa10504bd, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa10504bd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x4ef)) returned 1 [0174.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128444e0 | out: pbBuffer=0x128444e0) returned 1 [0174.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101d8 | out: pbBuffer=0x128101d8) returned 1 [0174.657] ReadFile (in: hFile=0x440, lpBuffer=0x12bb0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bb0000*, lpNumberOfBytesRead=0x12927d1c*=0x4ef, lpOverlapped=0x0) returned 1 [0174.660] GetFileType (hFile=0x440) returned 0x1 [0174.660] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.660] WriteFile (in: hFile=0x440, lpBuffer=0x12c22500*, nNumberOfBytesToWrite=0x4ef, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12c22500*, lpNumberOfBytesWritten=0x12927d00*=0x4ef, lpOverlapped=0x12927d0c) returned 1 [0174.660] GetFileType (hFile=0x440) returned 0x1 [0174.660] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x4ef, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.660] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0174.665] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0174.665] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0174.665] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102a0 | out: pbBuffer=0x128102a0) returned 1 [0174.666] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0174.666] GetConsoleMode (in: hConsoleHandle=0x444, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.666] WriteFile (in: hFile=0x444, lpBuffer=0x12c22a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22a00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.666] CloseHandle (hObject=0x444) returned 1 [0174.668] CloseHandle (hObject=0x440) returned 1 [0174.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102b8 | out: pbBuffer=0x128102b8) returned 1 [0174.669] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\#_THIS_FILE_IS_ENCRYPTED_[98DC63BA1E5E8365]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\#_this_file_is_encrypted_[98dc63ba1e5e8365]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.670] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0174.708] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0174.709] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.709] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1430407, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1430407, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1430407, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0174.709] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844a60 | out: pbBuffer=0x12844a60) returned 1 [0174.709] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810300 | out: pbBuffer=0x12810300) returned 1 [0174.709] ReadFile (in: hFile=0x43c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12927d1c*=0x10f, lpOverlapped=0x0) returned 1 [0174.711] GetFileType (hFile=0x43c) returned 0x1 [0174.711] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.711] WriteFile (in: hFile=0x43c, lpBuffer=0x12b05b00*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12b05b00*, lpNumberOfBytesWritten=0x12927d00*=0x10f, lpOverlapped=0x12927d0c) returned 1 [0174.711] GetFileType (hFile=0x43c) returned 0x1 [0174.711] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0174.711] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0174.712] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0174.712] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128103b8 | out: pbBuffer=0x128103b8) returned 1 [0174.712] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0174.712] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.712] WriteFile (in: hFile=0x15c, lpBuffer=0x12c22f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c22f00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.849] CloseHandle (hObject=0x15c) returned 1 [0174.850] CloseHandle (hObject=0x43c) returned 1 [0174.850] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103d0 | out: pbBuffer=0x128103d0) returned 1 [0174.851] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\#_THIS_FILE_IS_ENCRYPTED_[8B796C224B1B65BD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\#_this_file_is_encrypted_[8b796c224b1b65bd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0174.852] SetEvent (hEvent=0x3f8) returned 1 [0174.852] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0174.853] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.853] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1397a49, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1397a49, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13bdcbd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd)) returned 1 [0174.853] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844ea0 | out: pbBuffer=0x12844ea0) returned 1 [0174.853] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810418 | out: pbBuffer=0x12810418) returned 1 [0174.853] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0174.859] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0174.859] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0174.860] SetEvent (hEvent=0x110) returned 1 [0174.860] SetEvent (hEvent=0x3f8) returned 1 [0174.860] ReadFile (in: hFile=0x43c, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12927d1c*=0xcdd, lpOverlapped=0x0) returned 1 [0174.968] GetFileType (hFile=0x43c) returned 0x1 [0174.969] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.969] WriteFile (in: hFile=0x43c, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0xcdd, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x12927d00*=0xcdd, lpOverlapped=0x12927d0c) returned 1 [0174.969] GetFileType (hFile=0x43c) returned 0x1 [0174.969] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xcdd, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0174.969] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0174.971] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0174.971] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0174.971] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848380 | out: pbBuffer=0x12848380) returned 1 [0174.971] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0174.972] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0174.972] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0174.972] CloseHandle (hObject=0x1a0) returned 1 [0174.974] CloseHandle (hObject=0x43c) returned 1 [0174.974] SwitchToThread () returned 1 [0175.022] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848398 | out: pbBuffer=0x12848398) returned 1 [0175.022] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[99E8F5D402F1218C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\#_this_file_is_encrypted_[99e8f5d402f1218c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.290] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0175.291] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0175.291] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905)) returned 1 [0175.291] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0175.291] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848430 | out: pbBuffer=0x12848430) returned 1 [0175.291] ReadFile (in: hFile=0x428, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12927d1c*=0x905, lpOverlapped=0x0) returned 1 [0175.303] GetFileType (hFile=0x428) returned 0x1 [0175.303] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.303] WriteFile (in: hFile=0x428, lpBuffer=0x12a74a80*, nNumberOfBytesToWrite=0x905, lpNumberOfBytesWritten=0x12927d00, lpOverlapped=0x12927d0c | out: lpBuffer=0x12a74a80*, lpNumberOfBytesWritten=0x12927d00*=0x905, lpOverlapped=0x12927d0c) returned 1 [0175.304] GetFileType (hFile=0x428) returned 0x1 [0175.304] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x905, lpNewFilePointer=0x0, dwMoveMethod=0x12927ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0175.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0175.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0175.304] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848508 | out: pbBuffer=0x12848508) returned 1 [0175.304] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0175.305] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0175.305] WriteFile (in: hFile=0x43c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12927d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12927d0c*=0x276, lpOverlapped=0x0) returned 1 [0175.305] CloseHandle (hObject=0x43c) returned 1 [0175.308] CloseHandle (hObject=0x428) returned 1 [0175.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848520 | out: pbBuffer=0x12848520) returned 1 [0175.317] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\power_2.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[1CAAEF61E7CA162B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\#_this_file_is_encrypted_[1caaef61e7ca162b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0175.319] SetEvent (hEvent=0x40c) returned 1 [0175.319] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0175.319] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12927d0c | out: lpMode=0x12927d0c) returned 0 [0175.319] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), fInfoLevelId=0x0, lpFileInformation=0x12927ad0 | out: lpFileInformation=0x12927ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2363c60, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2363c60, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2389ec8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1988)) returned 1 [0175.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98420 | out: pbBuffer=0x12a98420) returned 1 [0175.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848568 | out: pbBuffer=0x12848568) returned 1 [0175.319] ReadFile (in: hFile=0x428, lpBuffer=0x12b8c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12927d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8c000*, lpNumberOfBytesRead=0x12927d1c*=0x1988, lpOverlapped=0x0) returned 1 [0175.331] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0175.424] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0175.919] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0175.919] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0175.919] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa198dbb0, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa198dbb0, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19b3e1c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xfcb)) returned 1 [0175.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928540 | out: pbBuffer=0x12928540) returned 1 [0175.919] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914868 | out: pbBuffer=0x12914868) returned 1 [0175.920] ReadFile (in: hFile=0x438, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a67d1c*=0xfcb, lpOverlapped=0x0) returned 1 [0175.988] GetFileType (hFile=0x438) returned 0x1 [0175.988] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0175.988] WriteFile (in: hFile=0x438, lpBuffer=0x12b05000*, nNumberOfBytesToWrite=0xfcb, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12b05000*, lpNumberOfBytesWritten=0x12a67d00*=0xfcb, lpOverlapped=0x12a67d0c) returned 1 [0175.988] GetFileType (hFile=0x438) returned 0x1 [0175.988] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfcb, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.010] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0176.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0176.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab01 | out: pbBuffer=0x1286ab01) returned 1 [0176.038] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129149b0 | out: pbBuffer=0x129149b0) returned 1 [0176.038] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0176.039] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0176.039] WriteFile (in: hFile=0x42c, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0176.039] CloseHandle (hObject=0x42c) returned 1 [0176.155] CloseHandle (hObject=0x438) returned 1 [0176.227] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0176.329] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129149c8 | out: pbBuffer=0x129149c8) returned 1 [0176.330] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[FCF4DF08E12D922B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\#_this_file_is_encrypted_[fcf4df08e12d922b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0176.331] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0176.491] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0176.492] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0176.492] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a63ad0 | out: lpFileInformation=0x12a63ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b)) returned 1 [0176.492] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928760 | out: pbBuffer=0x12928760) returned 1 [0176.492] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914a50 | out: pbBuffer=0x12914a50) returned 1 [0176.493] ReadFile (in: hFile=0x438, lpBuffer=0x12ca6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a63d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ca6000*, lpNumberOfBytesRead=0x12a63d1c*=0x21b, lpOverlapped=0x0) returned 1 [0176.495] GetFileType (hFile=0x438) returned 0x1 [0176.495] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.495] WriteFile (in: hFile=0x438, lpBuffer=0x12a8c240*, nNumberOfBytesToWrite=0x21b, lpNumberOfBytesWritten=0x12a63d00, lpOverlapped=0x12a63d0c | out: lpBuffer=0x12a8c240*, lpNumberOfBytesWritten=0x12a63d00*=0x21b, lpOverlapped=0x12a63d0c) returned 1 [0176.495] GetFileType (hFile=0x438) returned 0x1 [0176.495] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x21b, lpNewFilePointer=0x0, dwMoveMethod=0x12a63ce4 | out: lpNewFilePointer=0x0) returned 1 [0176.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0176.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0176.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0176.496] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914b28 | out: pbBuffer=0x12914b28) returned 1 [0176.496] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0176.497] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a63d0c | out: lpMode=0x12a63d0c) returned 0 [0176.497] WriteFile (in: hFile=0x42c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a63d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a63d0c*=0x276, lpOverlapped=0x0) returned 1 [0176.764] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0177.275] CloseHandle (hObject=0x42c) returned 1 [0177.433] CloseHandle (hObject=0x438) returned 1 [0177.433] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129141d8 | out: pbBuffer=0x129141d8) returned 1 [0177.759] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\#_THIS_FILE_IS_ENCRYPTED_[2037D4335D0F46D7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\#_this_file_is_encrypted_[2037d4335d0f46d7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0177.770] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0178.726] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0178.726] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c88c62, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c88c62, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1cac, dwReserved0=0x0, dwReserved1=0x0, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0178.727] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0178.727] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prov", cAlternateFileName="")) returned 1 [0178.727] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0178.727] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0179.044] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0179.045] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0179.853] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0180.110] SetEvent (hEvent=0x3cc) returned 1 [0180.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0180.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0180.186] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914620 | out: pbBuffer=0x12914620) returned 1 [0180.186] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0180.186] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0180.186] WriteFile (in: hFile=0x428, lpBuffer=0x12852000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12852000*, lpNumberOfBytesWritten=0x12a61d0c*=0x276, lpOverlapped=0x0) returned 1 [0180.456] CloseHandle (hObject=0x428) returned 1 [0180.458] CloseHandle (hObject=0x15c) returned 1 [0180.458] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914688 | out: pbBuffer=0x12914688) returned 1 [0180.458] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\#_THIS_FILE_IS_ENCRYPTED_[7206C490C3357C59]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\#_this_file_is_encrypted_[7206c490c3357c59]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0180.532] SetEvent (hEvent=0x3f4) returned 1 [0180.532] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0180.533] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0180.533] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a61ad0 | out: lpFileInformation=0x12a61ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa134b56b, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa134b56b, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f)) returned 1 [0180.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98340 | out: pbBuffer=0x12a98340) returned 1 [0180.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848568 | out: pbBuffer=0x12848568) returned 1 [0180.543] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0180.547] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0180.575] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0180.575] SetEvent (hEvent=0x110) returned 1 [0180.576] SetEvent (hEvent=0x3f4) returned 1 [0180.586] ReadFile (in: hFile=0x15c, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a61d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12a61d1c*=0x10f, lpOverlapped=0x0) returned 1 [0180.588] GetFileType (hFile=0x15c) returned 0x1 [0180.588] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0180.589] WriteFile (in: hFile=0x15c, lpBuffer=0x129777a0*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x12a61d00, lpOverlapped=0x12a61d0c | out: lpBuffer=0x129777a0*, lpNumberOfBytesWritten=0x12a61d00*=0x10f, lpOverlapped=0x12a61d0c) returned 1 [0180.589] GetFileType (hFile=0x15c) returned 0x1 [0180.589] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x10f, lpNewFilePointer=0x0, dwMoveMethod=0x12a61ce4 | out: lpNewFilePointer=0x0) returned 1 [0180.589] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0180.589] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0180.589] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0180.590] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848680 | out: pbBuffer=0x12848680) returned 1 [0180.590] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0180.590] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a61d0c | out: lpMode=0x12a61d0c) returned 0 [0180.590] WriteFile (in: hFile=0x428, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a61d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a61d0c*=0x276, lpOverlapped=0x0) returned 1 [0180.595] CloseHandle (hObject=0x428) returned 1 [0180.596] CloseHandle (hObject=0x15c) returned 1 [0180.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128486a8 | out: pbBuffer=0x128486a8) returned 1 [0180.597] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\#_THIS_FILE_IS_ENCRYPTED_[169B3B8CF2A64C5A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\#_this_file_is_encrypted_[169b3b8cf2a64c5a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0180.600] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0180.610] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0180.610] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0180.613] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0180.624] SetEvent (hEvent=0x1d0) returned 1 [0180.624] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0180.627] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0180.960] SetEvent (hEvent=0xf4) returned 1 [0180.985] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0180.986] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0180.986] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12d8e21, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12d8e21, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa12ff08c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71a)) returned 1 [0180.986] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0180.986] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0180.987] ReadFile (in: hFile=0x43c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a65d1c*=0x71a, lpOverlapped=0x0) returned 1 [0181.034] GetFileType (hFile=0x43c) returned 0x1 [0181.034] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.034] WriteFile (in: hFile=0x43c, lpBuffer=0x12a78000*, nNumberOfBytesToWrite=0x71a, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12a78000*, lpNumberOfBytesWritten=0x12a65d00*=0x71a, lpOverlapped=0x12a65d0c) returned 1 [0181.034] GetFileType (hFile=0x43c) returned 0x1 [0181.034] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x71a, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0181.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0181.034] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0181.035] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0181.035] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914560 | out: pbBuffer=0x12914560) returned 1 [0181.035] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0181.036] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0181.036] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0181.036] CloseHandle (hObject=0x1a0) returned 1 [0181.038] CloseHandle (hObject=0x43c) returned 1 [0181.038] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914578 | out: pbBuffer=0x12914578) returned 1 [0181.038] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\power_0.provxml"), lpNewFileName="C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\#_THIS_FILE_IS_ENCRYPTED_[C3575DF87FB9EC7F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\#_this_file_is_encrypted_[c3575df87fb9ec7f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0181.040] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0181.127] SetEvent (hEvent=0xf4) returned 1 [0181.127] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0181.137] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0181.182] SetEvent (hEvent=0x1d0) returned 1 [0181.182] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0181.190] SetEvent (hEvent=0x3f8) returned 1 [0181.190] SetEvent (hEvent=0xfc) returned 1 [0181.190] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0181.202] SetEvent (hEvent=0x1d0) returned 1 [0181.202] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0182.410] SetEvent (hEvent=0xf4) returned 1 [0182.410] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0182.417] SetEvent (hEvent=0xf4) returned 1 [0182.417] SetEvent (hEvent=0x3f8) returned 1 [0182.417] SwitchToThread () returned 1 [0182.418] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0182.604] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0182.678] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x106)) returned 1 [0182.679] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0182.731] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0183.266] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0183.669] SetEvent (hEvent=0x3f8) returned 1 [0183.669] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0183.960] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0183.961] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0183.983] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0183.983] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x9d5870d9, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0183.983] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x34a1fdf0, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0183.983] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0183.983] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0183.984] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0183.984] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0183.984] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0184.024] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0184.024] WriteFile (in: hFile=0x428, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0184.026] CloseHandle (hObject=0x428) returned 1 [0184.027] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x9d5870d9, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272)) returned 1 [0184.041] SetEvent (hEvent=0x420) returned 1 [0184.042] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x34a1fdf0, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f428)) returned 1 [0184.053] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0184.070] SetEvent (hEvent=0xfc) returned 1 [0184.071] SetEvent (hEvent=0x1d0) returned 1 [0184.071] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0184.075] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0184.076] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0184.076] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0184.076] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0184.076] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0184.076] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0184.077] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0184.077] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0184.077] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0184.078] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0184.078] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d66000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12d66000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0184.079] CloseHandle (hObject=0x3c4) returned 1 [0184.080] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0184.080] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0184.080] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x1282ba30 | out: lpFindFileData=0x1282ba30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0184.081] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0184.081] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x45016665, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x45016665, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0184.081] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x1282ba74 | out: lpFindFileData=0x1282ba74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0184.081] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0184.081] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b6f8 | out: lpFileInformation=0x1282b6f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0184.081] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0184.081] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0184.082] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b908 | out: lpMode=0x1282b908) returned 0 [0184.082] WriteFile (in: hFile=0x3c4, lpBuffer=0x12d67300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b908, lpOverlapped=0x0 | out: lpBuffer=0x12d67300*, lpNumberOfBytesWritten=0x1282b908*=0x118a, lpOverlapped=0x0) returned 1 [0184.084] CloseHandle (hObject=0x3c4) returned 1 [0184.085] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x45016665, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x45016665, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0184.085] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0184.085] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x45016665, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x45016665, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0184.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x45016665, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x45016665, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0184.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18637300, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x18637300, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0x18637300, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0184.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb35c4d00, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb35c4d00, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb35c4d00, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0184.085] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0184.085] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0184.086] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0184.086] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0184.086] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0184.096] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0184.096] WriteFile (in: hFile=0x428, lpBuffer=0x12d68600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12d68600*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0184.098] CloseHandle (hObject=0x428) returned 1 [0184.098] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18637300, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x18637300, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0x18637300, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x588124)) returned 1 [0184.099] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb35c4d00, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb35c4d00, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb35c4d00, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000)) returned 1 [0184.114] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c893534, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0184.114] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0184.115] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c893534, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0184.115] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c893534, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0184.115] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c893534, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa7a1fb75, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0184.115] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c86d4cb, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4ae0cc20, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0184.115] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0184.115] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0184.115] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0184.116] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0184.116] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0184.203] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0184.203] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0184.205] CloseHandle (hObject=0x3c4) returned 1 [0184.205] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c893534, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa7a1fb75, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e)) returned 1 [0184.219] SetEvent (hEvent=0x420) returned 1 [0184.219] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c86d4cb, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4ae0cc20, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x710a8)) returned 1 [0184.250] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x64df9047, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0184.360] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0184.360] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x64df9047, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0184.360] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x64df9047, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0184.360] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaba9e611, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0184.360] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x625ed0ab, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e2e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0184.360] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0184.360] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0184.361] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0184.361] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0184.361] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\# SATAN CRYPTOR #.hta" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0185.134] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0185.154] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0185.155] CloseHandle (hObject=0x1a0) returned 1 [0185.327] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\vc_redist.x86.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x625ed0ab, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e2e8)) returned 1 [0185.638] SetEvent (hEvent=0xfc) returned 1 [0185.734] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\vc_redist.x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0185.735] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0185.735] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\vc_redist.x86.exe"), fInfoLevelId=0x0, lpFileInformation=0x12d31ad0 | out: lpFileInformation=0x12d31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x625ed0ab, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e2e8)) returned 1 [0185.735] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845320 | out: pbBuffer=0x12845320) returned 1 [0185.735] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849450 | out: pbBuffer=0x12849450) returned 1 [0185.736] ReadFile (in: hFile=0x1a0, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x12d31d1c*=0x20000, lpOverlapped=0x0) returned 1 [0185.841] GetFileType (hFile=0x1a0) returned 0x1 [0185.842] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0185.842] WriteFile (in: hFile=0x1a0, lpBuffer=0x12bc8000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d31d00, lpOverlapped=0x12d31d0c | out: lpBuffer=0x12bc8000*, lpNumberOfBytesWritten=0x12d31d00*=0x20000, lpOverlapped=0x12d31d0c) returned 1 [0185.842] GetFileType (hFile=0x1a0) returned 0x1 [0185.842] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0186.392] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0186.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0186.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0186.735] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0f8 | out: pbBuffer=0x12a9a0f8) returned 1 [0186.750] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\vc_redist.x64.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0186.751] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0186.751] WriteFile (in: hFile=0x438, lpBuffer=0x12a60000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a60000*, lpNumberOfBytesWritten=0x12d35d0c*=0x276, lpOverlapped=0x0) returned 1 [0186.817] CloseHandle (hObject=0x438) returned 1 [0186.967] CloseHandle (hObject=0x42c) returned 1 [0186.968] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810030 | out: pbBuffer=0x12810030) returned 1 [0186.968] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\vc_redist.x64.exe"), lpNewFileName="C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\#_THIS_FILE_IS_ENCRYPTED_[0F5C0977847B635D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\#_this_file_is_encrypted_[0f5c0977847b635d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0186.970] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.323] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.387] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.445] SetEvent (hEvent=0x420) returned 1 [0187.445] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.446] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12b17d0c | out: lpMode=0x12b17d0c) returned 0 [0187.446] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x12b17ad0 | out: lpFileInformation=0x12b17ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000)) returned 1 [0187.446] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eae0 | out: pbBuffer=0x1280eae0) returned 1 [0187.446] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a838 | out: pbBuffer=0x12a9a838) returned 1 [0187.446] ReadFile (in: hFile=0x428, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b17d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12b17d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.522] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0187.522] SetEvent (hEvent=0x420) returned 1 [0187.523] GetFileType (hFile=0x428) returned 0x1 [0187.523] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b17ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.523] WriteFile (in: hFile=0x428, lpBuffer=0x129b6000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12b17d00, lpOverlapped=0x12b17d0c | out: lpBuffer=0x129b6000*, lpNumberOfBytesWritten=0x12b17d00*=0x20000, lpOverlapped=0x12b17d0c) returned 1 [0187.524] GetFileType (hFile=0x428) returned 0x1 [0187.525] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12b17ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0187.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0187.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0187.526] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a8f0 | out: pbBuffer=0x12a9a8f0) returned 1 [0187.526] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.527] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12b17d0c | out: lpMode=0x12b17d0c) returned 0 [0187.527] WriteFile (in: hFile=0x43c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b17d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12b17d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.528] CloseHandle (hObject=0x43c) returned 1 [0187.528] CloseHandle (hObject=0x428) returned 1 [0187.528] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a908 | out: pbBuffer=0x12a9a908) returned 1 [0187.528] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\#_THIS_FILE_IS_ENCRYPTED_[7EB44C5D2B162ACE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\#_this_file_is_encrypted_[7eb44c5d2b162ace]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.531] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0187.577] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.578] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0187.578] SetEvent (hEvent=0x420) returned 1 [0187.578] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0187.645] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.646] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0187.646] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0187.646] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d31ad0 | out: lpFileInformation=0x12d31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa960e00, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xfa960e00, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xfa960e00, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418)) returned 1 [0187.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0187.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0187.647] ReadFile (in: hFile=0x428, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12d31d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.663] GetFileType (hFile=0x428) returned 0x1 [0187.663] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.663] WriteFile (in: hFile=0x428, lpBuffer=0x12d38000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d31d00, lpOverlapped=0x12d31d0c | out: lpBuffer=0x12d38000*, lpNumberOfBytesWritten=0x12d31d00*=0x20000, lpOverlapped=0x12d31d0c) returned 1 [0187.667] GetFileType (hFile=0x428) returned 0x1 [0187.667] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d31ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.668] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0187.668] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0187.668] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0187.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914560 | out: pbBuffer=0x12914560) returned 1 [0187.669] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0187.669] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d31d0c | out: lpMode=0x12d31d0c) returned 0 [0187.669] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12d31d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.684] CloseHandle (hObject=0x1a0) returned 1 [0187.684] CloseHandle (hObject=0x428) returned 1 [0187.685] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914578 | out: pbBuffer=0x12914578) returned 1 [0187.685] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\#_THIS_FILE_IS_ENCRYPTED_[6876B37636D01A5F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\#_this_file_is_encrypted_[6876b37636d01a5f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.686] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.705] SetEvent (hEvent=0x3f4) returned 1 [0187.705] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.706] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.706] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf833b400, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xf833b400, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xf833b400, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1)) returned 1 [0187.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0187.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129145c0 | out: pbBuffer=0x129145c0) returned 1 [0187.706] ReadFile (in: hFile=0x43c, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12d37d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.731] GetFileType (hFile=0x43c) returned 0x1 [0187.731] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.731] WriteFile (in: hFile=0x43c, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x12d37d00*=0x20000, lpOverlapped=0x12d37d0c) returned 1 [0187.732] GetFileType (hFile=0x43c) returned 0x1 [0187.732] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.732] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0187.732] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0187.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0187.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914688 | out: pbBuffer=0x12914688) returned 1 [0187.733] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0187.733] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.733] WriteFile (in: hFile=0x1a0, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.783] CloseHandle (hObject=0x1a0) returned 1 [0187.783] CloseHandle (hObject=0x43c) returned 1 [0187.783] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129146a0 | out: pbBuffer=0x129146a0) returned 1 [0187.784] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\#_THIS_FILE_IS_ENCRYPTED_[CC86E4B40B718A3C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\#_this_file_is_encrypted_[cc86e4b40b718a3c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.785] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.807] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.824] SetEvent (hEvent=0x420) returned 1 [0187.824] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.836] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.837] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.837] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbd4500, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0xcbbd4500, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0xcbbd4500, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x2f000)) returned 1 [0187.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928900 | out: pbBuffer=0x12928900) returned 1 [0187.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128108d8 | out: pbBuffer=0x128108d8) returned 1 [0187.837] ReadFile (in: hFile=0x43c, lpBuffer=0x12b70000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b70000*, lpNumberOfBytesRead=0x12d37d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.849] GetFileType (hFile=0x43c) returned 0x1 [0187.849] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.850] WriteFile (in: hFile=0x43c, lpBuffer=0x12bb0000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12bb0000*, lpNumberOfBytesWritten=0x12d37d00*=0x20000, lpOverlapped=0x12d37d0c) returned 1 [0187.850] GetFileType (hFile=0x43c) returned 0x1 [0187.850] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0187.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0187.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0187.851] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129147e0 | out: pbBuffer=0x129147e0) returned 1 [0187.851] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0187.852] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0187.852] WriteFile (in: hFile=0x448, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.852] CloseHandle (hObject=0x448) returned 1 [0187.852] CloseHandle (hObject=0x43c) returned 1 [0187.853] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914808 | out: pbBuffer=0x12914808) returned 1 [0187.853] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\#_THIS_FILE_IS_ENCRYPTED_[F077FE0B53DAF1A0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\#_this_file_is_encrypted_[f077fe0b53daf1a0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.854] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.872] SetEvent (hEvent=0xfc) returned 1 [0187.872] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.873] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0187.873] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf82e000, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xbf82e000, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xbf82e000, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000)) returned 1 [0187.873] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0187.873] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0187.873] ReadFile (in: hFile=0x43c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.902] GetFileType (hFile=0x43c) returned 0x1 [0187.902] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.902] WriteFile (in: hFile=0x43c, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0187.903] GetFileType (hFile=0x43c) returned 0x1 [0187.903] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0187.903] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0187.903] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0187.904] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0187.904] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0187.904] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0187.904] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0187.904] WriteFile (in: hFile=0x42c, lpBuffer=0x12c24000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c24000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0187.905] CloseHandle (hObject=0x42c) returned 1 [0187.905] CloseHandle (hObject=0x43c) returned 1 [0187.905] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0187.905] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\#_THIS_FILE_IS_ENCRYPTED_[244168810307F10F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\#_this_file_is_encrypted_[244168810307f10f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.906] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.919] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.945] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0187.946] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0187.946] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), fInfoLevelId=0x0, lpFileInformation=0x12d5fad0 | out: lpFileInformation=0x12d5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x462e9abd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x71080)) returned 1 [0187.946] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928260 | out: pbBuffer=0x12928260) returned 1 [0187.946] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810170 | out: pbBuffer=0x12810170) returned 1 [0187.946] ReadFile (in: hFile=0x43c, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12d5fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0187.954] GetFileType (hFile=0x43c) returned 0x1 [0187.954] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0187.954] WriteFile (in: hFile=0x43c, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d5fd00, lpOverlapped=0x12d5fd0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x12d5fd00*=0x20000, lpOverlapped=0x12d5fd0c) returned 1 [0187.955] GetFileType (hFile=0x43c) returned 0x1 [0187.955] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0187.955] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0187.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0187.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0187.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810228 | out: pbBuffer=0x12810228) returned 1 [0187.956] CreateFileW (lpFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0187.957] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0187.957] WriteFile (in: hFile=0x42c, lpBuffer=0x12c24500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c24500*, lpNumberOfBytesWritten=0x12d5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0187.977] CloseHandle (hObject=0x42c) returned 1 [0187.977] CloseHandle (hObject=0x43c) returned 1 [0187.977] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0187.978] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), lpNewFileName="C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\#_THIS_FILE_IS_ENCRYPTED_[0670F1AB3BA6F7EF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\#_this_file_is_encrypted_[0670f1ab3ba6f7ef]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0187.979] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0187.996] SetEvent (hEvent=0x3f4) returned 1 [0187.996] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0188.078] SetEvent (hEvent=0x420) returned 1 [0188.078] SetEvent (hEvent=0xfc) returned 1 [0188.078] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0188.143] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0188.152] SetEvent (hEvent=0x420) returned 1 [0188.153] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0188.160] SetEvent (hEvent=0x420) returned 1 [0188.160] SetEvent (hEvent=0x1d0) returned 1 [0188.160] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848000 | out: pbBuffer=0x12848000) returned 1 [0188.160] MoveFileExW (lpExistingFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), lpNewFileName="C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\#_THIS_FILE_IS_ENCRYPTED_[73E4B117FE0A4753]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\#_this_file_is_encrypted_[73e4b117fe0a4753]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.161] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.162] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0188.162] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.001.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d33ad0 | out: lpFileInformation=0x12d33ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe2287c, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0xbae5ed1a, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0188.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0188.162] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848048 | out: pbBuffer=0x12848048) returned 1 [0188.162] ReadFile (in: hFile=0x438, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d33d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12d33d1c*=0x4000, lpOverlapped=0x0) returned 1 [0188.176] GetFileType (hFile=0x438) returned 0x1 [0188.176] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.176] WriteFile (in: hFile=0x438, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12d33d00, lpOverlapped=0x12d33d0c | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12d33d00*=0x4000, lpOverlapped=0x12d33d0c) returned 1 [0188.176] GetFileType (hFile=0x438) returned 0x1 [0188.176] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.176] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834181 | out: pbBuffer=0x12834181) returned 1 [0188.176] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0188.177] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834381 | out: pbBuffer=0x12834381) returned 1 [0188.177] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483d0 | out: pbBuffer=0x128483d0) returned 1 [0188.177] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.001.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.177] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0188.177] WriteFile (in: hFile=0x43c, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d33d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12d33d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.178] CloseHandle (hObject=0x43c) returned 1 [0188.178] CloseHandle (hObject=0x438) returned 1 [0188.178] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483e8 | out: pbBuffer=0x128483e8) returned 1 [0188.178] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.001.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[BC634C0B4B7210D7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[bc634c0b4b7210d7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.220] SetEvent (hEvent=0xfc) returned 1 [0188.220] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0188.221] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0188.221] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d33ad0 | out: lpFileInformation=0x12d33ad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x95f9994e, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x95f9994e, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0188.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928280 | out: pbBuffer=0x12928280) returned 1 [0188.221] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0188.221] ReadFile (in: hFile=0x438, lpBuffer=0x12bb0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d33d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bb0000*, lpNumberOfBytesRead=0x12d33d1c*=0x2000, lpOverlapped=0x0) returned 1 [0188.225] GetFileType (hFile=0x438) returned 0x1 [0188.225] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.225] WriteFile (in: hFile=0x438, lpBuffer=0x12d2e000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12d33d00, lpOverlapped=0x12d33d0c | out: lpBuffer=0x12d2e000*, lpNumberOfBytesWritten=0x12d33d00*=0x2000, lpOverlapped=0x12d33d0c) returned 1 [0188.225] GetFileType (hFile=0x438) returned 0x1 [0188.226] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12d33ce4 | out: lpNewFilePointer=0x0) returned 1 [0188.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0188.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0188.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0188.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e81d8 | out: pbBuffer=0x128e81d8) returned 1 [0188.227] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0188.227] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12d33d0c | out: lpMode=0x12d33d0c) returned 0 [0188.227] WriteFile (in: hFile=0x42c, lpBuffer=0x12c24500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d33d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c24500*, lpNumberOfBytesWritten=0x12d33d0c*=0x276, lpOverlapped=0x0) returned 1 [0188.227] CloseHandle (hObject=0x42c) returned 1 [0188.228] CloseHandle (hObject=0x438) returned 1 [0188.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e81f0 | out: pbBuffer=0x128e81f0) returned 1 [0188.231] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[B746844DB09F5CE9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[b746844db09f5ce9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.451] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.010.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0188.452] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.452] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.010.etl"), fInfoLevelId=0x0, lpFileInformation=0x12d5fad0 | out: lpFileInformation=0x12d5fad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x4e8a793e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8a793e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0188.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0188.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848440 | out: pbBuffer=0x12848440) returned 1 [0188.452] ReadFile (in: hFile=0x448, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x12d5fd1c*=0x1000, lpOverlapped=0x0) returned 1 [0188.461] GetFileType (hFile=0x448) returned 0x1 [0188.461] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.462] WriteFile (in: hFile=0x448, lpBuffer=0x12a50000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x12d5fd00, lpOverlapped=0x12d5fd0c | out: lpBuffer=0x12a50000*, lpNumberOfBytesWritten=0x12d5fd00*=0x1000, lpOverlapped=0x12d5fd0c) returned 1 [0188.462] GetFileType (hFile=0x448) returned 0x1 [0188.462] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0188.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0188.462] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0188.463] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0188.463] SetEvent (hEvent=0x3f8) returned 1 [0188.463] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848518 | out: pbBuffer=0x12848518) returned 1 [0188.463] CreateFileW (lpFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.010.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.463] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.463] WriteFile (in: hFile=0x43c, lpBuffer=0x12a58500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a58500*, lpNumberOfBytesWritten=0x12d5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0188.464] CloseHandle (hObject=0x43c) returned 1 [0188.471] CloseHandle (hObject=0x448) returned 1 [0188.523] SwitchToThread () returned 1 [0188.534] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8000 | out: pbBuffer=0x128e8000) returned 1 [0188.534] MoveFileExW (lpExistingFileName="C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.010.etl"), lpNewFileName="C:\\ProgramData\\USOShared\\Logs\\#_THIS_FILE_IS_ENCRYPTED_[014FB069451FA70F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\usoshared\\logs\\#_this_file_is_encrypted_[014fb069451fa70f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.759] SetEvent (hEvent=0x110) returned 1 [0188.759] SetEvent (hEvent=0xfc) returned 1 [0188.760] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0188.760] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.760] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), fInfoLevelId=0x0, lpFileInformation=0x12d5fad0 | out: lpFileInformation=0x12d5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x556e33d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x430)) returned 1 [0188.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128444c0 | out: pbBuffer=0x128444c0) returned 1 [0188.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8f48 | out: pbBuffer=0x128e8f48) returned 1 [0188.760] ReadFile (in: hFile=0x448, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12d5fd1c*=0x430, lpOverlapped=0x0) returned 1 [0188.767] GetFileType (hFile=0x448) returned 0x1 [0188.767] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.767] WriteFile (in: hFile=0x448, lpBuffer=0x12890d80*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x12d5fd00, lpOverlapped=0x12d5fd0c | out: lpBuffer=0x12890d80*, lpNumberOfBytesWritten=0x12d5fd00*=0x430, lpOverlapped=0x12d5fd0c) returned 1 [0188.771] GetFileType (hFile=0x448) returned 0x1 [0188.771] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x430, lpNewFilePointer=0x0, dwMoveMethod=0x12d5fce4 | out: lpNewFilePointer=0x0) returned 1 [0188.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0188.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0188.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0188.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9000 | out: pbBuffer=0x128e9000) returned 1 [0188.773] CreateFileW (lpFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0188.773] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d5fd0c | out: lpMode=0x12d5fd0c) returned 0 [0188.773] WriteFile (in: hFile=0x43c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12d5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0188.774] CloseHandle (hObject=0x43c) returned 1 [0188.774] CloseHandle (hObject=0x448) returned 1 [0188.774] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9018 | out: pbBuffer=0x128e9018) returned 1 [0188.774] MoveFileExW (lpExistingFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), lpNewFileName="C:\\ProgramData\\regid.1991-06.com.microsoft\\#_THIS_FILE_IS_ENCRYPTED_[E2C0488BB832B61A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\#_this_file_is_encrypted_[e2c0488bb832b61a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0188.877] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0188.896] SetEvent (hEvent=0xfc) returned 1 [0188.896] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data" (normalized: "c:\\users\\default\\appdata\\local\\application data"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.896] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0188.896] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\History" (normalized: "c:\\users\\default\\appdata\\local\\history"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0188.897] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\*", lpFindFileData=0x12d5fa44 | out: lpFindFileData=0x12d5fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0188.897] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0188.937] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0189.070] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data" (normalized: "c:\\users\\default\\application data"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.070] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x12d37a44 | out: lpFindFileData=0x12d37a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.071] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies" (normalized: "c:\\users\\default\\cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.071] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x12d5fa44 | out: lpFindFileData=0x12d5fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.071] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0189.149] SetEvent (hEvent=0xfc) returned 1 [0189.149] SetEvent (hEvent=0x3f4) returned 1 [0189.149] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0189.163] SetEvent (hEvent=0x420) returned 1 [0189.163] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0189.165] SetEvent (hEvent=0x420) returned 1 [0189.165] SetEvent (hEvent=0xf4) returned 1 [0189.165] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0189.166] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0189.166] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d61ae52, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d61ae52, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0189.166] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NetHood" (normalized: "c:\\users\\default\\nethood"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.167] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood" (normalized: "c:\\users\\default\\nethood"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x43c [0189.167] GetFileInformationByHandle (in: hFile=0x43c, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.167] GetFileInformationByHandleEx (in: hFile=0x43c, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.167] CloseHandle (hObject=0x43c) returned 1 [0189.167] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.167] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0189.167] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms"), fInfoLevelId=0x0, lpFileInformation=0x12d35ad0 | out: lpFileInformation=0x12d35ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d61ae52, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d61ae52, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0189.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98140 | out: pbBuffer=0x12a98140) returned 1 [0189.167] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810dd0 | out: pbBuffer=0x12810dd0) returned 1 [0189.168] ReadFile (in: hFile=0x43c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d35d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12d35d1c*=0x20000, lpOverlapped=0x0) returned 1 [0189.197] GetFileType (hFile=0x43c) returned 0x1 [0189.197] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.197] WriteFile (in: hFile=0x43c, lpBuffer=0x12d58000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12d35d00, lpOverlapped=0x12d35d0c | out: lpBuffer=0x12d58000*, lpNumberOfBytesWritten=0x12d35d00*=0x20000, lpOverlapped=0x12d35d0c) returned 1 [0189.198] GetFileType (hFile=0x43c) returned 0x1 [0189.198] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12d35ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0189.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0189.199] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810e80 | out: pbBuffer=0x12810e80) returned 1 [0189.199] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.200] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d35d0c | out: lpMode=0x12d35d0c) returned 0 [0189.200] WriteFile (in: hFile=0x448, lpBuffer=0x1287e400*, nNumberOfBytesToWrite=0x1ca, lpNumberOfBytesWritten=0x12d35d0c, lpOverlapped=0x0 | out: lpBuffer=0x1287e400*, lpNumberOfBytesWritten=0x12d35d0c*=0x1ca, lpOverlapped=0x0) returned 1 [0189.202] CloseHandle (hObject=0x448) returned 1 [0189.202] CloseHandle (hObject=0x43c) returned 1 [0189.202] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810e98 | out: pbBuffer=0x12810e98) returned 1 [0189.202] MoveFileExW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\#_THIS_FILE_IS_ENCRYPTED_[6D31209A715CDF09]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\default\\#_this_file_is_encrypted_[6d31209a715cdf09]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.203] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood" (normalized: "c:\\users\\default\\nethood"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.203] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Pictures" (normalized: "c:\\users\\default\\pictures"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.204] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures" (normalized: "c:\\users\\default\\pictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.204] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0189.204] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.204] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.204] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0189.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\pictures\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.204] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.205] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.260] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.261] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.262] CloseHandle (hObject=0x1a0) returned 1 [0189.262] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\PrintHood" (normalized: "c:\\users\\default\\printhood"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.298] SetEvent (hEvent=0x110) returned 1 [0189.299] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood" (normalized: "c:\\users\\default\\printhood"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x1a0 [0189.299] GetFileInformationByHandle (in: hFile=0x1a0, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.299] GetFileInformationByHandleEx (in: hFile=0x1a0, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.299] CloseHandle (hObject=0x1a0) returned 1 [0189.299] SetEvent (hEvent=0x420) returned 1 [0189.299] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Recent" (normalized: "c:\\users\\default\\recent"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.320] CreateFileW (lpFileName="C:\\Users\\Default\\Recent" (normalized: "c:\\users\\default\\recent"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x438 [0189.320] GetFileInformationByHandle (in: hFile=0x438, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.320] GetFileInformationByHandleEx (in: hFile=0x438, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.320] CloseHandle (hObject=0x438) returned 1 [0189.320] SetEvent (hEvent=0xf4) returned 1 [0189.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Saved Games" (normalized: "c:\\users\\default\\saved games"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.325] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games" (normalized: "c:\\users\\default\\saved games"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.326] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0189.326] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.326] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.326] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0189.326] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Saved Games\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\saved games\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.326] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\saved games\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.326] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\saved games\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.331] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.331] WriteFile (in: hFile=0x43c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.332] CloseHandle (hObject=0x43c) returned 1 [0189.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\SendTo" (normalized: "c:\\users\\default\\sendto"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.335] SetEvent (hEvent=0x110) returned 1 [0189.335] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo" (normalized: "c:\\users\\default\\sendto"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x43c [0189.335] GetFileInformationByHandle (in: hFile=0x43c, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.336] GetFileInformationByHandleEx (in: hFile=0x43c, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.336] CloseHandle (hObject=0x43c) returned 1 [0189.336] SetEvent (hEvent=0x3f4) returned 1 [0189.336] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Start Menu" (normalized: "c:\\users\\default\\start menu"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.336] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu" (normalized: "c:\\users\\default\\start menu"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x43c [0189.336] GetFileInformationByHandle (in: hFile=0x43c, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.336] GetFileInformationByHandleEx (in: hFile=0x43c, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.336] CloseHandle (hObject=0x43c) returned 1 [0189.336] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Templates" (normalized: "c:\\users\\default\\templates"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.336] CreateFileW (lpFileName="C:\\Users\\Default\\Templates" (normalized: "c:\\users\\default\\templates"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x43c [0189.337] GetFileInformationByHandle (in: hFile=0x43c, lpFileInformation=0x1282bb4c | out: lpFileInformation=0x1282bb4c) returned 1 [0189.337] GetFileInformationByHandleEx (in: hFile=0x43c, FileInformationClass=0x9, lpFileInformation=0x1282bb44, dwBufferSize=0x8 | out: lpFileInformation=0x1282bb44) returned 1 [0189.337] CloseHandle (hObject=0x43c) returned 1 [0189.337] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Videos" (normalized: "c:\\users\\default\\videos"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.337] CreateFileW (lpFileName="C:\\Users\\Default\\Videos" (normalized: "c:\\users\\default\\videos"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.337] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.337] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.337] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.337] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.337] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default\\Videos\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\videos\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.338] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\videos\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.338] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\default\\videos\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.338] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.338] WriteFile (in: hFile=0x43c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.340] CloseHandle (hObject=0x43c) returned 1 [0189.340] GetFileAttributesExW (in: lpFileName="C:\\Users\\Default User" (normalized: "c:\\users\\default user"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.340] CreateFileW (lpFileName="C:\\Users\\Default User" (normalized: "c:\\users\\default user"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x43c [0189.340] GetFileInformationByHandle (in: hFile=0x43c, lpFileInformation=0x1282bbb0 | out: lpFileInformation=0x1282bbb0) returned 1 [0189.341] GetFileInformationByHandleEx (in: hFile=0x43c, FileInformationClass=0x9, lpFileInformation=0x1282bba8, dwBufferSize=0x8 | out: lpFileInformation=0x1282bba8) returned 1 [0189.341] CloseHandle (hObject=0x43c) returned 1 [0189.341] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public" (normalized: "c:\\users\\public"), fInfoLevelId=0x0, lpFileInformation=0x1282bc20 | out: lpFileInformation=0x1282bc20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0189.341] CreateFileW (lpFileName="C:\\Users\\Public" (normalized: "c:\\users\\public"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.341] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*", lpFindFileData=0x1282baf8 | out: lpFindFileData=0x1282baf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0189.341] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282bb3c | out: lpFindFileData=0x1282bb3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.342] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0189.342] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b7c0 | out: lpFileInformation=0x1282b7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.342] CreateFileW (lpFileName="C:\\Users\\Public\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.342] CreateFileW (lpFileName="C:\\Users\\Public\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.342] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b9d0 | out: lpMode=0x1282b9d0) returned 0 [0189.342] WriteFile (in: hFile=0x43c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b9d0, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b9d0*=0x118a, lpOverlapped=0x0) returned 1 [0189.344] CloseHandle (hObject=0x43c) returned 1 [0189.344] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\AccountPictures" (normalized: "c:\\users\\public\\accountpictures"), fInfoLevelId=0x0, lpFileInformation=0x1282bbbc | out: lpFileInformation=0x1282bbbc*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.344] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures" (normalized: "c:\\users\\public\\accountpictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.344] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x1282ba94 | out: lpFindFileData=0x1282ba94*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0189.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0189.344] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282bad8 | out: lpFindFileData=0x1282bad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.344] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0189.345] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\accountpictures\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b75c | out: lpFileInformation=0x1282b75c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0189.345] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\accountpictures\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0189.345] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\public\\accountpictures\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.345] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b96c | out: lpMode=0x1282b96c) returned 0 [0189.345] WriteFile (in: hFile=0x43c, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b96c, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b96c*=0x118a, lpOverlapped=0x0) returned 1 [0189.346] CloseHandle (hObject=0x43c) returned 1 [0189.347] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\desktop.ini" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x1282bb58 | out: lpFileInformation=0x1282bb58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc4)) returned 1 [0189.347] CreateFileW (lpFileName="C:\\Users\\Default User" (normalized: "c:\\users\\default user"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.347] FindFirstFileW (in: lpFileName="C:\\Users\\Default User\\*", lpFindFileData=0x128b3a44 | out: lpFindFileData=0x128b3a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.347] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\desktop.ini" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.347] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x128b3d0c | out: lpMode=0x128b3d0c) returned 0 [0189.347] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\desktop.ini" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x128b3ad0 | out: lpFileInformation=0x128b3ad0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc4)) returned 1 [0189.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928420 | out: pbBuffer=0x12928420) returned 1 [0189.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35be8 | out: pbBuffer=0x12c35be8) returned 1 [0189.348] ReadFile (in: hFile=0x43c, lpBuffer=0x12b88000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128b3d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b88000*, lpNumberOfBytesRead=0x128b3d1c*=0xc4, lpOverlapped=0x0) returned 1 [0189.349] GetFileType (hFile=0x43c) returned 0x1 [0189.349] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x128b3ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.349] WriteFile (in: hFile=0x43c, lpBuffer=0x12c2e1a0*, nNumberOfBytesToWrite=0xc4, lpNumberOfBytesWritten=0x128b3d00, lpOverlapped=0x128b3d0c | out: lpBuffer=0x12c2e1a0*, lpNumberOfBytesWritten=0x128b3d00*=0xc4, lpOverlapped=0x128b3d0c) returned 1 [0189.349] GetFileType (hFile=0x43c) returned 0x1 [0189.349] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xc4, lpNewFilePointer=0x0, dwMoveMethod=0x128b3ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.349] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0189.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0189.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0189.350] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c35ca0 | out: pbBuffer=0x12c35ca0) returned 1 [0189.350] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\desktop.ini" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.350] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x128b3d0c | out: lpMode=0x128b3d0c) returned 0 [0189.350] WriteFile (in: hFile=0x438, lpBuffer=0x12c20000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x128b3d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20000*, lpNumberOfBytesWritten=0x128b3d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.373] CloseHandle (hObject=0x438) returned 1 [0189.373] CloseHandle (hObject=0x43c) returned 1 [0189.374] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35cb8 | out: pbBuffer=0x12c35cb8) returned 1 [0189.374] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\AccountPictures\\desktop.ini" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\AccountPictures\\#_THIS_FILE_IS_ENCRYPTED_[1A1D0B3BF7B4BF39]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\accountpictures\\#_this_file_is_encrypted_[1a1d0b3bf7b4bf39]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.383] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music" (normalized: "c:\\users\\public\\documents\\my music"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0189.409] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x12d35a44 | out: lpFindFileData=0x12d35a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.410] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.410] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0189.410] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12d37ad0 | out: lpFileInformation=0x12d37ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x116)) returned 1 [0189.410] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928640 | out: pbBuffer=0x12928640) returned 1 [0189.410] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35d08 | out: pbBuffer=0x12c35d08) returned 1 [0189.411] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0189.436] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0189.436] SetEvent (hEvent=0x110) returned 1 [0189.436] SetEvent (hEvent=0xf4) returned 1 [0189.436] ReadFile (in: hFile=0x43c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12d37d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12d37d1c*=0x116, lpOverlapped=0x0) returned 1 [0189.438] GetFileType (hFile=0x43c) returned 0x1 [0189.438] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.438] WriteFile (in: hFile=0x43c, lpBuffer=0x12a6be60*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x12d37d00, lpOverlapped=0x12d37d0c | out: lpBuffer=0x12a6be60*, lpNumberOfBytesWritten=0x12d37d00*=0x116, lpOverlapped=0x12d37d0c) returned 1 [0189.439] GetFileType (hFile=0x43c) returned 0x1 [0189.439] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x116, lpNewFilePointer=0x0, dwMoveMethod=0x12d37ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.439] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0189.439] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0189.439] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0189.440] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c35dc0 | out: pbBuffer=0x12c35dc0) returned 1 [0189.440] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0189.440] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12d37d0c | out: lpMode=0x12d37d0c) returned 0 [0189.440] WriteFile (in: hFile=0x448, lpBuffer=0x12c20a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12d37d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c20a00*, lpNumberOfBytesWritten=0x12d37d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.522] CloseHandle (hObject=0x448) returned 1 [0189.522] CloseHandle (hObject=0x43c) returned 1 [0189.523] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35dd8 | out: pbBuffer=0x12c35dd8) returned 1 [0189.523] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[E019359F2BFE07A7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\documents\\#_this_file_is_encrypted_[e019359f2bfe07a7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.525] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0189.531] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0189.531] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0189.536] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0189.537] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0189.537] SetEvent (hEvent=0x3f4) returned 1 [0189.537] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0189.544] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.544] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0189.544] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae)) returned 1 [0189.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0189.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0189.545] ReadFile (in: hFile=0x438, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a73d1c*=0xae, lpOverlapped=0x0) returned 1 [0189.546] GetFileType (hFile=0x438) returned 0x1 [0189.546] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.546] WriteFile (in: hFile=0x438, lpBuffer=0x1291c2c0*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x1291c2c0*, lpNumberOfBytesWritten=0x12a73d00*=0xae, lpOverlapped=0x12a73d0c) returned 1 [0189.547] GetFileType (hFile=0x438) returned 0x1 [0189.547] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xae, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0189.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0189.547] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0189.548] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0189.548] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0189.548] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0189.548] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b16500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b16500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.560] CloseHandle (hObject=0x1a0) returned 1 [0189.560] CloseHandle (hObject=0x438) returned 1 [0189.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0189.560] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\Downloads\\#_THIS_FILE_IS_ENCRYPTED_[5BD64B4D1452629E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\downloads\\#_this_file_is_encrypted_[5bd64b4d1452629e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.574] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.574] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0189.575] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7)) returned 1 [0189.575] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0189.575] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a140 | out: pbBuffer=0x12a9a140) returned 1 [0189.575] ReadFile (in: hFile=0x438, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12829d1c*=0x3e7, lpOverlapped=0x0) returned 1 [0189.595] GetFileType (hFile=0x438) returned 0x1 [0189.595] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.595] WriteFile (in: hFile=0x438, lpBuffer=0x1287e400*, nNumberOfBytesToWrite=0x3e7, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x1287e400*, lpNumberOfBytesWritten=0x12829d00*=0x3e7, lpOverlapped=0x12829d0c) returned 1 [0189.595] GetFileType (hFile=0x438) returned 0x1 [0189.595] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x3e7, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0189.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0189.595] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0189.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a208 | out: pbBuffer=0x12a9a208) returned 1 [0189.596] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0189.596] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0189.596] WriteFile (in: hFile=0x428, lpBuffer=0x12b16a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b16a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.596] CloseHandle (hObject=0x428) returned 1 [0189.597] CloseHandle (hObject=0x438) returned 1 [0189.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a230 | out: pbBuffer=0x12a9a230) returned 1 [0189.597] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\Users\\Public\\Libraries\\#_THIS_FILE_IS_ENCRYPTED_[49CAD2473C4A662C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\libraries\\#_this_file_is_encrypted_[49cad2473c4a662c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.598] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.598] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0189.598] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c)) returned 1 [0189.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844960 | out: pbBuffer=0x12844960) returned 1 [0189.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a278 | out: pbBuffer=0x12a9a278) returned 1 [0189.598] ReadFile (in: hFile=0x438, lpBuffer=0x12d50000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d50000*, lpNumberOfBytesRead=0x12829d1c*=0x17c, lpOverlapped=0x0) returned 1 [0189.599] GetFileType (hFile=0x438) returned 0x1 [0189.599] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.600] WriteFile (in: hFile=0x438, lpBuffer=0x12926000*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12926000*, lpNumberOfBytesWritten=0x12829d00*=0x17c, lpOverlapped=0x12829d0c) returned 1 [0189.600] GetFileType (hFile=0x438) returned 0x1 [0189.600] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x17c, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0189.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0189.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0189.600] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a330 | out: pbBuffer=0x12a9a330) returned 1 [0189.600] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0189.601] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0189.601] WriteFile (in: hFile=0x428, lpBuffer=0x12b16f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b16f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.645] CloseHandle (hObject=0x428) returned 1 [0189.645] CloseHandle (hObject=0x438) returned 1 [0189.645] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a348 | out: pbBuffer=0x12a9a348) returned 1 [0189.645] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), lpNewFileName="C:\\Users\\Public\\Videos\\#_THIS_FILE_IS_ENCRYPTED_[0D222992A2754DB5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\public\\videos\\#_this_file_is_encrypted_[0d222992a2754db5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.646] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.646] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0189.646] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b315521, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xeb439aee, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xeb43ae8c, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x14)) returned 1 [0189.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844e40 | out: pbBuffer=0x12844e40) returned 1 [0189.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a390 | out: pbBuffer=0x12a9a390) returned 1 [0189.647] ReadFile (in: hFile=0x438, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12a73d1c*=0x14, lpOverlapped=0x0) returned 1 [0189.648] GetFileType (hFile=0x438) returned 0x1 [0189.648] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.648] WriteFile (in: hFile=0x438, lpBuffer=0x12844ea0*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12844ea0*, lpNumberOfBytesWritten=0x12a73d00*=0x14, lpOverlapped=0x12a73d0c) returned 1 [0189.648] GetFileType (hFile=0x438) returned 0x1 [0189.648] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x14, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.648] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0189.649] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0189.649] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0189.649] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a448 | out: pbBuffer=0x12a9a448) returned 1 [0189.649] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0189.649] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0189.649] WriteFile (in: hFile=0x428, lpBuffer=0x12b17400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b17400*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0189.713] CloseHandle (hObject=0x428) returned 1 [0189.713] CloseHandle (hObject=0x438) returned 1 [0189.713] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a460 | out: pbBuffer=0x12a9a460) returned 1 [0189.713] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[2B3FAC9721C8C34B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\#_this_file_is_encrypted_[2b3fac9721c8c34b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0189.715] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0189.715] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0189.715] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00002.jrs"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000)) returned 1 [0189.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845300 | out: pbBuffer=0x12845300) returned 1 [0189.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a4a8 | out: pbBuffer=0x12a9a4a8) returned 1 [0189.716] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0189.786] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0189.786] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0189.786] SetEvent (hEvent=0x110) returned 1 [0189.786] SetEvent (hEvent=0xf4) returned 1 [0189.786] SetEvent (hEvent=0xfc) returned 1 [0189.786] ReadFile (in: hFile=0x438, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x12a73d1c*=0x20000, lpOverlapped=0x0) returned 1 [0189.820] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0189.829] GetFileType (hFile=0x438) returned 0x1 [0189.829] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.832] WriteFile (in: hFile=0x438, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x12a73d00*=0x20000, lpOverlapped=0x12a73d0c) returned 1 [0189.833] GetFileType (hFile=0x438) returned 0x1 [0189.833] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0189.833] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0189.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0189.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0189.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341c8 | out: pbBuffer=0x12c341c8) returned 1 [0189.834] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00002.jrs"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0189.834] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0189.834] WriteFile (in: hFile=0x43c, lpBuffer=0x12c2c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2c500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0190.118] CloseHandle (hObject=0x43c) returned 1 [0190.119] CloseHandle (hObject=0x438) returned 1 [0190.128] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34000 | out: pbBuffer=0x12c34000) returned 1 [0190.129] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\ussres00002.jrs"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\#_THIS_FILE_IS_ENCRYPTED_[F392B8BDC82617A2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\#_this_file_is_encrypted_[f392b8bdc82617a2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0190.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\store.vol" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\store.vol"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.138] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\store.vol\\*", lpFindFileData=0x12a73a44 | out: lpFindFileData=0x12a73a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0190.138] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\tmp.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\tmp.edb"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc44b2fe5, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xc44b2fe5, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xc44e79be, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x30000)) returned 1 [0190.138] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\history"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\history"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x43c [0190.139] GetFileInformationByHandle (in: hFile=0x43c, lpFileInformation=0x1282ba84 | out: lpFileInformation=0x1282ba84) returned 1 [0190.139] GetFileInformationByHandleEx (in: hFile=0x43c, FileInformationClass=0x9, lpFileInformation=0x1282ba7c, dwBufferSize=0x8 | out: lpFileInformation=0x1282ba7c) returned 1 [0190.139] CloseHandle (hObject=0x43c) returned 1 [0190.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\tmp.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\tmp.edb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.139] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\tmp.edb\\*", lpFindFileData=0x12a73a44 | out: lpFindFileData=0x12a73a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0190.139] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\history"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.139] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History\\*", lpFindFileData=0x12a73a44 | out: lpFindFileData=0x12a73a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0190.140] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xb1dfb94f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xb1dfb94f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x69d588a7, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x5c6e)) returned 1 [0190.140] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0190.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.140] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.140] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CLR_v4.0", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CLR_v4.0_32", cAlternateFileName="CLR_V4~1.0_3")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58717184, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x58717184, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x407cb15, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x407cb15, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Feeds", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x430ec4ba, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4095142, ftLastAccessTime.dwHighDateTime=0x1d82a29, ftLastWriteTime.dwLowDateTime=0x4095142, ftLastWriteTime.dwHighDateTime=0x1d82a29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Feeds Cache", cAlternateFileName="FEEDSC~1")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a17d745, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a184b86, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FORMS", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x809248a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc7db342, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GameDVR", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InputPersonalization", cAlternateFileName="INPUTP~1")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InstallAgent", cAlternateFileName="INSTAL~1")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x966d3d20, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x966d3d20, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x696efe32, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x696efe32, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11bc67, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PlayReady", cAlternateFileName="PLAYRE~1")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf89b6cfd, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf89b6cfd, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87ca06a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87ca06a1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~2")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d0c63cd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0190.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.141] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.142] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.142] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0190.142] WriteFile (in: hFile=0x43c, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0190.144] CloseHandle (hObject=0x43c) returned 1 [0190.144] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.144] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.144] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0190.145] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.145] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsageLogs", cAlternateFileName="USAGEL~1")) returned 1 [0190.145] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.145] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0190.145] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.145] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0190.146] WriteFile (in: hFile=0x43c, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0190.147] CloseHandle (hObject=0x43c) returned 1 [0190.147] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x70f197fc, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x70f197fc, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.199] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.200] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x70f197fc, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x70f197fc, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.200] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x70f197fc, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x70f197fc, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.200] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8647598c, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x110c, dwReserved0=0x0, dwReserved1=0x0, cFileName="powershell.exe.log", cAlternateFileName="POWERS~1.LOG")) returned 1 [0190.200] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f197fc, ftCreationTime.dwHighDateTime=0x1d7b059, ftLastAccessTime.dwLowDateTime=0x70f197fc, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x70f197fc, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x15dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="sdiagnhost.exe.log", cAlternateFileName="SDIAGN~1.LOG")) returned 1 [0190.200] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.200] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.200] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.200] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.201] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.208] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0190.208] WriteFile (in: hFile=0x438, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0190.209] CloseHandle (hObject=0x438) returned 1 [0190.209] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\powershell.exe.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8647598c, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x110c)) returned 1 [0190.210] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\sdiagnhost.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\sdiagnhost.exe.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f197fc, ftCreationTime.dwHighDateTime=0x1d7b059, ftLastAccessTime.dwLowDateTime=0x70f197fc, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x70f197fc, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x15dd)) returned 1 [0190.210] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.211] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.211] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.211] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsageLogs", cAlternateFileName="USAGEL~1")) returned 1 [0190.211] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.211] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.211] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.212] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.212] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0190.212] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0190.212] WriteFile (in: hFile=0x438, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0190.214] CloseHandle (hObject=0x438) returned 1 [0190.214] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.265] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.266] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0190.266] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.266] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a845ef9, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x1078, dwReserved0=0x0, dwReserved1=0x0, cFileName="powershell.exe.log", cAlternateFileName="POWERS~1.LOG")) returned 1 [0190.266] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.266] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0190.266] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.267] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.267] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.267] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0190.267] WriteFile (in: hFile=0x43c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0190.269] CloseHandle (hObject=0x43c) returned 1 [0190.269] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\powershell.exe.log"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a845ef9, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x1078)) returned 1 [0190.269] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58717184, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x58717184, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.270] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.270] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58717184, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x58717184, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.270] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58717184, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x58717184, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.270] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x508b12b7, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58717184, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x5871986a, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x2ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DFBE70A7E5CC19A398EBF1B96859CE5D", cAlternateFileName="DFBE70~1")) returned 1 [0190.270] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.270] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.270] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.270] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0190.273] GetConsoleMode (in: hConsoleHandle=0x43c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0190.273] WriteFile (in: hFile=0x43c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0190.274] CloseHandle (hObject=0x43c) returned 1 [0190.275] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\DFBE70A7E5CC19A398EBF1B96859CE5D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\dfbe70a7e5cc19a398ebf1b96859ce5d"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x508b12b7, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58717184, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x5871986a, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x2ac0)) returned 1 [0190.275] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a17d745, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a184b86, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0190.319] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0190.319] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a17d745, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a184b86, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0190.319] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a17d745, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a184b86, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0190.319] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a184b86, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a4e76b4, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="FRMCACHE.DAT", cAlternateFileName="")) returned 1 [0190.319] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0190.320] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0190.320] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0190.320] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0190.320] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0190.321] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0190.321] WriteFile (in: hFile=0x428, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0190.323] CloseHandle (hObject=0x428) returned 1 [0190.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\frmcache.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a184b86, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a4e76b4, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc)) returned 1 [0190.323] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\DFBE70A7E5CC19A398EBF1B96859CE5D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\dfbe70a7e5cc19a398ebf1b96859ce5d"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0190.323] GetConsoleMode (in: hConsoleHandle=0x428, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0190.323] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\DFBE70A7E5CC19A398EBF1B96859CE5D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\dfbe70a7e5cc19a398ebf1b96859ce5d"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x508b12b7, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x58717184, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x5871986a, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x2ac0)) returned 1 [0190.323] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928a00 | out: pbBuffer=0x12928a00) returned 1 [0190.324] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848330 | out: pbBuffer=0x12848330) returned 1 [0190.324] ReadFile (in: hFile=0x428, lpBuffer=0x12d50000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d50000*, lpNumberOfBytesRead=0x12829d1c*=0x2ac0, lpOverlapped=0x0) returned 1 [0190.375] GetFileType (hFile=0x428) returned 0x1 [0190.375] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0190.375] WriteFile (in: hFile=0x428, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x2ac0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12829d00*=0x2ac0, lpOverlapped=0x12829d0c) returned 1 [0190.376] GetFileType (hFile=0x428) returned 0x1 [0190.376] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x2ac0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0190.376] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0190.376] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ab81 | out: pbBuffer=0x1286ab81) returned 1 [0190.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0190.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848408 | out: pbBuffer=0x12848408) returned 1 [0190.377] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\DFBE70A7E5CC19A398EBF1B96859CE5D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\dfbe70a7e5cc19a398ebf1b96859ce5d"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0190.377] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0190.377] WriteFile (in: hFile=0x448, lpBuffer=0x12b16000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b16000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0190.378] CloseHandle (hObject=0x448) returned 1 [0190.378] CloseHandle (hObject=0x428) returned 1 [0190.378] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848430 | out: pbBuffer=0x12848430) returned 1 [0190.378] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\DFBE70A7E5CC19A398EBF1B96859CE5D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\dfbe70a7e5cc19a398ebf1b96859ce5d"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\#_THIS_FILE_IS_ENCRYPTED_[FF2E0A925CD5EF4D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\#_this_file_is_encrypted_[ff2e0a925cd5ef4d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0190.404] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0190.504] SwitchToThread () returned 1 [0190.516] SetEvent (hEvent=0xfc) returned 1 [0190.516] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0190.520] SetEvent (hEvent=0xfc) returned 1 [0190.520] SetEvent (hEvent=0x1d0) returned 1 [0193.616] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RecoveryStore.{309877BD-961C-11EC-B0BF-000FF3E16138}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\recoverystore.{309877bd-961c-11ec-b0bf-000ff3e16138}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0193.617] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RecoveryStore.{309877BD-961C-11EC-B0BF-000FF3E16138}.dat\\*", lpFindFileData=0x12a4ba44 | out: lpFindFileData=0x12a4ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0193.617] SetEvent (hEvent=0x1d0) returned 1 [0193.617] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0195.984] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0196.022] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0196.022] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0196.311] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848330 | out: pbBuffer=0x12848330) returned 1 [0196.312] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0196.312] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0196.312] WriteFile (in: hFile=0x42c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.313] CloseHandle (hObject=0x42c) returned 1 [0196.313] CloseHandle (hObject=0x448) returned 1 [0196.313] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848358 | out: pbBuffer=0x12848358) returned 1 [0196.313] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\#_THIS_FILE_IS_ENCRYPTED_[2E62ABC2218295C1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\#_this_file_is_encrypted_[2e62abc2218295c1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.314] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0196.315] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-userconfig.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0196.315] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0196.315] WriteFile (in: hFile=0x448, lpBuffer=0x12b10500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b10500*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.315] CloseHandle (hObject=0x448) returned 1 [0196.315] CloseHandle (hObject=0x1a0) returned 1 [0196.316] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0196.316] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-userconfig.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\#_THIS_FILE_IS_ENCRYPTED_[968D7D24238D2E85]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\#_this_file_is_encrypted_[968d7d24238d2e85]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.316] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0196.317] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-ClearIconCache.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-cleariconcache.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0196.317] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a49d0c | out: lpMode=0x12a49d0c) returned 0 [0196.317] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b10a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a49d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b10a00*, lpNumberOfBytesWritten=0x12a49d0c*=0x276, lpOverlapped=0x0) returned 1 [0196.385] CloseHandle (hObject=0x1a0) returned 1 [0196.385] CloseHandle (hObject=0x15c) returned 1 [0196.385] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848438 | out: pbBuffer=0x12848438) returned 1 [0196.385] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-ClearIconCache.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-cleariconcache.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\#_THIS_FILE_IS_ENCRYPTED_[FE44FDEA8E7F0A2F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\#_this_file_is_encrypted_[fe44fdea8e7f0a2f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.386] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0196.446] SetEvent (hEvent=0x40c) returned 1 [0196.446] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0196.446] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0196.446] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\02_music_added_in_the_last_month.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4ff)) returned 1 [0196.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e580 | out: pbBuffer=0x1280e580) returned 1 [0196.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848490 | out: pbBuffer=0x12848490) returned 1 [0196.447] ReadFile (in: hFile=0x1a0, lpBuffer=0x12c94000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c94000*, lpNumberOfBytesRead=0x12a6fd1c*=0x4ff, lpOverlapped=0x0) returned 1 [0196.511] GetFileType (hFile=0x1a0) returned 0x1 [0196.511] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0196.511] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b10f00*, nNumberOfBytesToWrite=0x4ff, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12b10f00*, lpNumberOfBytesWritten=0x12a6fd00*=0x4ff, lpOverlapped=0x12a6fd0c) returned 1 [0196.511] GetFileType (hFile=0x1a0) returned 0x1 [0196.511] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x4ff, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0196.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0196.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0196.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0196.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848548 | out: pbBuffer=0x12848548) returned 1 [0196.513] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0196.513] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0196.513] WriteFile (in: hFile=0x3c4, lpBuffer=0x12b11400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b11400*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.513] CloseHandle (hObject=0x3c4) returned 1 [0196.513] CloseHandle (hObject=0x1a0) returned 1 [0196.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848570 | out: pbBuffer=0x12848570) returned 1 [0196.514] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\02_music_added_in_the_last_month.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[DC105731FC32E79C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[dc105731fc32e79c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.514] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0196.515] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0196.515] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\03_music_rated_at_4_or_5_stars.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4f3)) returned 1 [0196.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e840 | out: pbBuffer=0x1280e840) returned 1 [0196.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485b8 | out: pbBuffer=0x128485b8) returned 1 [0196.516] ReadFile (in: hFile=0x1a0, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12a4bd1c*=0x4f3, lpOverlapped=0x0) returned 1 [0196.569] GetFileType (hFile=0x1a0) returned 0x1 [0196.569] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0196.570] WriteFile (in: hFile=0x1a0, lpBuffer=0x12b11900*, nNumberOfBytesToWrite=0x4f3, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12b11900*, lpNumberOfBytesWritten=0x12a4bd00*=0x4f3, lpOverlapped=0x12a4bd0c) returned 1 [0196.570] GetFileType (hFile=0x1a0) returned 0x1 [0196.570] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x4f3, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0196.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0196.570] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0196.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0196.571] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128486e0 | out: pbBuffer=0x128486e0) returned 1 [0196.571] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0196.571] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0196.571] WriteFile (in: hFile=0x438, lpBuffer=0x12cee000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12cee000*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.572] CloseHandle (hObject=0x438) returned 1 [0196.572] CloseHandle (hObject=0x1a0) returned 1 [0196.572] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128486f8 | out: pbBuffer=0x128486f8) returned 1 [0196.572] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\03_music_rated_at_4_or_5_stars.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[057D6658F1F89DB1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[057d6658f1f89db1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0196.790] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0196.871] SetEvent (hEvent=0xfc) returned 1 [0196.871] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0196.872] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0196.872] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\09_music_played_the_most.wpl"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x401)) returned 1 [0196.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0196.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0196.872] ReadFile (in: hFile=0x3c4, lpBuffer=0x12a24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12a24000*, lpNumberOfBytesRead=0x12a4bd1c*=0x401, lpOverlapped=0x0) returned 1 [0196.882] GetFileType (hFile=0x3c4) returned 0x1 [0196.882] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0196.882] WriteFile (in: hFile=0x3c4, lpBuffer=0x12891200*, nNumberOfBytesToWrite=0x401, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12891200*, lpNumberOfBytesWritten=0x12a4bd00*=0x401, lpOverlapped=0x12a4bd0c) returned 1 [0196.883] GetFileType (hFile=0x3c4) returned 0x1 [0196.883] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x401, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0196.883] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0196.883] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a901 | out: pbBuffer=0x1286a901) returned 1 [0196.883] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa01 | out: pbBuffer=0x1286aa01) returned 1 [0196.883] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8438 | out: pbBuffer=0x128e8438) returned 1 [0196.883] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\09_music_played_the_most.wpl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0196.884] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0196.884] WriteFile (in: hFile=0x448, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0196.884] CloseHandle (hObject=0x448) returned 1 [0196.893] CloseHandle (hObject=0x3c4) returned 1 [0196.900] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8450 | out: pbBuffer=0x128e8450) returned 1 [0196.900] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\09_music_played_the_most.wpl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\#_THIS_FILE_IS_ENCRYPTED_[42EA3D556A4A996D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\#_this_file_is_encrypted_[42ea3d556a4a996d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0197.039] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0197.215] SetEvent (hEvent=0x1d0) returned 1 [0197.215] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0197.304] SetEvent (hEvent=0xfc) returned 1 [0197.306] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0197.313] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0197.313] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0197.313] SetEvent (hEvent=0xfc) returned 1 [0197.313] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0197.316] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0197.317] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0197.340] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0197.379] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0197.400] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.043] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.051] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.102] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.127] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.210] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.251] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.316] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.350] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.425] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.558] SetEvent (hEvent=0x3f4) returned 1 [0198.558] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.578] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.586] SetEvent (hEvent=0x420) returned 1 [0198.586] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.590] SetEvent (hEvent=0x420) returned 1 [0198.590] SetEvent (hEvent=0x1d0) returned 1 [0198.590] SwitchToThread () returned 1 [0198.593] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.600] SetEvent (hEvent=0x1d0) returned 1 [0198.600] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\393DA17C-492D-4E39-93B9-A0EB68F559AE" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\393da17c-492d-4e39-93b9-a0eb68f559ae"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0198.600] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0198.601] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\393DA17C-492D-4E39-93B9-A0EB68F559AE" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\393da17c-492d-4e39-93b9-a0eb68f559ae"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8e2fcd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab8e2fcd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab8e2fcd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4a91)) returned 1 [0198.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0198.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0198.601] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a6dd1c*=0x4a91, lpOverlapped=0x0) returned 1 [0198.603] GetFileType (hFile=0x3c4) returned 0x1 [0198.603] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0198.603] WriteFile (in: hFile=0x3c4, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x4a91, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a6dd00*=0x4a91, lpOverlapped=0x12a6dd0c) returned 1 [0198.604] GetFileType (hFile=0x3c4) returned 0x1 [0198.604] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x4a91, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0198.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0198.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0198.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0198.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0198.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\393DA17C-492D-4E39-93B9-A0EB68F559AE" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\393da17c-492d-4e39-93b9-a0eb68f559ae"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0198.605] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0198.605] WriteFile (in: hFile=0x448, lpBuffer=0x12b44000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b44000*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.605] CloseHandle (hObject=0x448) returned 1 [0198.620] CloseHandle (hObject=0x3c4) returned 1 [0198.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0198.622] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\393DA17C-492D-4E39-93B9-A0EB68F559AE" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\393da17c-492d-4e39-93b9-a0eb68f559ae"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[F1F78C3C74EAF73F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[f1f78c3c74eaf73f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3E543A2A-53F0-47F8-9F51-FF1B9D7890AD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3e543a2a-53f0-47f8-9f51-ff1b9d7890ad"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0198.828] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0198.828] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3E543A2A-53F0-47F8-9F51-FF1B9D7890AD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3e543a2a-53f0-47f8-9f51-ff1b9d7890ad"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba3536d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba3536d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba3536d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a3b)) returned 1 [0198.828] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0198.828] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342e0 | out: pbBuffer=0x12c342e0) returned 1 [0198.829] ReadFile (in: hFile=0x15c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a6fd1c*=0x1a3b, lpOverlapped=0x0) returned 1 [0198.833] GetFileType (hFile=0x15c) returned 0x1 [0198.833] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0198.834] WriteFile (in: hFile=0x15c, lpBuffer=0x12acc000*, nNumberOfBytesToWrite=0x1a3b, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12acc000*, lpNumberOfBytesWritten=0x12a6fd00*=0x1a3b, lpOverlapped=0x12a6fd0c) returned 1 [0198.834] GetFileType (hFile=0x15c) returned 0x1 [0198.834] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x1a3b, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0198.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0198.834] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0198.835] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0198.835] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34398 | out: pbBuffer=0x12c34398) returned 1 [0198.835] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3E543A2A-53F0-47F8-9F51-FF1B9D7890AD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3e543a2a-53f0-47f8-9f51-ff1b9d7890ad"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0198.835] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0198.835] WriteFile (in: hFile=0x438, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.836] CloseHandle (hObject=0x438) returned 1 [0198.839] CloseHandle (hObject=0x15c) returned 1 [0198.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c343b0 | out: pbBuffer=0x12c343b0) returned 1 [0198.842] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3E543A2A-53F0-47F8-9F51-FF1B9D7890AD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\3e543a2a-53f0-47f8-9f51-ff1b9d7890ad"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[B762BA81D365ABDA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[b762ba81d365abda]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0198.966] SetEvent (hEvent=0x110) returned 1 [0198.966] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0198.968] SetEvent (hEvent=0x3f4) returned 1 [0198.968] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\43F05AC3-1345-4232-9173-E5AEAF85BF98" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\43f05ac3-1345-4232-9173-e5aeaf85bf98"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0198.969] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.969] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\43F05AC3-1345-4232-9173-E5AEAF85BF98" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\43f05ac3-1345-4232-9173-e5aeaf85bf98"), fInfoLevelId=0x0, lpFileInformation=0x12a4bad0 | out: lpFileInformation=0x12a4bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84c0c6a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84c0c6a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84c20aa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x97c)) returned 1 [0198.969] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0198.969] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34950 | out: pbBuffer=0x12c34950) returned 1 [0198.969] ReadFile (in: hFile=0x15c, lpBuffer=0x12bcc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a4bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bcc000*, lpNumberOfBytesRead=0x12a4bd1c*=0x97c, lpOverlapped=0x0) returned 1 [0198.974] GetFileType (hFile=0x15c) returned 0x1 [0198.974] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.974] WriteFile (in: hFile=0x15c, lpBuffer=0x12a74a80*, nNumberOfBytesToWrite=0x97c, lpNumberOfBytesWritten=0x12a4bd00, lpOverlapped=0x12a4bd0c | out: lpBuffer=0x12a74a80*, lpNumberOfBytesWritten=0x12a4bd00*=0x97c, lpOverlapped=0x12a4bd0c) returned 1 [0198.974] GetFileType (hFile=0x15c) returned 0x1 [0198.974] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x97c, lpNewFilePointer=0x0, dwMoveMethod=0x12a4bce4 | out: lpNewFilePointer=0x0) returned 1 [0198.974] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0198.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0198.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0198.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34a08 | out: pbBuffer=0x12c34a08) returned 1 [0198.975] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\43F05AC3-1345-4232-9173-E5AEAF85BF98" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\43f05ac3-1345-4232-9173-e5aeaf85bf98"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0198.976] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a4bd0c | out: lpMode=0x12a4bd0c) returned 0 [0198.976] WriteFile (in: hFile=0x438, lpBuffer=0x12b12500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a4bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12b12500*, lpNumberOfBytesWritten=0x12a4bd0c*=0x276, lpOverlapped=0x0) returned 1 [0198.976] CloseHandle (hObject=0x438) returned 1 [0198.977] CloseHandle (hObject=0x15c) returned 1 [0198.980] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34a20 | out: pbBuffer=0x12c34a20) returned 1 [0198.980] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\43F05AC3-1345-4232-9173-E5AEAF85BF98" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\43f05ac3-1345-4232-9173-e5aeaf85bf98"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[671E44A06AEDE6C5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[671e44a06aede6c5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.159] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0199.162] SetEvent (hEvent=0x1d0) returned 1 [0199.162] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F183948-A9C6-492E-8CD3-78756D7F03CF" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f183948-a9c6-492e-8cd3-78756d7f03cf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0199.163] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0199.163] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F183948-A9C6-492E-8CD3-78756D7F03CF" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f183948-a9c6-492e-8cd3-78756d7f03cf"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5074490, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb5074490, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb5074490, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2171)) returned 1 [0199.163] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0199.163] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a008 | out: pbBuffer=0x12a9a008) returned 1 [0199.163] ReadFile (in: hFile=0x15c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a73d1c*=0x2171, lpOverlapped=0x0) returned 1 [0199.167] GetFileType (hFile=0x15c) returned 0x1 [0199.168] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.168] WriteFile (in: hFile=0x15c, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x2171, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12a73d00*=0x2171, lpOverlapped=0x12a73d0c) returned 1 [0199.168] GetFileType (hFile=0x15c) returned 0x1 [0199.168] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x2171, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0199.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0199.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0199.169] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0d0 | out: pbBuffer=0x12a9a0d0) returned 1 [0199.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F183948-A9C6-492E-8CD3-78756D7F03CF" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f183948-a9c6-492e-8cd3-78756d7f03cf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.169] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0199.169] WriteFile (in: hFile=0x438, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0199.169] CloseHandle (hObject=0x438) returned 1 [0199.172] CloseHandle (hObject=0x15c) returned 1 [0199.176] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a0e8 | out: pbBuffer=0x12a9a0e8) returned 1 [0199.176] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F183948-A9C6-492E-8CD3-78756D7F03CF" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\4f183948-a9c6-492e-8cd3-78756d7f03cf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[1DD5D0AD027870E0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[1dd5d0ad027870e0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.304] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0199.308] SetEvent (hEvent=0x1d0) returned 1 [0199.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\580DF0A8-7B09-4BAC-BD6B-1096E9BDA073" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\580df0a8-7b09-4bac-bd6b-1096e9bda073"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0199.309] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0199.309] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\580DF0A8-7B09-4BAC-BD6B-1096E9BDA073" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\580df0a8-7b09-4bac-bd6b-1096e9bda073"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabaab9cf, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabaab9cf, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabaacd7e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1cab)) returned 1 [0199.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e4a0 | out: pbBuffer=0x1280e4a0) returned 1 [0199.310] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a130 | out: pbBuffer=0x12a9a130) returned 1 [0199.310] ReadFile (in: hFile=0x15c, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a6dd1c*=0x1cab, lpOverlapped=0x0) returned 1 [0199.316] GetFileType (hFile=0x15c) returned 0x1 [0199.316] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0199.316] WriteFile (in: hFile=0x15c, lpBuffer=0x12ae2000*, nNumberOfBytesToWrite=0x1cab, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12ae2000*, lpNumberOfBytesWritten=0x12a6dd00*=0x1cab, lpOverlapped=0x12a6dd0c) returned 1 [0199.317] GetFileType (hFile=0x15c) returned 0x1 [0199.317] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x1cab, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0199.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834581 | out: pbBuffer=0x12834581) returned 1 [0199.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0199.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0199.317] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a1f8 | out: pbBuffer=0x12a9a1f8) returned 1 [0199.317] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\580DF0A8-7B09-4BAC-BD6B-1096E9BDA073" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\580df0a8-7b09-4bac-bd6b-1096e9bda073"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.318] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0199.318] WriteFile (in: hFile=0x438, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.318] CloseHandle (hObject=0x438) returned 1 [0199.320] CloseHandle (hObject=0x15c) returned 1 [0199.322] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a210 | out: pbBuffer=0x12a9a210) returned 1 [0199.322] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\580DF0A8-7B09-4BAC-BD6B-1096E9BDA073" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\580df0a8-7b09-4bac-bd6b-1096e9bda073"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[CC6D2AABF19D0CC5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[cc6d2aabf19d0cc5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.509] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0199.514] SetEvent (hEvent=0x1d0) returned 1 [0199.514] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5F3382B8-AFBF-4FEA-8B79-20898FE63A3D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5f3382b8-afbf-4fea-8b79-20898fe63a3d"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0199.515] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0199.515] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5F3382B8-AFBF-4FEA-8B79-20898FE63A3D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5f3382b8-afbf-4fea-8b79-20898fe63a3d"), fInfoLevelId=0x0, lpFileInformation=0x12a6fad0 | out: lpFileInformation=0x12a6fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9fe464, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9fe464, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9fe464, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x487e)) returned 1 [0199.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284e0 | out: pbBuffer=0x129284e0) returned 1 [0199.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849490 | out: pbBuffer=0x12849490) returned 1 [0199.542] ReadFile (in: hFile=0x15c, lpBuffer=0x12b6a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b6a000*, lpNumberOfBytesRead=0x12a6fd1c*=0x487e, lpOverlapped=0x0) returned 1 [0199.545] GetFileType (hFile=0x15c) returned 0x1 [0199.545] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0199.545] WriteFile (in: hFile=0x15c, lpBuffer=0x12baa000*, nNumberOfBytesToWrite=0x487e, lpNumberOfBytesWritten=0x12a6fd00, lpOverlapped=0x12a6fd0c | out: lpBuffer=0x12baa000*, lpNumberOfBytesWritten=0x12a6fd00*=0x487e, lpOverlapped=0x12a6fd0c) returned 1 [0199.545] GetFileType (hFile=0x15c) returned 0x1 [0199.545] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x487e, lpNewFilePointer=0x0, dwMoveMethod=0x12a6fce4 | out: lpNewFilePointer=0x0) returned 1 [0199.545] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0199.546] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0199.546] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0199.546] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849598 | out: pbBuffer=0x12849598) returned 1 [0199.546] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5F3382B8-AFBF-4FEA-8B79-20898FE63A3D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5f3382b8-afbf-4fea-8b79-20898fe63a3d"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.546] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0199.546] WriteFile (in: hFile=0x438, lpBuffer=0x128b2a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128b2a00*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0199.547] CloseHandle (hObject=0x438) returned 1 [0199.556] CloseHandle (hObject=0x15c) returned 1 [0199.568] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128495b0 | out: pbBuffer=0x128495b0) returned 1 [0199.568] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5F3382B8-AFBF-4FEA-8B79-20898FE63A3D" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\5f3382b8-afbf-4fea-8b79-20898fe63a3d"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[09860231FE7B6B6A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[09860231fe7b6b6a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.789] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E4EC81F-6A7B-442E-91B3-150ED476524B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e4ec81f-6a7b-442e-91b3-150ed476524b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0199.790] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0199.790] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E4EC81F-6A7B-442E-91B3-150ED476524B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e4ec81f-6a7b-442e-91b3-150ed476524b"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc853d4e0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc853d4e0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc85646d8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xbec)) returned 1 [0199.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0199.790] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810310 | out: pbBuffer=0x12810310) returned 1 [0199.790] ReadFile (in: hFile=0x15c, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12829d1c*=0xbec, lpOverlapped=0x0) returned 1 [0199.793] GetFileType (hFile=0x15c) returned 0x1 [0199.793] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.793] WriteFile (in: hFile=0x15c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0xbec, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12829d00*=0xbec, lpOverlapped=0x12829d0c) returned 1 [0199.794] GetFileType (hFile=0x15c) returned 0x1 [0199.794] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xbec, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.794] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0199.794] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0199.794] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0199.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128103c8 | out: pbBuffer=0x128103c8) returned 1 [0199.795] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E4EC81F-6A7B-442E-91B3-150ED476524B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e4ec81f-6a7b-442e-91b3-150ed476524b"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0199.795] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0199.795] WriteFile (in: hFile=0x438, lpBuffer=0x128b2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b2000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0199.795] CloseHandle (hObject=0x438) returned 1 [0199.800] CloseHandle (hObject=0x15c) returned 1 [0199.804] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103e0 | out: pbBuffer=0x128103e0) returned 1 [0199.804] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E4EC81F-6A7B-442E-91B3-150ED476524B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\6e4ec81f-6a7b-442e-91b3-150ed476524b"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[04564C7D253471A2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[04564c7d253471a2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0199.935] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9F99-AD59E8565AB6" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9f99-ad59e8565ab6"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0199.936] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0199.936] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9F99-AD59E8565AB6" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9f99-ad59e8565ab6"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8b05ffa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8b05ffa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8b07378, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x60e)) returned 1 [0199.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0199.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c30 | out: pbBuffer=0x12810c30) returned 1 [0199.936] ReadFile (in: hFile=0x15c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a73d1c*=0x60e, lpOverlapped=0x0) returned 1 [0199.940] GetFileType (hFile=0x15c) returned 0x1 [0199.940] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.940] WriteFile (in: hFile=0x15c, lpBuffer=0x1290c700*, nNumberOfBytesToWrite=0x60e, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x1290c700*, lpNumberOfBytesWritten=0x12a73d00*=0x60e, lpOverlapped=0x12a73d0c) returned 1 [0199.941] GetFileType (hFile=0x15c) returned 0x1 [0199.941] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x60e, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0199.941] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0199.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0199.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0199.942] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810ce8 | out: pbBuffer=0x12810ce8) returned 1 [0199.942] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9F99-AD59E8565AB6" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9f99-ad59e8565ab6"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0199.942] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0199.942] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b2500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0199.942] CloseHandle (hObject=0x3c4) returned 1 [0199.993] CloseHandle (hObject=0x15c) returned 1 [0199.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810d00 | out: pbBuffer=0x12810d00) returned 1 [0199.996] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9F99-AD59E8565AB6" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9f99-ad59e8565ab6"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[66E17163A9074F21]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[66e17163a9074f21]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.068] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.071] SetEvent (hEvent=0xfc) returned 1 [0200.071] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7f96d0a4-ecc8-4300-a3c4-8c2b5918bbaa"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0200.071] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.071] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7f96d0a4-ecc8-4300-a3c4-8c2b5918bbaa"), fInfoLevelId=0x0, lpFileInformation=0x12a6dad0 | out: lpFileInformation=0x12a6dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b59afa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b59afa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b59afa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x98d6)) returned 1 [0200.072] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0200.072] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c343f0 | out: pbBuffer=0x12c343f0) returned 1 [0200.072] ReadFile (in: hFile=0x15c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a6dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a6dd1c*=0x98d6, lpOverlapped=0x0) returned 1 [0200.077] GetFileType (hFile=0x15c) returned 0x1 [0200.077] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.078] WriteFile (in: hFile=0x15c, lpBuffer=0x12ad8000*, nNumberOfBytesToWrite=0x98d6, lpNumberOfBytesWritten=0x12a6dd00, lpOverlapped=0x12a6dd0c | out: lpBuffer=0x12ad8000*, lpNumberOfBytesWritten=0x12a6dd00*=0x98d6, lpOverlapped=0x12a6dd0c) returned 1 [0200.078] GetFileType (hFile=0x15c) returned 0x1 [0200.078] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x98d6, lpNewFilePointer=0x0, dwMoveMethod=0x12a6dce4 | out: lpNewFilePointer=0x0) returned 1 [0200.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0200.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0200.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0200.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c344a8 | out: pbBuffer=0x12c344a8) returned 1 [0200.079] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7f96d0a4-ecc8-4300-a3c4-8c2b5918bbaa"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.080] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6dd0c | out: lpMode=0x12a6dd0c) returned 0 [0200.080] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a24500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a24500*, lpNumberOfBytesWritten=0x12a6dd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.080] CloseHandle (hObject=0x3c4) returned 1 [0200.083] CloseHandle (hObject=0x15c) returned 1 [0200.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c344c0 | out: pbBuffer=0x12c344c0) returned 1 [0200.085] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\7f96d0a4-ecc8-4300-a3c4-8c2b5918bbaa"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[CE629144340D23D7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[ce629144340d23d7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.382] SwitchToThread () returned 1 [0200.387] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.417] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.426] SetEvent (hEvent=0x1d0) returned 1 [0200.426] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\89953CAA-1AB9-4A6E-A488-DFEFC5075387" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\89953caa-1ab9-4a6e-a488-dfefc5075387"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.426] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0200.426] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\89953CAA-1AB9-4A6E-A488-DFEFC5075387" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\89953caa-1ab9-4a6e-a488-dfefc5075387"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c2c9d8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c2c9d8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c2c9d8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x17be)) returned 1 [0200.427] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0200.427] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0200.427] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a73d1c*=0x17be, lpOverlapped=0x0) returned 1 [0200.673] GetFileType (hFile=0x3c4) returned 0x1 [0200.673] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.673] WriteFile (in: hFile=0x3c4, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x17be, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x12a73d00*=0x17be, lpOverlapped=0x12a73d0c) returned 1 [0200.673] GetFileType (hFile=0x3c4) returned 0x1 [0200.673] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x17be, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801981 | out: pbBuffer=0x12801981) returned 1 [0200.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801a81 | out: pbBuffer=0x12801a81) returned 1 [0200.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b81 | out: pbBuffer=0x12801b81) returned 1 [0200.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849980 | out: pbBuffer=0x12849980) returned 1 [0200.674] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\89953CAA-1AB9-4A6E-A488-DFEFC5075387" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\89953caa-1ab9-4a6e-a488-dfefc5075387"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.675] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0200.675] WriteFile (in: hFile=0x448, lpBuffer=0x12850a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12850a00*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.675] CloseHandle (hObject=0x448) returned 1 [0200.675] CloseHandle (hObject=0x3c4) returned 1 [0200.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849998 | out: pbBuffer=0x12849998) returned 1 [0200.675] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\89953CAA-1AB9-4A6E-A488-DFEFC5075387" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\89953caa-1ab9-4a6e-a488-dfefc5075387"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[7CEDD53FEDB50089]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[7cedd53fedb50089]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9639F732-A0F4-4A33-92A0-01330C0BB8C3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9639f732-a0f4-4a33-92a0-01330c0bb8c3"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a305e3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a305e3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a7fd33, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7d42)) returned 1 [0200.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\96BAA0E7-CE03-46C0-A45A-8F71ADB9C825" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\96baa0e7-ce03-46c0-a45a-8f71adb9c825"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83bbe8a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc83bbe8a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc83bd386, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8b)) returned 1 [0200.678] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9639F732-A0F4-4A33-92A0-01330C0BB8C3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9639f732-a0f4-4a33-92a0-01330c0bb8c3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.678] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0200.678] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9639F732-A0F4-4A33-92A0-01330C0BB8C3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9639f732-a0f4-4a33-92a0-01330c0bb8c3"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a305e3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a305e3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a7fd33, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7d42)) returned 1 [0200.679] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845880 | out: pbBuffer=0x12845880) returned 1 [0200.679] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0200.679] ReadFile (in: hFile=0x3c4, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a73d1c*=0x7d42, lpOverlapped=0x0) returned 1 [0200.684] GetFileType (hFile=0x3c4) returned 0x1 [0200.685] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.685] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x7d42, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12a73d00*=0x7d42, lpOverlapped=0x12a73d0c) returned 1 [0200.685] GetFileType (hFile=0x3c4) returned 0x1 [0200.685] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x7d42, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0200.686] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801d81 | out: pbBuffer=0x12801d81) returned 1 [0200.686] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801e81 | out: pbBuffer=0x12801e81) returned 1 [0200.686] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801f81 | out: pbBuffer=0x12801f81) returned 1 [0200.686] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101c8 | out: pbBuffer=0x128101c8) returned 1 [0200.686] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9639F732-A0F4-4A33-92A0-01330C0BB8C3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9639f732-a0f4-4a33-92a0-01330c0bb8c3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.687] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0200.687] WriteFile (in: hFile=0x448, lpBuffer=0x12850f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12850f00*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0200.687] CloseHandle (hObject=0x448) returned 1 [0200.687] CloseHandle (hObject=0x3c4) returned 1 [0200.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101e0 | out: pbBuffer=0x128101e0) returned 1 [0200.688] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9639F732-A0F4-4A33-92A0-01330C0BB8C3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\9639f732-a0f4-4a33-92a0-01330c0bb8c3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[4849A1AEA443CA12]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[4849a1aea443ca12]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.689] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\96BAA0E7-CE03-46C0-A45A-8F71ADB9C825" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\96baa0e7-ce03-46c0-a45a-8f71adb9c825"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.690] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0200.690] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\96BAA0E7-CE03-46C0-A45A-8F71ADB9C825" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\96baa0e7-ce03-46c0-a45a-8f71adb9c825"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83bbe8a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc83bbe8a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc83bd386, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8b)) returned 1 [0200.690] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845a80 | out: pbBuffer=0x12845a80) returned 1 [0200.690] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810228 | out: pbBuffer=0x12810228) returned 1 [0200.691] ReadFile (in: hFile=0x3c4, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12a73d1c*=0xd8b, lpOverlapped=0x0) returned 1 [0200.717] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.747] SwitchToThread () returned 1 [0200.775] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.804] SetEvent (hEvent=0x1d0) returned 1 [0200.804] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A2F95592-6A7F-475A-878F-C593DA8BBEDD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a2f95592-6a7f-475a-878f-c593da8bbedd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.805] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0200.805] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A2F95592-6A7F-475A-878F-C593DA8BBEDD" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\a2f95592-6a7f-475a-878f-c593da8bbedd"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829ef008, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829ef008, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829ef008, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x990a)) returned 1 [0200.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e3c0 | out: pbBuffer=0x1280e3c0) returned 1 [0200.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0200.805] ReadFile (in: hFile=0x438, lpBuffer=0x12a2e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a2e000*, lpNumberOfBytesRead=0x12a73d1c*=0x990a, lpOverlapped=0x0) returned 1 [0200.832] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.868] SetEvent (hEvent=0x3f8) returned 1 [0200.868] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.878] SetEvent (hEvent=0x1d0) returned 1 [0200.878] SetEvent (hEvent=0x420) returned 1 [0200.878] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0200.892] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.892] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0200.897] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.897] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0200.897] SetEvent (hEvent=0x3f4) returned 1 [0200.897] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0200.908] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0200.908] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B20989ED-6B03-4803-ADD0-4360553EC384" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b20989ed-6b03-4803-add0-4360553ec384"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.909] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0200.909] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B20989ED-6B03-4803-ADD0-4360553EC384" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b20989ed-6b03-4803-add0-4360553ec384"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c666c7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8c666c7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8c666c7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x148c)) returned 1 [0200.909] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0200.909] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0200.909] ReadFile (in: hFile=0x438, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x129abd1c*=0x148c, lpOverlapped=0x0) returned 1 [0200.935] GetFileType (hFile=0x438) returned 0x1 [0200.935] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0200.935] WriteFile (in: hFile=0x438, lpBuffer=0x12902a00*, nNumberOfBytesToWrite=0x148c, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12902a00*, lpNumberOfBytesWritten=0x129abd00*=0x148c, lpOverlapped=0x129abd0c) returned 1 [0200.936] GetFileType (hFile=0x438) returned 0x1 [0200.936] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x148c, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0200.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0200.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0200.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0200.936] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0200.937] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B20989ED-6B03-4803-ADD0-4360553EC384" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b20989ed-6b03-4803-add0-4360553ec384"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0200.937] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0200.937] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.937] CloseHandle (hObject=0x448) returned 1 [0200.937] CloseHandle (hObject=0x438) returned 1 [0200.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0200.937] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B20989ED-6B03-4803-ADD0-4360553EC384" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\b20989ed-6b03-4803-add0-4360553ec384"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[9EF0066037A1B088]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[9ef0066037a1b088]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.939] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C0B5FEFE-C6C1-439E-B89D-E39A2031E527" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c0b5fefe-c6c1-439e-b89d-e39a2031e527"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0200.939] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0200.939] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C0B5FEFE-C6C1-439E-B89D-E39A2031E527" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c0b5fefe-c6c1-439e-b89d-e39a2031e527"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c1295, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c1295, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c1295, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3c73)) returned 1 [0200.939] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98440 | out: pbBuffer=0x12a98440) returned 1 [0200.939] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810290 | out: pbBuffer=0x12810290) returned 1 [0200.939] ReadFile (in: hFile=0x438, lpBuffer=0x12b96000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b96000*, lpNumberOfBytesRead=0x129abd1c*=0x3c73, lpOverlapped=0x0) returned 1 [0200.966] GetFileType (hFile=0x438) returned 0x1 [0200.966] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0200.966] WriteFile (in: hFile=0x438, lpBuffer=0x12c16000*, nNumberOfBytesToWrite=0x3c73, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12c16000*, lpNumberOfBytesWritten=0x129abd00*=0x3c73, lpOverlapped=0x129abd0c) returned 1 [0200.966] GetFileType (hFile=0x438) returned 0x1 [0200.966] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x3c73, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0200.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0200.967] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0200.967] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0200.967] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848d88 | out: pbBuffer=0x12848d88) returned 1 [0200.967] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C0B5FEFE-C6C1-439E-B89D-E39A2031E527" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c0b5fefe-c6c1-439e-b89d-e39a2031e527"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0200.967] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0200.967] WriteFile (in: hFile=0x3c4, lpBuffer=0x129b4f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x129b4f00*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0200.968] CloseHandle (hObject=0x3c4) returned 1 [0200.968] CloseHandle (hObject=0x438) returned 1 [0200.968] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848db0 | out: pbBuffer=0x12848db0) returned 1 [0200.968] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C0B5FEFE-C6C1-439E-B89D-E39A2031E527" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c0b5fefe-c6c1-439e-b89d-e39a2031e527"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[A1CF2C5C2CAFA92A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[a1cf2c5c2cafa92a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0200.972] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0201.074] SetEvent (hEvent=0x3f4) returned 1 [0201.074] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0201.077] SetEvent (hEvent=0x3f4) returned 1 [0201.077] SetEvent (hEvent=0x1d0) returned 1 [0201.077] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0201.077] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0201.077] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0201.078] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810100 | out: pbBuffer=0x12810100) returned 1 [0201.078] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C9B26F48-B9B2-452D-9E4F-BD539A769B1B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c9b26f48-b9b2-452d-9e4f-bd539a769b1b"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.078] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.078] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.078] CloseHandle (hObject=0x448) returned 1 [0201.078] CloseHandle (hObject=0x438) returned 1 [0201.079] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810118 | out: pbBuffer=0x12810118) returned 1 [0201.079] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C9B26F48-B9B2-452D-9E4F-BD539A769B1B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\c9b26f48-b9b2-452d-9e4f-bd539a769b1b"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[718EF973DDBE619B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[718ef973ddbe619b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.080] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D7F62263-4202-4285-AB58-35DFBBB7899C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d7f62263-4202-4285-ab58-35dfbbb7899c"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0201.081] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.081] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D7F62263-4202-4285-AB58-35DFBBB7899C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d7f62263-4202-4285-ab58-35dfbbb7899c"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e43432, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e43432, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e43432, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6f72)) returned 1 [0201.081] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0201.081] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0201.081] ReadFile (in: hFile=0x438, lpBuffer=0x12988000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12988000*, lpNumberOfBytesRead=0x12a71d1c*=0x6f72, lpOverlapped=0x0) returned 1 [0201.167] GetFileType (hFile=0x438) returned 0x1 [0201.167] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.167] WriteFile (in: hFile=0x438, lpBuffer=0x12a18000*, nNumberOfBytesToWrite=0x6f72, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12a18000*, lpNumberOfBytesWritten=0x12a71d00*=0x6f72, lpOverlapped=0x12a71d0c) returned 1 [0201.168] GetFileType (hFile=0x438) returned 0x1 [0201.168] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x6f72, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801581 | out: pbBuffer=0x12801581) returned 1 [0201.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801681 | out: pbBuffer=0x12801681) returned 1 [0201.168] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801781 | out: pbBuffer=0x12801781) returned 1 [0201.169] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810ae0 | out: pbBuffer=0x12810ae0) returned 1 [0201.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D7F62263-4202-4285-AB58-35DFBBB7899C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d7f62263-4202-4285-ab58-35dfbbb7899c"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.169] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.169] WriteFile (in: hFile=0x448, lpBuffer=0x12924000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12924000*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.169] CloseHandle (hObject=0x448) returned 1 [0201.170] CloseHandle (hObject=0x438) returned 1 [0201.170] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810af8 | out: pbBuffer=0x12810af8) returned 1 [0201.170] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D7F62263-4202-4285-AB58-35DFBBB7899C" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\d7f62263-4202-4285-ab58-35dfbbb7899c"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[0B2D7E7376922485]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[0b2d7e7376922485]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.171] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E457C019-B991-4CCC-8425-CCD48E271DFC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e457c019-b991-4ccc-8425-ccd48e271dfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0201.171] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.172] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E457C019-B991-4CCC-8425-CCD48E271DFC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e457c019-b991-4ccc-8425-ccd48e271dfc"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8850b3e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8850b3e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8850b3e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x38f)) returned 1 [0201.172] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98a40 | out: pbBuffer=0x12a98a40) returned 1 [0201.172] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810b40 | out: pbBuffer=0x12810b40) returned 1 [0201.172] ReadFile (in: hFile=0x438, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a71d1c*=0x38f, lpOverlapped=0x0) returned 1 [0201.174] GetFileType (hFile=0x438) returned 0x1 [0201.174] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.174] WriteFile (in: hFile=0x438, lpBuffer=0x1287f800*, nNumberOfBytesToWrite=0x38f, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x1287f800*, lpNumberOfBytesWritten=0x12a71d00*=0x38f, lpOverlapped=0x12a71d0c) returned 1 [0201.175] GetFileType (hFile=0x438) returned 0x1 [0201.175] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x38f, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801981 | out: pbBuffer=0x12801981) returned 1 [0201.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801a81 | out: pbBuffer=0x12801a81) returned 1 [0201.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b81 | out: pbBuffer=0x12801b81) returned 1 [0201.175] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810bf8 | out: pbBuffer=0x12810bf8) returned 1 [0201.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E457C019-B991-4CCC-8425-CCD48E271DFC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e457c019-b991-4ccc-8425-ccd48e271dfc"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.176] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.176] WriteFile (in: hFile=0x448, lpBuffer=0x12924500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12924500*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.176] CloseHandle (hObject=0x448) returned 1 [0201.181] CloseHandle (hObject=0x438) returned 1 [0201.181] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c10 | out: pbBuffer=0x12810c10) returned 1 [0201.181] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E457C019-B991-4CCC-8425-CCD48E271DFC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e457c019-b991-4ccc-8425-ccd48e271dfc"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[56F4A9C650B9E157]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[56f4a9c650b9e157]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.183] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E64AA1EE-3ABD-40DD-9A7A-E7E891151C82" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e64aa1ee-3abd-40dd-9a7a-e7e891151c82"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e928f1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e928f1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e93c87, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f40)) returned 1 [0201.183] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E8B41E01-FE51-4F72-9829-70D724467D17" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e8b41e01-fe51-4f72-9829-70d724467d17"), fInfoLevelId=0x0, lpFileInformation=0x1282b89c | out: lpFileInformation=0x1282b89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bd5ee3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bd5ee3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bd85f4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3380)) returned 1 [0201.184] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E64AA1EE-3ABD-40DD-9A7A-E7E891151C82" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e64aa1ee-3abd-40dd-9a7a-e7e891151c82"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0201.184] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.184] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E64AA1EE-3ABD-40DD-9A7A-E7E891151C82" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e64aa1ee-3abd-40dd-9a7a-e7e891151c82"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e928f1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e928f1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e93c87, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f40)) returned 1 [0201.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98c40 | out: pbBuffer=0x12a98c40) returned 1 [0201.184] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128111b0 | out: pbBuffer=0x128111b0) returned 1 [0201.185] ReadFile (in: hFile=0x438, lpBuffer=0x12b72000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b72000*, lpNumberOfBytesRead=0x12a71d1c*=0x1f40, lpOverlapped=0x0) returned 1 [0201.265] GetFileType (hFile=0x438) returned 0x1 [0201.265] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.265] WriteFile (in: hFile=0x438, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x12a71d00*=0x1f40, lpOverlapped=0x12a71d0c) returned 1 [0201.265] GetFileType (hFile=0x438) returned 0x1 [0201.265] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x1f40, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.265] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0201.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0201.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0201.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0201.266] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E64AA1EE-3ABD-40DD-9A7A-E7E891151C82" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e64aa1ee-3abd-40dd-9a7a-e7e891151c82"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.266] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.266] WriteFile (in: hFile=0x448, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.267] CloseHandle (hObject=0x448) returned 1 [0201.267] CloseHandle (hObject=0x438) returned 1 [0201.267] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0201.267] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E64AA1EE-3ABD-40DD-9A7A-E7E891151C82" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\e64aa1ee-3abd-40dd-9a7a-e7e891151c82"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[B85DA717A9C89E84]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[b85da717a9c89e84]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.268] SetEvent (hEvent=0x3f4) returned 1 [0201.268] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F31F431A-DF78-48BC-9A30-E15E83A7DF3B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f31f431a-df78-48bc-9a30-e15e83a7df3b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0201.268] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.268] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F31F431A-DF78-48BC-9A30-E15E83A7DF3B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f31f431a-df78-48bc-9a30-e15e83a7df3b"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba00b7d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba00b7d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba00b7d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x18bd)) returned 1 [0201.268] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0201.268] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810170 | out: pbBuffer=0x12810170) returned 1 [0201.269] ReadFile (in: hFile=0x438, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a71d1c*=0x18bd, lpOverlapped=0x0) returned 1 [0201.390] SetEvent (hEvent=0x110) returned 1 [0201.390] GetFileType (hFile=0x438) returned 0x1 [0201.391] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.391] WriteFile (in: hFile=0x438, lpBuffer=0x128f9980*, nNumberOfBytesToWrite=0x18bd, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x128f9980*, lpNumberOfBytesWritten=0x12a71d00*=0x18bd, lpOverlapped=0x12a71d0c) returned 1 [0201.391] GetFileType (hFile=0x438) returned 0x1 [0201.391] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x18bd, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0201.391] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0201.392] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0201.392] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128109c0 | out: pbBuffer=0x128109c0) returned 1 [0201.392] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F31F431A-DF78-48BC-9A30-E15E83A7DF3B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f31f431a-df78-48bc-9a30-e15e83a7df3b"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0201.392] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.392] WriteFile (in: hFile=0x448, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.392] CloseHandle (hObject=0x448) returned 1 [0201.392] CloseHandle (hObject=0x438) returned 1 [0201.392] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109d8 | out: pbBuffer=0x128109d8) returned 1 [0201.393] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F31F431A-DF78-48BC-9A30-E15E83A7DF3B" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\f31f431a-df78-48bc-9a30-e15e83a7df3b"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[7F6BADBBEA63F6B8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[7f6badbbea63f6b8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.394] SetEvent (hEvent=0x1d0) returned 1 [0201.394] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\fdac0094-8c06-4be5-856f-0db7bb8f69b9"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0201.394] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.394] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\fdac0094-8c06-4be5-856f-0db7bb8f69b9"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49ec6e1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49ec6e1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49eda26, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486e)) returned 1 [0201.394] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98820 | out: pbBuffer=0x12a98820) returned 1 [0201.394] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810a20 | out: pbBuffer=0x12810a20) returned 1 [0201.394] ReadFile (in: hFile=0x438, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x12a71d1c*=0x486e, lpOverlapped=0x0) returned 1 [0201.558] GetFileType (hFile=0x438) returned 0x1 [0201.558] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.558] WriteFile (in: hFile=0x438, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x486e, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12a71d00*=0x486e, lpOverlapped=0x12a71d0c) returned 1 [0201.559] GetFileType (hFile=0x438) returned 0x1 [0201.559] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x486e, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0201.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0201.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0201.559] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128101c0 | out: pbBuffer=0x128101c0) returned 1 [0201.559] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\fdac0094-8c06-4be5-856f-0db7bb8f69b9"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0201.560] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.560] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.560] CloseHandle (hObject=0x42c) returned 1 [0201.560] CloseHandle (hObject=0x438) returned 1 [0201.560] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101d8 | out: pbBuffer=0x128101d8) returned 1 [0201.560] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\fdac0094-8c06-4be5-856f-0db7bb8f69b9"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\#_THIS_FILE_IS_ENCRYPTED_[A75536AB0DCAD753]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\#_this_file_is_encrypted_[a75536ab0dcad753]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.561] SetEvent (hEvent=0xfc) returned 1 [0201.561] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\excel.exe_rules.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0201.562] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.562] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\excel.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba9333c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba9333c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6b3f26a7, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x13bd9)) returned 1 [0201.562] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98400 | out: pbBuffer=0x12a98400) returned 1 [0201.562] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810220 | out: pbBuffer=0x12810220) returned 1 [0201.562] ReadFile (in: hFile=0x438, lpBuffer=0x12c92000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c92000*, lpNumberOfBytesRead=0x12a71d1c*=0x13bd9, lpOverlapped=0x0) returned 1 [0201.582] GetFileType (hFile=0x438) returned 0x1 [0201.582] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.582] WriteFile (in: hFile=0x438, lpBuffer=0x12a38000*, nNumberOfBytesToWrite=0x13bd9, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12a38000*, lpNumberOfBytesWritten=0x12a71d00*=0x13bd9, lpOverlapped=0x12a71d0c) returned 1 [0201.582] GetFileType (hFile=0x438) returned 0x1 [0201.582] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x13bd9, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0201.582] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801001 | out: pbBuffer=0x12801001) returned 1 [0201.583] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0201.583] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0201.584] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810690 | out: pbBuffer=0x12810690) returned 1 [0201.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\excel.exe_rules.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0201.584] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.584] WriteFile (in: hFile=0x42c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0201.584] CloseHandle (hObject=0x42c) returned 1 [0201.589] CloseHandle (hObject=0x438) returned 1 [0201.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128109a8 | out: pbBuffer=0x128109a8) returned 1 [0201.597] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\excel.exe_rules.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\#_THIS_FILE_IS_ENCRYPTED_[B9577D8670017CB8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\#_this_file_is_encrypted_[b9577d8670017cb8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0201.737] SetEvent (hEvent=0x3f8) returned 1 [0201.737] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\outlook.exe_rules.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0201.737] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0201.737] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\outlook.exe_rules.xml"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b96fdbf, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x14a91)) returned 1 [0201.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a99b80 | out: pbBuffer=0x12a99b80) returned 1 [0201.737] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810dd0 | out: pbBuffer=0x12810dd0) returned 1 [0201.737] ReadFile (in: hFile=0x438, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a71d1c*=0x14a91, lpOverlapped=0x0) returned 1 [0202.593] GetFileType (hFile=0x438) returned 0x1 [0202.593] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0202.593] WriteFile (in: hFile=0x438, lpBuffer=0x12968000*, nNumberOfBytesToWrite=0x14a91, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12968000*, lpNumberOfBytesWritten=0x12a71d00*=0x14a91, lpOverlapped=0x12a71d0c) returned 1 [0202.687] GetFileType (hFile=0x438) returned 0x1 [0202.687] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x14a91, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0203.075] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0203.178] SwitchToThread () returned 1 [0203.226] SetEvent (hEvent=0x3f8) returned 1 [0203.226] ReadFile (in: hFile=0x1a0, lpBuffer=0x12d06000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a87d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d06000*, lpNumberOfBytesRead=0x12a87d1c*=0x20000, lpOverlapped=0x0) returned 1 [0203.329] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0203.406] SetEvent (hEvent=0x1d0) returned 1 [0203.406] GetFileType (hFile=0x1a0) returned 0x1 [0203.406] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a87ce4 | out: lpNewFilePointer=0x0) returned 1 [0203.406] WriteFile (in: hFile=0x1a0, lpBuffer=0x12d4e000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a87d00, lpOverlapped=0x12a87d0c | out: lpBuffer=0x12d4e000*, lpNumberOfBytesWritten=0x12a87d00*=0x20000, lpOverlapped=0x12a87d0c) returned 1 [0203.407] GetFileType (hFile=0x1a0) returned 0x1 [0203.407] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a87ce4 | out: lpNewFilePointer=0x0) returned 1 [0203.469] SetEvent (hEvent=0x1d0) returned 1 [0203.469] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0203.483] SetEvent (hEvent=0x1d0) returned 1 [0203.483] SetEvent (hEvent=0x3f8) returned 1 [0203.483] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0203.592] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0203.592] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0203.805] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810078 | out: pbBuffer=0x12810078) returned 1 [0203.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\powerpnt.exe_rules.xml"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0203.806] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a6fd0c | out: lpMode=0x12a6fd0c) returned 0 [0203.806] WriteFile (in: hFile=0x3c4, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a6fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12a6fd0c*=0x276, lpOverlapped=0x0) returned 1 [0203.806] CloseHandle (hObject=0x3c4) returned 1 [0203.806] CloseHandle (hObject=0x15c) returned 1 [0203.806] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128100b0 | out: pbBuffer=0x128100b0) returned 1 [0203.883] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\powerpnt.exe_rules.xml"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\#_THIS_FILE_IS_ENCRYPTED_[7068CDBA2E413A01]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\#_this_file_is_encrypted_[7068cdba2e413a01]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.324] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0204.343] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0204.370] SetEvent (hEvent=0x420) returned 1 [0204.370] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0204.371] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.371] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otelemediumcost.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3041919, ftCreationTime.dwHighDateTime=0x1d7b063, ftLastAccessTime.dwLowDateTime=0xa3041919, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0xa3041919, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x345)) returned 1 [0204.372] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e8e0 | out: pbBuffer=0x1280e8e0) returned 1 [0204.372] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2f0 | out: pbBuffer=0x12a9a2f0) returned 1 [0204.373] ReadFile (in: hFile=0x448, lpBuffer=0x129c6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x129c6000*, lpNumberOfBytesRead=0x12a71d1c*=0x345, lpOverlapped=0x0) returned 1 [0204.382] GetFileType (hFile=0x448) returned 0x1 [0204.382] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.382] WriteFile (in: hFile=0x448, lpBuffer=0x12a38000*, nNumberOfBytesToWrite=0x345, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12a38000*, lpNumberOfBytesWritten=0x12a71d00*=0x345, lpOverlapped=0x12a71d0c) returned 1 [0204.382] GetFileType (hFile=0x448) returned 0x1 [0204.383] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x345, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc01 | out: pbBuffer=0x12afcc01) returned 1 [0204.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd01 | out: pbBuffer=0x12afcd01) returned 1 [0204.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0204.384] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a3f8 | out: pbBuffer=0x12a9a3f8) returned 1 [0204.384] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.384] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.384] WriteFile (in: hFile=0x3c4, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.384] CloseHandle (hObject=0x3c4) returned 1 [0204.386] CloseHandle (hObject=0x448) returned 1 [0204.393] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a410 | out: pbBuffer=0x12a9a410) returned 1 [0204.393] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{8C5C453E-F1E7-456C-A78B-1F97C49F7A1D} (0) - 2988 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{8c5c453e-f1e7-456c-a78b-1f97c49f7a1d} (0) - 2988 - excel.exe - otelemediumcost.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\#_THIS_FILE_IS_ENCRYPTED_[FF9BCA1DE3601594]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\#_this_file_is_encrypted_[ff9bca1de3601594]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.670] SetEvent (hEvent=0x3f8) returned 1 [0204.670] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplaylogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.671] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.671] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cd17d55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8cd17d55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8dfb8492, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0204.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0204.671] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0204.671] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12a71d1c*=0x123c, lpOverlapped=0x0) returned 1 [0204.677] GetFileType (hFile=0x3c4) returned 0x1 [0204.677] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.677] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x123c, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12a71d00*=0x123c, lpOverlapped=0x12a71d0c) returned 1 [0204.677] GetFileType (hFile=0x3c4) returned 0x1 [0204.677] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x123c, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0204.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0204.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0204.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0204.679] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplaylogo.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.679] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.679] WriteFile (in: hFile=0x438, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.679] CloseHandle (hObject=0x438) returned 1 [0204.679] CloseHandle (hObject=0x3c4) returned 1 [0204.679] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0204.680] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplaylogo.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\#_THIS_FILE_IS_ENCRYPTED_[0746BEB5C4878748]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\#_this_file_is_encrypted_[0746beb5c4878748]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.681] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.682] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.682] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f743688, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8f743688, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91beba26, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0204.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0204.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810170 | out: pbBuffer=0x12810170) returned 1 [0204.682] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12a71d1c*=0x20000, lpOverlapped=0x0) returned 1 [0204.693] GetFileType (hFile=0x3c4) returned 0x1 [0204.693] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.693] WriteFile (in: hFile=0x3c4, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12a71d00*=0x20000, lpOverlapped=0x12a71d0c) returned 1 [0204.694] GetFileType (hFile=0x3c4) returned 0x1 [0204.694] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0204.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0204.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0204.695] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810228 | out: pbBuffer=0x12810228) returned 1 [0204.695] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0204.696] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.696] WriteFile (in: hFile=0x448, lpBuffer=0x12a90500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90500*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.702] CloseHandle (hObject=0x448) returned 1 [0204.703] CloseHandle (hObject=0x3c4) returned 1 [0204.703] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0204.703] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\#_THIS_FILE_IS_ENCRYPTED_[C662B5FD94943262]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\#_this_file_is_encrypted_[c662b5fd94943262]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.704] SetEvent (hEvent=0x3f8) returned 1 [0204.704] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.705] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.705] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x922c670c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x922c670c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92849c84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x27f2)) returned 1 [0204.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98440 | out: pbBuffer=0x12a98440) returned 1 [0204.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810298 | out: pbBuffer=0x12810298) returned 1 [0204.705] ReadFile (in: hFile=0x3c4, lpBuffer=0x12ba8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ba8000*, lpNumberOfBytesRead=0x12a71d1c*=0x27f2, lpOverlapped=0x0) returned 1 [0204.713] GetFileType (hFile=0x3c4) returned 0x1 [0204.713] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.713] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a40000*, nNumberOfBytesToWrite=0x27f2, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12a40000*, lpNumberOfBytesWritten=0x12a71d00*=0x27f2, lpOverlapped=0x12a71d0c) returned 1 [0204.713] GetFileType (hFile=0x3c4) returned 0x1 [0204.713] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x27f2, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.713] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0204.713] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0204.714] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0204.714] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810350 | out: pbBuffer=0x12810350) returned 1 [0204.714] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.714] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.714] WriteFile (in: hFile=0x438, lpBuffer=0x12a90a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90a00*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.714] CloseHandle (hObject=0x438) returned 1 [0204.715] CloseHandle (hObject=0x3c4) returned 1 [0204.715] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810368 | out: pbBuffer=0x12810368) returned 1 [0204.715] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\#_THIS_FILE_IS_ENCRYPTED_[A270A37B3DC403D1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\#_this_file_is_encrypted_[a270a37b3dc403d1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.717] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.717] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.717] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\collectonedrivelogs.bat"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92ed8427, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92ed8427, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93350a85, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x16da)) returned 1 [0204.717] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98640 | out: pbBuffer=0x12a98640) returned 1 [0204.717] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128103b0 | out: pbBuffer=0x128103b0) returned 1 [0204.718] ReadFile (in: hFile=0x3c4, lpBuffer=0x12d28000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d28000*, lpNumberOfBytesRead=0x12a71d1c*=0x16da, lpOverlapped=0x0) returned 1 [0204.731] GetFileType (hFile=0x3c4) returned 0x1 [0204.731] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.731] WriteFile (in: hFile=0x3c4, lpBuffer=0x12afe000*, nNumberOfBytesToWrite=0x16da, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12afe000*, lpNumberOfBytesWritten=0x12a71d00*=0x16da, lpOverlapped=0x12a71d0c) returned 1 [0204.731] GetFileType (hFile=0x3c4) returned 0x1 [0204.731] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x16da, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0204.732] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0204.732] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0204.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810468 | out: pbBuffer=0x12810468) returned 1 [0204.734] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\collectonedrivelogs.bat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.734] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.734] WriteFile (in: hFile=0x438, lpBuffer=0x12a90f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a90f00*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.734] CloseHandle (hObject=0x438) returned 1 [0204.734] CloseHandle (hObject=0x3c4) returned 1 [0204.735] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810480 | out: pbBuffer=0x12810480) returned 1 [0204.735] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\collectonedrivelogs.bat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\#_THIS_FILE_IS_ENCRYPTED_[156668EDFC8D0B04]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\#_this_file_is_encrypted_[156668edfc8d0b04]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.742] SetEvent (hEvent=0x40c) returned 1 [0204.742] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\etwlog.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.743] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.743] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\etwlog.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93ea3eb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93ea3eb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9404784f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x72c0)) returned 1 [0204.743] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98840 | out: pbBuffer=0x12a98840) returned 1 [0204.745] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128104c8 | out: pbBuffer=0x128104c8) returned 1 [0204.746] ReadFile (in: hFile=0x3c4, lpBuffer=0x12d68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d68000*, lpNumberOfBytesRead=0x12a71d1c*=0x72c0, lpOverlapped=0x0) returned 1 [0204.759] GetFileType (hFile=0x3c4) returned 0x1 [0204.759] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.759] WriteFile (in: hFile=0x3c4, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x72c0, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12a71d00*=0x72c0, lpOverlapped=0x12a71d0c) returned 1 [0204.759] GetFileType (hFile=0x3c4) returned 0x1 [0204.759] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x72c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801301 | out: pbBuffer=0x12801301) returned 1 [0204.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801401 | out: pbBuffer=0x12801401) returned 1 [0204.760] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0204.761] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810580 | out: pbBuffer=0x12810580) returned 1 [0204.761] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\etwlog.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0204.762] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.762] WriteFile (in: hFile=0x438, lpBuffer=0x12a91400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a91400*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.762] CloseHandle (hObject=0x438) returned 1 [0204.762] CloseHandle (hObject=0x3c4) returned 1 [0204.762] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810598 | out: pbBuffer=0x12810598) returned 1 [0204.763] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\etwlog.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\#_THIS_FILE_IS_ENCRYPTED_[7AB2BC929A877388]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\#_this_file_is_encrypted_[7ab2bc929a877388]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.764] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0204.764] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.764] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94bc0dc5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94bc0dc5, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94ebbc59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0204.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98a40 | out: pbBuffer=0x12a98a40) returned 1 [0204.764] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128105e0 | out: pbBuffer=0x128105e0) returned 1 [0204.765] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0204.769] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0204.769] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0204.770] SetEvent (hEvent=0x110) returned 1 [0204.770] SetEvent (hEvent=0x40c) returned 1 [0204.770] ReadFile (in: hFile=0x3c4, lpBuffer=0x129e6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x129e6000*, lpNumberOfBytesRead=0x12a71d1c*=0x140c0, lpOverlapped=0x0) returned 1 [0204.776] GetFileType (hFile=0x3c4) returned 0x1 [0204.776] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.776] WriteFile (in: hFile=0x3c4, lpBuffer=0x12a26000*, nNumberOfBytesToWrite=0x140c0, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12a26000*, lpNumberOfBytesWritten=0x12a71d00*=0x140c0, lpOverlapped=0x12a71d0c) returned 1 [0204.777] GetFileType (hFile=0x3c4) returned 0x1 [0204.777] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x140c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0204.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801681 | out: pbBuffer=0x12801681) returned 1 [0204.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801781 | out: pbBuffer=0x12801781) returned 1 [0204.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801881 | out: pbBuffer=0x12801881) returned 1 [0204.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810698 | out: pbBuffer=0x12810698) returned 1 [0204.778] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.localizedresources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0204.778] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0204.778] WriteFile (in: hFile=0x1a0, lpBuffer=0x12a91900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a91900*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0204.778] CloseHandle (hObject=0x1a0) returned 1 [0204.778] CloseHandle (hObject=0x3c4) returned 1 [0204.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128106b0 | out: pbBuffer=0x128106b0) returned 1 [0204.779] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.localizedresources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\#_THIS_FILE_IS_ENCRYPTED_[DC5ECD4CE7CAA62C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\#_this_file_is_encrypted_[dc5ecd4ce7caa62c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0204.997] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.164] SetEvent (hEvent=0xfc) returned 1 [0205.164] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.165] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0205.165] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8edba01f, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8edba01f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8f89abc5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x152c0)) returned 1 [0205.165] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844760 | out: pbBuffer=0x12844760) returned 1 [0205.166] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34160 | out: pbBuffer=0x12c34160) returned 1 [0205.178] ReadFile (in: hFile=0x448, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12a73d1c*=0x152c0, lpOverlapped=0x0) returned 1 [0205.204] GetFileType (hFile=0x448) returned 0x1 [0205.204] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.204] WriteFile (in: hFile=0x448, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x152c0, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12a73d00*=0x152c0, lpOverlapped=0x12a73d0c) returned 1 [0205.205] GetFileType (hFile=0x448) returned 0x1 [0205.205] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x152c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.217] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0205.217] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0205.222] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0205.222] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34218 | out: pbBuffer=0x12c34218) returned 1 [0205.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0205.223] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0205.223] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0205.223] CloseHandle (hObject=0x1a0) returned 1 [0205.224] CloseHandle (hObject=0x448) returned 1 [0205.224] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34230 | out: pbBuffer=0x12c34230) returned 1 [0205.224] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\#_THIS_FILE_IS_ENCRYPTED_[4C0A0DC6993EB1FC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\#_this_file_is_encrypted_[4c0a0dc6993eb1fc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.435] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.440] SetEvent (hEvent=0x1d0) returned 1 [0205.440] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.441] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0205.441] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a79a9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x907a79a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90ea89ac, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0205.441] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e940 | out: pbBuffer=0x1280e940) returned 1 [0205.441] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a2e0 | out: pbBuffer=0x12a9a2e0) returned 1 [0205.442] ReadFile (in: hFile=0x448, lpBuffer=0x12bf2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bf2000*, lpNumberOfBytesRead=0x12a71d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0205.464] GetFileType (hFile=0x448) returned 0x1 [0205.464] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.464] WriteFile (in: hFile=0x448, lpBuffer=0x12d68000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12d68000*, lpNumberOfBytesWritten=0x12a71d00*=0x160c0, lpOverlapped=0x12a71d0c) returned 1 [0205.465] GetFileType (hFile=0x448) returned 0x1 [0205.465] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0205.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0205.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0205.465] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a398 | out: pbBuffer=0x12a9a398) returned 1 [0205.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.467] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0205.467] WriteFile (in: hFile=0x15c, lpBuffer=0x12980000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12980000*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0205.467] CloseHandle (hObject=0x15c) returned 1 [0205.468] CloseHandle (hObject=0x448) returned 1 [0205.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a3b0 | out: pbBuffer=0x12a9a3b0) returned 1 [0205.468] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\#_THIS_FILE_IS_ENCRYPTED_[E9078C2767900FA3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\#_this_file_is_encrypted_[e9078c2767900fa3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.469] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.494] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.495] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0205.495] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a73ad0 | out: lpFileInformation=0x12a73ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e232ee, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94e232ee, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x952c1a4e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0205.495] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eb40 | out: pbBuffer=0x1280eb40) returned 1 [0205.495] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a3f8 | out: pbBuffer=0x12a9a3f8) returned 1 [0205.495] ReadFile (in: hFile=0x15c, lpBuffer=0x12b58000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a73d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b58000*, lpNumberOfBytesRead=0x12a73d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0205.518] GetFileType (hFile=0x15c) returned 0x1 [0205.518] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.519] WriteFile (in: hFile=0x15c, lpBuffer=0x12bb0000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12a73d00, lpOverlapped=0x12a73d0c | out: lpBuffer=0x12bb0000*, lpNumberOfBytesWritten=0x12a73d00*=0x160c0, lpOverlapped=0x12a73d0c) returned 1 [0205.519] GetFileType (hFile=0x15c) returned 0x1 [0205.519] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a73ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.519] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0205.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0205.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0205.520] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a4b0 | out: pbBuffer=0x12a9a4b0) returned 1 [0205.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0205.521] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12a73d0c | out: lpMode=0x12a73d0c) returned 0 [0205.521] WriteFile (in: hFile=0x1a0, lpBuffer=0x12980500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a73d0c, lpOverlapped=0x0 | out: lpBuffer=0x12980500*, lpNumberOfBytesWritten=0x12a73d0c*=0x276, lpOverlapped=0x0) returned 1 [0205.521] CloseHandle (hObject=0x1a0) returned 1 [0205.521] CloseHandle (hObject=0x15c) returned 1 [0205.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a4c8 | out: pbBuffer=0x12a9a4c8) returned 1 [0205.521] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\#_THIS_FILE_IS_ENCRYPTED_[DC569800AEF7C065]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\#_this_file_is_encrypted_[dc569800aef7c065]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.623] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.627] SetEvent (hEvent=0x3f4) returned 1 [0205.627] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.627] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0205.627] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a71ad0 | out: lpFileInformation=0x12a71ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x962b3645, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x962b3645, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96647060, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0205.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280ed40 | out: pbBuffer=0x1280ed40) returned 1 [0205.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a510 | out: pbBuffer=0x12a9a510) returned 1 [0205.628] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0205.633] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.633] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0205.634] SetEvent (hEvent=0x110) returned 1 [0205.634] SetEvent (hEvent=0x3f4) returned 1 [0205.634] ReadFile (in: hFile=0x15c, lpBuffer=0x12bc8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a71d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bc8000*, lpNumberOfBytesRead=0x12a71d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0205.643] GetFileType (hFile=0x15c) returned 0x1 [0205.643] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.643] WriteFile (in: hFile=0x15c, lpBuffer=0x12968000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x12a71d00, lpOverlapped=0x12a71d0c | out: lpBuffer=0x12968000*, lpNumberOfBytesWritten=0x12a71d00*=0x156c0, lpOverlapped=0x12a71d0c) returned 1 [0205.644] GetFileType (hFile=0x15c) returned 0x1 [0205.644] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a71ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc801 | out: pbBuffer=0x12afc801) returned 1 [0205.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0205.645] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0205.645] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a5c8 | out: pbBuffer=0x12a9a5c8) returned 1 [0205.645] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.645] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x12a71d0c | out: lpMode=0x12a71d0c) returned 0 [0205.645] WriteFile (in: hFile=0x448, lpBuffer=0x12980a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a71d0c, lpOverlapped=0x0 | out: lpBuffer=0x12980a00*, lpNumberOfBytesWritten=0x12a71d0c*=0x276, lpOverlapped=0x0) returned 1 [0205.645] CloseHandle (hObject=0x448) returned 1 [0205.646] CloseHandle (hObject=0x15c) returned 1 [0205.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a5e0 | out: pbBuffer=0x12a9a5e0) returned 1 [0205.646] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\#_THIS_FILE_IS_ENCRYPTED_[6259A0DD1640F3F1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\#_this_file_is_encrypted_[6259a0dd1640f3f1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.655] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0205.664] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0205.664] SetEvent (hEvent=0x1d0) returned 1 [0205.664] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0205.674] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.674] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0205.675] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0205.675] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f11a4d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x96f11a4d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97317979, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x172c0)) returned 1 [0205.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0205.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0205.675] ReadFile (in: hFile=0x15c, lpBuffer=0x12986000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12986000*, lpNumberOfBytesRead=0x12829d1c*=0x172c0, lpOverlapped=0x0) returned 1 [0205.688] GetFileType (hFile=0x15c) returned 0x1 [0205.688] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.688] WriteFile (in: hFile=0x15c, lpBuffer=0x129ae000*, nNumberOfBytesToWrite=0x172c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x129ae000*, lpNumberOfBytesWritten=0x12829d00*=0x172c0, lpOverlapped=0x12829d0c) returned 1 [0205.689] GetFileType (hFile=0x15c) returned 0x1 [0205.689] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x172c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0205.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0205.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0205.689] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0205.690] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810110 | out: pbBuffer=0x12810110) returned 1 [0205.690] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0205.690] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0205.690] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0205.690] CloseHandle (hObject=0x1a0) returned 1 [0205.690] CloseHandle (hObject=0x15c) returned 1 [0205.690] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810128 | out: pbBuffer=0x12810128) returned 1 [0205.690] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\#_THIS_FILE_IS_ENCRYPTED_[165141C0DCEF5391]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\#_this_file_is_encrypted_[165141c0dcef5391]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.691] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.736] SetEvent (hEvent=0x3f4) returned 1 [0205.736] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0205.736] GetConsoleMode (in: hConsoleHandle=0x448, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0205.736] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.gif"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x141bf54b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x141bf54b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14742dc7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6)) returned 1 [0205.736] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0205.736] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810170 | out: pbBuffer=0x12810170) returned 1 [0205.736] ReadFile (in: hFile=0x448, lpBuffer=0x129e6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x129e6000*, lpNumberOfBytesRead=0x1282fd1c*=0x20000, lpOverlapped=0x0) returned 1 [0205.752] GetFileType (hFile=0x448) returned 0x1 [0205.752] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0205.752] WriteFile (in: hFile=0x448, lpBuffer=0x12b88000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12b88000*, lpNumberOfBytesWritten=0x1282fd00*=0x20000, lpOverlapped=0x1282fd0c) returned 1 [0205.754] GetFileType (hFile=0x448) returned 0x1 [0205.754] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0205.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0205.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0205.754] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0205.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810228 | out: pbBuffer=0x12810228) returned 1 [0205.755] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0205.755] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0205.755] WriteFile (in: hFile=0x1a0, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0205.764] CloseHandle (hObject=0x1a0) returned 1 [0205.778] CloseHandle (hObject=0x448) returned 1 [0205.785] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810240 | out: pbBuffer=0x12810240) returned 1 [0205.785] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\#_THIS_FILE_IS_ENCRYPTED_[C41F81D476B7882D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\#_this_file_is_encrypted_[c41f81d476b7882d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0205.909] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.945] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.947] SetEvent (hEvent=0x10c) returned 1 [0205.947] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.950] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0205.965] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0206.094] SetEvent (hEvent=0x3f8) returned 1 [0206.094] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncConfig.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncconfig.exe"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27e196bc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27eb206a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x238c0)) returned 1 [0206.095] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0206.211] SetEvent (hEvent=0x3f8) returned 1 [0206.211] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x146118b3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x14a89f12, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14a89f12, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.211] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x146118b3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x146118b3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14a89f12, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0206.212] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x146118b3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x146118b3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14a89f12, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.212] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a89f12, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x14a89f12, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x151d75c6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.212] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.212] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0206.212] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.212] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.212] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.213] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.213] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.214] CloseHandle (hObject=0x42c) returned 1 [0206.214] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a89f12, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x14a89f12, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x151d75c6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0206.222] SetEvent (hEvent=0x3f8) returned 1 [0206.222] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x153086e5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x158d8246, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x158d8246, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.223] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.223] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x153086e5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x153086e5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x158d8246, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0206.223] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x153086e5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x153086e5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x158d8246, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.223] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x158d8246, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x158d8246, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15bf948f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.223] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.223] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0206.223] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.223] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.223] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.224] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.224] WriteFile (in: hFile=0x3c4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.225] CloseHandle (hObject=0x3c4) returned 1 [0206.226] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x158d8246, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x158d8246, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15bf948f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0206.234] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0206.261] SetEvent (hEvent=0x420) returned 1 [0206.261] SetEvent (hEvent=0x1d0) returned 1 [0206.261] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16582b22, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x169161d2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x169161d2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0206.261] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0206.262] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16582b22, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16582b22, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x169161d2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0206.262] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16582b22, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16582b22, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x169161d2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0206.262] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x169161d2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x169161d2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17206ef6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0206.262] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0206.262] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0206.262] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0206.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0206.263] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0206.263] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0206.263] WriteFile (in: hFile=0x42c, lpBuffer=0x12bdc000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12bdc000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0206.265] CloseHandle (hObject=0x42c) returned 1 [0206.265] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x169161d2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x169161d2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17206ef6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0206.266] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0206.293] SetEvent (hEvent=0x3f4) returned 1 [0206.293] SetEvent (hEvent=0x1d0) returned 1 [0206.293] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0206.358] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0206.640] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0206.656] SetEvent (hEvent=0x10c) returned 1 [0206.656] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.657] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0206.657] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129abad0 | out: lpFileInformation=0x129abad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b587918, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b587918, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6464e2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0)) returned 1 [0206.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129281c0 | out: pbBuffer=0x129281c0) returned 1 [0206.657] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0206.657] ReadFile (in: hFile=0x3c4, lpBuffer=0x12b98000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129abd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b98000*, lpNumberOfBytesRead=0x129abd1c*=0x15ac0, lpOverlapped=0x0) returned 1 [0206.705] GetFileType (hFile=0x3c4) returned 0x1 [0206.705] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0206.705] WriteFile (in: hFile=0x3c4, lpBuffer=0x12bf2000*, nNumberOfBytesToWrite=0x15ac0, lpNumberOfBytesWritten=0x129abd00, lpOverlapped=0x129abd0c | out: lpBuffer=0x12bf2000*, lpNumberOfBytesWritten=0x129abd00*=0x15ac0, lpOverlapped=0x129abd0c) returned 1 [0206.706] GetFileType (hFile=0x3c4) returned 0x1 [0206.706] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x15ac0, lpNewFilePointer=0x0, dwMoveMethod=0x129abce4 | out: lpNewFilePointer=0x0) returned 1 [0206.706] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0206.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0206.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0206.707] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0206.707] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0206.708] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129abd0c | out: lpMode=0x129abd0c) returned 0 [0206.708] WriteFile (in: hFile=0x15c, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129abd0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x129abd0c*=0x276, lpOverlapped=0x0) returned 1 [0206.708] CloseHandle (hObject=0x15c) returned 1 [0206.708] CloseHandle (hObject=0x3c4) returned 1 [0206.708] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34238 | out: pbBuffer=0x12c34238) returned 1 [0206.708] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\#_THIS_FILE_IS_ENCRYPTED_[06FD62B1AA553DCE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\#_this_file_is_encrypted_[06fd62b1aa553dce]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.710] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0206.813] SetEvent (hEvent=0x40c) returned 1 [0206.813] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0206.814] GetConsoleMode (in: hConsoleHandle=0x15c, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.814] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x129a7ad0 | out: lpFileInformation=0x129a7ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b4e321, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x29b4e321, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2b646bb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0206.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928400 | out: pbBuffer=0x12928400) returned 1 [0206.815] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34490 | out: pbBuffer=0x12c34490) returned 1 [0206.815] ReadFile (in: hFile=0x15c, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129a7d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x129a7d1c*=0x10000, lpOverlapped=0x0) returned 1 [0206.871] GetFileType (hFile=0x15c) returned 0x1 [0206.871] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.871] WriteFile (in: hFile=0x15c, lpBuffer=0x12c64000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x129a7d00, lpOverlapped=0x129a7d0c | out: lpBuffer=0x12c64000*, lpNumberOfBytesWritten=0x129a7d00*=0x10000, lpOverlapped=0x129a7d0c) returned 1 [0206.872] GetFileType (hFile=0x15c) returned 0x1 [0206.872] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x129a7ce4 | out: lpNewFilePointer=0x0) returned 1 [0206.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0206.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0206.872] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0206.873] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34548 | out: pbBuffer=0x12c34548) returned 1 [0206.873] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0206.873] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x129a7d0c | out: lpMode=0x129a7d0c) returned 0 [0206.873] WriteFile (in: hFile=0x1a0, lpBuffer=0x128ae500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x129a7d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae500*, lpNumberOfBytesWritten=0x129a7d0c*=0x276, lpOverlapped=0x0) returned 1 [0206.874] CloseHandle (hObject=0x1a0) returned 1 [0206.874] CloseHandle (hObject=0x15c) returned 1 [0206.874] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34560 | out: pbBuffer=0x12c34560) returned 1 [0206.874] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\#_THIS_FILE_IS_ENCRYPTED_[68039171EC279C25]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\#_this_file_is_encrypted_[68039171ec279c25]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0206.875] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0206.986] SetEvent (hEvent=0x40c) returned 1 [0206.986] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplaylogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c4 [0206.987] GetConsoleMode (in: hConsoleHandle=0x3c4, lpMode=0x129add0c | out: lpMode=0x129add0c) returned 0 [0206.987] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplaylogo.png"), fInfoLevelId=0x0, lpFileInformation=0x129adad0 | out: lpFileInformation=0x129adad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd25ab06c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd25ab06c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd29d7222, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x123c)) returned 1 [0206.987] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928600 | out: pbBuffer=0x12928600) returned 1 [0206.987] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c345d8 | out: pbBuffer=0x12c345d8) returned 1 [0206.988] ReadFile (in: hFile=0x3c4, lpBuffer=0x12c74000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x129add1c, lpOverlapped=0x0 | out: lpBuffer=0x12c74000*, lpNumberOfBytesRead=0x129add1c*=0x123c, lpOverlapped=0x0) returned 1 [0207.037] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0207.100] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0207.196] SetEvent (hEvent=0x10c) returned 1 [0207.196] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0207.264] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\exclusionlist.xml"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42ba1e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe42ba1e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7c64fd5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f)) returned 1 [0207.554] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0208.434] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426facc, ulCount=0x10, ulNumEntriesRemoved=0x3426fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426facc, ulNumEntriesRemoved=0x3426fab0) returned 0 [0208.434] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426facc, ulCount=0x10, ulNumEntriesRemoved=0x3426fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x3426facc, ulNumEntriesRemoved=0x3426fab0) returned 1 [0221.691] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x3426faac, fWait=0, lpdwFlags=0x3426fabc | out: lpcbTransfer=0x3426faac, lpdwFlags=0x3426fabc) returned 1 [0221.959] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0223.536] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34348 | out: pbBuffer=0x12c34348) returned 1 [0223.536] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0223.537] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0223.537] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b05d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12b05d0c*=0x276, lpOverlapped=0x0) returned 1 [0223.720] CloseHandle (hObject=0x42c) returned 1 [0223.721] CloseHandle (hObject=0x438) returned 1 [0224.060] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c343a0 | out: pbBuffer=0x12c343a0) returned 1 [0224.061] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[185B21C21306DE4D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[185b21c21306de4d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0224.464] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0224.534] SetEvent (hEvent=0x1b8) returned 1 [0224.534] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0224.613] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0224.614] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0224.614] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.localizedresources.dll"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501ed543, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x501ed543, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50390d5d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x140c0)) returned 1 [0224.614] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845ac0 | out: pbBuffer=0x12845ac0) returned 1 [0224.614] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849720 | out: pbBuffer=0x12849720) returned 1 [0224.616] ReadFile (in: hFile=0x42c, lpBuffer=0x129a2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x129a2000*, lpNumberOfBytesRead=0x12b05d1c*=0x140c0, lpOverlapped=0x0) returned 1 [0224.626] GetFileType (hFile=0x42c) returned 0x1 [0224.627] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.627] WriteFile (in: hFile=0x42c, lpBuffer=0x12bc8000*, nNumberOfBytesToWrite=0x140c0, lpNumberOfBytesWritten=0x12b05d00, lpOverlapped=0x12b05d0c | out: lpBuffer=0x12bc8000*, lpNumberOfBytesWritten=0x12b05d00*=0x140c0, lpOverlapped=0x12b05d0c) returned 1 [0224.627] GetFileType (hFile=0x42c) returned 0x1 [0224.627] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x140c0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0224.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c81 | out: pbBuffer=0x12800c81) returned 1 [0224.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0224.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8a48 | out: pbBuffer=0x128e8a48) returned 1 [0224.629] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.localizedresources.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0224.629] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0224.629] WriteFile (in: hFile=0x1a0, lpBuffer=0x12cf6500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b05d0c, lpOverlapped=0x0 | out: lpBuffer=0x12cf6500*, lpNumberOfBytesWritten=0x12b05d0c*=0x276, lpOverlapped=0x0) returned 1 [0224.629] CloseHandle (hObject=0x1a0) returned 1 [0224.629] CloseHandle (hObject=0x42c) returned 1 [0224.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8a70 | out: pbBuffer=0x128e8a70) returned 1 [0224.630] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.localizedresources.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[588E69808334F04F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[588e69808334f04f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0224.631] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0224.666] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0224.691] SetEvent (hEvent=0x3cc) returned 1 [0224.691] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0224.692] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0224.692] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505f317e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x505f317e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5082f572, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x362c0)) returned 1 [0224.693] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0224.693] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0224.694] ReadFile (in: hFile=0x42c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0224.703] GetFileType (hFile=0x42c) returned 0x1 [0224.703] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.703] WriteFile (in: hFile=0x42c, lpBuffer=0x12b22000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12b22000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0224.704] GetFileType (hFile=0x42c) returned 0x1 [0224.704] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0224.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0224.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0224.705] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0224.705] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncapi.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0224.706] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0224.706] WriteFile (in: hFile=0x1a0, lpBuffer=0x12cf6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12cf6000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0224.706] CloseHandle (hObject=0x1a0) returned 1 [0224.719] CloseHandle (hObject=0x42c) returned 1 [0224.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0224.721] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncapi.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[36C1FB48C1D99DAC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[36c1fb48c1d99dac]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0224.976] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0224.984] SetEvent (hEvent=0x420) returned 1 [0224.984] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncshell.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0224.985] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0224.985] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncshell.dll"), fInfoLevelId=0x0, lpFileInformation=0x12be9ad0 | out: lpFileInformation=0x12be9ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5103b5e0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5103b5e0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x511def4c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0)) returned 1 [0224.985] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0224.985] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0224.986] ReadFile (in: hFile=0x450, lpBuffer=0x12cac000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12be9d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cac000*, lpNumberOfBytesRead=0x12be9d1c*=0x20000, lpOverlapped=0x0) returned 1 [0224.991] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0224.991] SetEvent (hEvent=0x420) returned 1 [0224.993] GetFileType (hFile=0x450) returned 0x1 [0224.993] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.993] WriteFile (in: hFile=0x450, lpBuffer=0x12d2a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12be9d00, lpOverlapped=0x12be9d0c | out: lpBuffer=0x12d2a000*, lpNumberOfBytesWritten=0x12be9d00*=0x20000, lpOverlapped=0x12be9d0c) returned 1 [0224.994] GetFileType (hFile=0x450) returned 0x1 [0224.994] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12be9ce4 | out: lpNewFilePointer=0x0) returned 1 [0224.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0224.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0224.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0224.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0224.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncshell.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0224.995] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12be9d0c | out: lpMode=0x12be9d0c) returned 0 [0224.996] WriteFile (in: hFile=0x42c, lpBuffer=0x12aea000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12be9d0c, lpOverlapped=0x0 | out: lpBuffer=0x12aea000*, lpNumberOfBytesWritten=0x12be9d0c*=0x276, lpOverlapped=0x0) returned 1 [0225.001] CloseHandle (hObject=0x42c) returned 1 [0225.007] CloseHandle (hObject=0x450) returned 1 [0225.080] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848020 | out: pbBuffer=0x12848020) returned 1 [0225.080] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncshell.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[76E3592A915D950B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[76e3592a915d950b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0225.532] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0225.537] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0225.551] SetEvent (hEvent=0x3cc) returned 1 [0225.551] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotoptin.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0225.552] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0225.552] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ee912c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55ee912c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56931178, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a)) returned 1 [0225.552] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0225.552] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340e8 | out: pbBuffer=0x12c340e8) returned 1 [0225.552] ReadFile (in: hFile=0x450, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12b05d1c*=0x20000, lpOverlapped=0x0) returned 1 [0225.729] GetFileType (hFile=0x450) returned 0x1 [0225.729] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.730] WriteFile (in: hFile=0x450, lpBuffer=0x12d2a000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12b05d00, lpOverlapped=0x12b05d0c | out: lpBuffer=0x12d2a000*, lpNumberOfBytesWritten=0x12b05d00*=0x20000, lpOverlapped=0x12b05d0c) returned 1 [0225.731] GetFileType (hFile=0x450) returned 0x1 [0225.731] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0225.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0225.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0225.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0225.731] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848518 | out: pbBuffer=0x12848518) returned 1 [0225.732] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotoptin.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0225.732] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0225.732] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b05d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2c500*, lpNumberOfBytesWritten=0x12b05d0c*=0x276, lpOverlapped=0x0) returned 1 [0225.756] CloseHandle (hObject=0x42c) returned 1 [0225.756] CloseHandle (hObject=0x450) returned 1 [0225.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848530 | out: pbBuffer=0x12848530) returned 1 [0225.756] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotoptin.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[708D66952C375C03]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[708d66952c375c03]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0225.995] SetEvent (hEvent=0x110) returned 1 [0226.254] SetEvent (hEvent=0x3f4) returned 1 [0226.721] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\videostreamingplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0226.731] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0226.807] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\videostreamingplugin.dll"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x650751e8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x650751e8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6596648d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x632c0)) returned 1 [0226.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844260 | out: pbBuffer=0x12844260) returned 1 [0226.868] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848378 | out: pbBuffer=0x12848378) returned 1 [0227.075] ReadFile (in: hFile=0x438, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12b05d1c*=0x20000, lpOverlapped=0x0) returned 1 [0227.219] GetFileType (hFile=0x438) returned 0x1 [0227.219] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0227.219] WriteFile (in: hFile=0x438, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12b05d00, lpOverlapped=0x12b05d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12b05d00*=0x20000, lpOverlapped=0x12b05d0c) returned 1 [0227.222] GetFileType (hFile=0x438) returned 0x1 [0227.222] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0228.232] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0228.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0228.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0228.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848440 | out: pbBuffer=0x12848440) returned 1 [0228.847] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\videostreamingplugin.dll"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0228.847] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0228.848] WriteFile (in: hFile=0x45c, lpBuffer=0x12ae8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b05d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ae8000*, lpNumberOfBytesWritten=0x12b05d0c*=0x276, lpOverlapped=0x0) returned 1 [0228.894] CloseHandle (hObject=0x45c) returned 1 [0228.894] CloseHandle (hObject=0x438) returned 1 [0228.894] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848458 | out: pbBuffer=0x12848458) returned 1 [0228.895] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\videostreamingplugin.dll"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\#_THIS_FILE_IS_ENCRYPTED_[96B887298DD45F9E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\#_this_file_is_encrypted_[96b887298dd45f9e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0228.896] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f5b5174, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7cb58f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f7cb58f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0228.896] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0228.897] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f5b5174, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f5b5174, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f7cb58f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0228.897] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f5b5174, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f5b5174, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f7cb58f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.897] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f7cb58f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7cb58f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0228.897] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0228.897] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0228.897] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.897] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.898] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0228.898] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0228.898] WriteFile (in: hFile=0x438, lpBuffer=0x12a46000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a46000*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0228.899] CloseHandle (hObject=0x438) returned 1 [0228.900] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f7cb58f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7cb58f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0228.900] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f8fc8ef, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4faa013a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4faa013a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0228.900] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0228.900] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f8fc8ef, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f8fc8ef, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4faa013a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0228.900] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f8fc8ef, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f8fc8ef, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4faa013a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0228.900] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4faa013a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4faa013a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50286173, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0228.900] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0228.900] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0228.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0228.901] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0228.901] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0228.901] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0228.901] WriteFile (in: hFile=0x438, lpBuffer=0x12a47300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a47300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0228.903] CloseHandle (hObject=0x438) returned 1 [0228.903] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4faa013a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4faa013a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50286173, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0228.903] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0228.904] GetConsoleMode (in: hConsoleHandle=0x438, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0228.904] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12b05ad0 | out: lpFileInformation=0x12b05ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f7cb58f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7cb58f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0228.904] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844500 | out: pbBuffer=0x12844500) returned 1 [0228.904] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848cf0 | out: pbBuffer=0x12848cf0) returned 1 [0229.015] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0229.016] SetEvent (hEvent=0x110) returned 1 [0229.016] SetEvent (hEvent=0x3f8) returned 1 [0229.035] ReadFile (in: hFile=0x438, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b05d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12b05d1c*=0xfcc0, lpOverlapped=0x0) returned 1 [0229.135] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0229.187] GetFileType (hFile=0x438) returned 0x1 [0229.187] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.187] WriteFile (in: hFile=0x438, lpBuffer=0x12d28000*, nNumberOfBytesToWrite=0xfcc0, lpNumberOfBytesWritten=0x12b05d00, lpOverlapped=0x12b05d0c | out: lpBuffer=0x12d28000*, lpNumberOfBytesWritten=0x12b05d00*=0xfcc0, lpOverlapped=0x12b05d0c) returned 1 [0229.188] GetFileType (hFile=0x438) returned 0x1 [0229.188] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x12b05ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.188] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0229.188] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286af81 | out: pbBuffer=0x1286af81) returned 1 [0229.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b101 | out: pbBuffer=0x1286b101) returned 1 [0229.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811468 | out: pbBuffer=0x12811468) returned 1 [0229.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0229.190] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12b05d0c | out: lpMode=0x12b05d0c) returned 0 [0229.190] WriteFile (in: hFile=0x45c, lpBuffer=0x129fca00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b05d0c, lpOverlapped=0x0 | out: lpBuffer=0x129fca00*, lpNumberOfBytesWritten=0x12b05d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.190] CloseHandle (hObject=0x45c) returned 1 [0229.190] CloseHandle (hObject=0x438) returned 1 [0229.190] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811480 | out: pbBuffer=0x12811480) returned 1 [0229.190] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\#_THIS_FILE_IS_ENCRYPTED_[8676F03DB097C200]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\#_this_file_is_encrypted_[8676f03db097c200]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.192] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0229.374] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426facc, ulCount=0x10, ulNumEntriesRemoved=0x3426fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426facc, ulNumEntriesRemoved=0x3426fab0) returned 0 [0229.375] GetFileType (hFile=0x42c) returned 0x1 [0229.375] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.375] WriteFile (in: hFile=0x42c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x152c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12829d00*=0x152c0, lpOverlapped=0x12829d0c) returned 1 [0229.376] GetFileType (hFile=0x42c) returned 0x1 [0229.376] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x152c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0229.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0229.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0229.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0229.377] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483a0 | out: pbBuffer=0x128483a0) returned 1 [0229.377] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0229.378] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0229.378] WriteFile (in: hFile=0x458, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0229.378] CloseHandle (hObject=0x458) returned 1 [0229.378] CloseHandle (hObject=0x42c) returned 1 [0229.378] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483b8 | out: pbBuffer=0x128483b8) returned 1 [0229.379] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\#_THIS_FILE_IS_ENCRYPTED_[8524F4DEA7C1396D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\#_this_file_is_encrypted_[8524f4dea7c1396d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0229.385] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426facc, ulCount=0x10, ulNumEntriesRemoved=0x3426fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426facc, ulNumEntriesRemoved=0x3426fab0) returned 0 [0229.385] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b9ce08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50e97fc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50e97fc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.385] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.385] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b9ce08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50b9ce08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50e97fc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0229.386] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b9ce08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50b9ce08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50e97fc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.386] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50e97fc4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50e97fc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50f3092d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.386] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.386] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0229.386] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.386] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.386] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0229.388] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.388] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.390] CloseHandle (hObject=0x42c) returned 1 [0229.390] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50e97fc4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50e97fc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50f3092d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0)) returned 1 [0229.391] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50f3092d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x510d3ed4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x510d3ed4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.391] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.391] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50f3092d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50f3092d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x510d3ed4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0229.391] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50f3092d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50f3092d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x510d3ed4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.391] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x510d3ed4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x510d3ed4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5116c84b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.391] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.391] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0229.391] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.392] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.392] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0229.393] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.393] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.394] CloseHandle (hObject=0x42c) returned 1 [0229.394] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x510d3ed4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x510d3ed4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5116c84b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0229.395] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5116c84b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x513cef43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x513cef43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0229.395] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0229.395] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5116c84b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5116c84b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x513cef43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0229.395] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5116c84b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5116c84b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x513cef43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0229.395] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x513cef43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x513cef43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51467b17, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0229.396] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0229.396] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0229.396] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.396] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0229.396] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0229.397] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0229.397] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0229.399] CloseHandle (hObject=0x42c) returned 1 [0229.399] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x513cef43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x513cef43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51467b17, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0)) returned 1 [0229.400] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0229.400] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0229.400] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x510d3ed4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x510d3ed4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5116c84b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0229.401] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844540 | out: pbBuffer=0x12844540) returned 1 [0229.401] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849040 | out: pbBuffer=0x12849040) returned 1 [0229.401] ReadFile (in: hFile=0x42c, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12829d1c*=0x156c0, lpOverlapped=0x0) returned 1 [0229.419] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0229.568] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426facc, ulCount=0x10, ulNumEntriesRemoved=0x3426fab0, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426facc, ulNumEntriesRemoved=0x3426fab0) returned 0 [0229.568] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426facc, ulCount=0x10, ulNumEntriesRemoved=0x3426fab0, dwMilliseconds=0xffffffff, fAlertable=0 | out: lpCompletionPortEntries=0x3426facc, ulNumEntriesRemoved=0x3426fab0) returned 1 [0235.218] WSAGetOverlappedResult (in: s=0x1a4, lpOverlapped=0x128e6014, lpcbTransfer=0x3426faac, fWait=0, lpdwFlags=0x3426fabc | out: lpcbTransfer=0x3426faac, lpdwFlags=0x3426fabc) returned 1 [0235.691] SetEvent (hEvent=0xf4) returned 1 [0235.743] WSARecv (in: s=0x1a4, lpBuffers=0x128e6040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x128e6034, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014, lpCompletionRoutine=0x0 | out: lpBuffers=0x128e6040*=((len=0x18a3, buf=0x128f8000)), lpNumberOfBytesRecvd=0x128e6034*=0x129, lpFlags=0x128e6078*=0x0, lpOverlapped=0x128e6014) returned 0xffffffff [0235.984] SetEvent (hEvent=0x3cc) returned 1 [0235.984] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0236.066] SetEvent (hEvent=0x1d0) returned 1 [0236.066] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0236.077] SetEvent (hEvent=0xf4) returned 1 [0236.078] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotlogo.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178673a6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x178673a6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x18f80014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x124b)) returned 1 [0236.111] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0236.212] SetEvent (hEvent=0x420) returned 1 [0236.212] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotoptin.png"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bdfde5d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1bdfde5d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1f7a8c42, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a)) returned 1 [0236.225] SetEvent (hEvent=0xfc) returned 1 [0236.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmwrapper.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x237ffd48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x237ffd48, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x245604a7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0)) returned 1 [0236.412] SetEvent (hEvent=0x420) returned 1 [0236.412] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\syncengine.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25924c48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25924c48, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c240c38, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3018c0)) returned 1 [0236.438] SetEvent (hEvent=0x1d0) returned 1 [0236.438] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\telemetry.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2da1851d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2da1851d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3089629e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x494c0)) returned 1 [0236.479] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0236.551] SetEvent (hEvent=0x40c) returned 1 [0236.551] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\videostreamingplugin.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328ec16f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x328ec16f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33af3cb5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x632c0)) returned 1 [0236.576] SetEvent (hEvent=0xfc) returned 1 [0236.576] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wnsclientapi.dll"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3949b564, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3949b564, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a77d98f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5d6c0)) returned 1 [0236.671] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0236.715] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0236.776] SetEvent (hEvent=0x40c) returned 1 [0236.776] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0236.777] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0236.777] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a67ad0 | out: lpFileInformation=0x12a67ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b11c874, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b11c874, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b3f84d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0)) returned 1 [0236.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98800 | out: pbBuffer=0x12a98800) returned 1 [0236.777] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128107b0 | out: pbBuffer=0x128107b0) returned 1 [0236.778] ReadFile (in: hFile=0x42c, lpBuffer=0x12980000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a67d1c, lpOverlapped=0x0 | out: lpBuffer=0x12980000*, lpNumberOfBytesRead=0x12a67d1c*=0x158c0, lpOverlapped=0x0) returned 1 [0236.922] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0236.993] GetFileType (hFile=0x42c) returned 0x1 [0236.993] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.993] WriteFile (in: hFile=0x42c, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x158c0, lpNumberOfBytesWritten=0x12a67d00, lpOverlapped=0x12a67d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12a67d00*=0x158c0, lpOverlapped=0x12a67d0c) returned 1 [0236.994] GetFileType (hFile=0x42c) returned 0x1 [0236.994] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x158c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a67ce4 | out: lpNewFilePointer=0x0) returned 1 [0236.994] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0236.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0236.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0236.995] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0236.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0236.995] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a67d0c | out: lpMode=0x12a67d0c) returned 0 [0236.996] WriteFile (in: hFile=0x458, lpBuffer=0x12d6c500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a67d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d6c500*, lpNumberOfBytesWritten=0x12a67d0c*=0x276, lpOverlapped=0x0) returned 1 [0236.996] CloseHandle (hObject=0x458) returned 1 [0236.996] CloseHandle (hObject=0x42c) returned 1 [0236.996] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340c8 | out: pbBuffer=0x12c340c8) returned 1 [0236.996] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\#_THIS_FILE_IS_ENCRYPTED_[D75697203C4FD373]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\#_this_file_is_encrypted_[d75697203c4fd373]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0236.998] SetEvent (hEvent=0x420) returned 1 [0236.998] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0237.097] SetEvent (hEvent=0x420) returned 1 [0237.097] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0237.109] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0237.583] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0237.589] SetEvent (hEvent=0x1d0) returned 1 [0237.589] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0237.630] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0237.759] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0237.910] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0238.100] SetEvent (hEvent=0x420) returned 1 [0238.100] SetEvent (hEvent=0x40c) returned 1 [0238.100] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0238.151] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0238.152] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0238.152] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a65ad0 | out: lpFileInformation=0x12a65ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c995f72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c995f72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ca2ec66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0238.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0238.152] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8018 | out: pbBuffer=0x128e8018) returned 1 [0238.152] ReadFile (in: hFile=0x44c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a65d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12a65d1c*=0x174c0, lpOverlapped=0x0) returned 1 [0238.170] GetFileType (hFile=0x44c) returned 0x1 [0238.170] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.170] WriteFile (in: hFile=0x44c, lpBuffer=0x12cfc000*, nNumberOfBytesToWrite=0x174c0, lpNumberOfBytesWritten=0x12a65d00, lpOverlapped=0x12a65d0c | out: lpBuffer=0x12cfc000*, lpNumberOfBytesWritten=0x12a65d00*=0x174c0, lpOverlapped=0x12a65d0c) returned 1 [0238.171] GetFileType (hFile=0x44c) returned 0x1 [0238.171] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x174c0, lpNewFilePointer=0x0, dwMoveMethod=0x12a65ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.171] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0238.171] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0238.171] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a401 | out: pbBuffer=0x1286a401) returned 1 [0238.172] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80d0 | out: pbBuffer=0x128e80d0) returned 1 [0238.172] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.172] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12a65d0c | out: lpMode=0x12a65d0c) returned 0 [0238.172] WriteFile (in: hFile=0x42c, lpBuffer=0x12b86000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a65d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b86000*, lpNumberOfBytesWritten=0x12a65d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.172] CloseHandle (hObject=0x42c) returned 1 [0238.172] CloseHandle (hObject=0x44c) returned 1 [0238.172] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80e8 | out: pbBuffer=0x128e80e8) returned 1 [0238.172] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\#_THIS_FILE_IS_ENCRYPTED_[C1F996CDB57EA7D0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\#_this_file_is_encrypted_[c1f996cdb57ea7d0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.194] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0238.238] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0238.262] SetEvent (hEvent=0x1b8) returned 1 [0238.262] SetEvent (hEvent=0xfc) returned 1 [0238.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.263] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.263] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e21b0f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80e21b0f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81928802, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0)) returned 1 [0238.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0238.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0238.263] ReadFile (in: hFile=0x42c, lpBuffer=0x12b48000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b48000*, lpNumberOfBytesRead=0x1282fd1c*=0x180c0, lpOverlapped=0x0) returned 1 [0238.277] GetFileType (hFile=0x42c) returned 0x1 [0238.277] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.277] WriteFile (in: hFile=0x42c, lpBuffer=0x12baa000*, nNumberOfBytesToWrite=0x180c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12baa000*, lpNumberOfBytesWritten=0x1282fd00*=0x180c0, lpOverlapped=0x1282fd0c) returned 1 [0238.278] GetFileType (hFile=0x42c) returned 0x1 [0238.278] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x180c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0238.278] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0238.278] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0238.278] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0238.278] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0238.278] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0238.279] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0238.279] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0238.279] CloseHandle (hObject=0x450) returned 1 [0238.279] CloseHandle (hObject=0x42c) returned 1 [0238.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0238.279] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\#_THIS_FILE_IS_ENCRYPTED_[008A7F46D1ABD723]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\#_this_file_is_encrypted_[008a7f46d1abd723]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.280] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0238.297] SetEvent (hEvent=0xfc) returned 1 [0238.298] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0238.298] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0238.298] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd3f98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x82cd3f98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83126441, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0238.298] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0238.298] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0238.298] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12829d1c*=0x154c0, lpOverlapped=0x0) returned 1 [0238.317] GetFileType (hFile=0x3e4) returned 0x1 [0238.318] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.318] WriteFile (in: hFile=0x3e4, lpBuffer=0x12d3c000*, nNumberOfBytesToWrite=0x154c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d3c000*, lpNumberOfBytesWritten=0x12829d00*=0x154c0, lpOverlapped=0x12829d0c) returned 1 [0238.318] GetFileType (hFile=0x3e4) returned 0x1 [0238.318] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x154c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.318] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0238.318] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0238.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e01 | out: pbBuffer=0x12800e01) returned 1 [0238.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a238 | out: pbBuffer=0x12a9a238) returned 1 [0238.319] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.319] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0238.319] WriteFile (in: hFile=0x42c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.319] CloseHandle (hObject=0x42c) returned 1 [0238.319] CloseHandle (hObject=0x3e4) returned 1 [0238.319] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a250 | out: pbBuffer=0x12a9a250) returned 1 [0238.320] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\#_THIS_FILE_IS_ENCRYPTED_[A1FBE6F624AF160E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\#_this_file_is_encrypted_[a1fbe6f624af160e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.444] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0238.547] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0238.579] SetEvent (hEvent=0x420) returned 1 [0238.579] SetEvent (hEvent=0xfc) returned 1 [0238.579] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.581] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12b03d0c | out: lpMode=0x12b03d0c) returned 0 [0238.581] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12b03ad0 | out: lpFileInformation=0x12b03ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84675212, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84675212, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8470dd37, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0)) returned 1 [0238.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0238.581] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0238.581] ReadFile (in: hFile=0x42c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b03d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12b03d1c*=0x150c0, lpOverlapped=0x0) returned 1 [0238.603] GetFileType (hFile=0x42c) returned 0x1 [0238.603] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b03ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.603] WriteFile (in: hFile=0x42c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x150c0, lpNumberOfBytesWritten=0x12b03d00, lpOverlapped=0x12b03d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12b03d00*=0x150c0, lpOverlapped=0x12b03d0c) returned 1 [0238.603] GetFileType (hFile=0x42c) returned 0x1 [0238.603] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x150c0, lpNewFilePointer=0x0, dwMoveMethod=0x12b03ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0238.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0238.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0238.604] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0238.605] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0238.605] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12b03d0c | out: lpMode=0x12b03d0c) returned 0 [0238.605] WriteFile (in: hFile=0x458, lpBuffer=0x12a66500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12b03d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a66500*, lpNumberOfBytesWritten=0x12b03d0c*=0x276, lpOverlapped=0x0) returned 1 [0238.605] CloseHandle (hObject=0x458) returned 1 [0238.605] CloseHandle (hObject=0x42c) returned 1 [0238.605] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0238.605] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\#_THIS_FILE_IS_ENCRYPTED_[C73D91E51F04E150]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\#_this_file_is_encrypted_[c73d91e51f04e150]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0238.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40052e7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd47784b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd47784b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.607] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.607] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40052e7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40052e7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd47784b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0238.607] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40052e7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40052e7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd47784b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.607] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd47784b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd47784b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd4a7342a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.607] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.607] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0238.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.608] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.608] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.608] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.608] WriteFile (in: hFile=0x42c, lpBuffer=0x12a45300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a45300*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.610] CloseHandle (hObject=0x42c) returned 1 [0238.611] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd47784b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd47784b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd4a7342a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0238.611] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd80fd0fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc3e4e43, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdc3e4e43, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0238.611] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0238.611] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd80fd0fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd80fd0fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdc3e4e43, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0238.612] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd80fd0fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd80fd0fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdc3e4e43, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0238.612] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc3e4e43, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc3e4e43, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdd9805f5, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0238.612] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0238.612] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0238.612] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0238.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0238.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.614] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0238.614] WriteFile (in: hFile=0x42c, lpBuffer=0x12a46600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x12a46600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0238.626] CloseHandle (hObject=0x42c) returned 1 [0238.626] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282b964 | out: lpFileInformation=0x1282b964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc3e4e43, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc3e4e43, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdd9805f5, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0238.626] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0238.627] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12b03d0c | out: lpMode=0x12b03d0c) returned 0 [0238.627] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12b03ad0 | out: lpFileInformation=0x12b03ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd47784b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd47784b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd4a7342a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0)) returned 1 [0238.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0238.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a7b0 | out: pbBuffer=0x12a9a7b0) returned 1 [0238.628] ReadFile (in: hFile=0x42c, lpBuffer=0x12d3c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12b03d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d3c000*, lpNumberOfBytesRead=0x12b03d1c*=0xfcc0, lpOverlapped=0x0) returned 1 [0238.663] GetFileType (hFile=0x42c) returned 0x1 [0238.663] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12b03ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.663] WriteFile (in: hFile=0x42c, lpBuffer=0x12bca000*, nNumberOfBytesToWrite=0xfcc0, lpNumberOfBytesWritten=0x12b03d00, lpOverlapped=0x12b03d0c | out: lpBuffer=0x12bca000*, lpNumberOfBytesWritten=0x12b03d00*=0xfcc0, lpOverlapped=0x12b03d0c) returned 1 [0238.677] GetFileType (hFile=0x42c) returned 0x1 [0238.677] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x12b03ce4 | out: lpNewFilePointer=0x0) returned 1 [0238.729] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0238.769] SetEvent (hEvent=0x40c) returned 1 [0238.769] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0238.790] SetEvent (hEvent=0x1b8) returned 1 [0238.790] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0239.076] SetEvent (hEvent=0x420) returned 1 [0239.076] SetEvent (hEvent=0x1d0) returned 1 [0239.076] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0239.159] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0239.541] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0239.919] SetEvent (hEvent=0x1d0) returned 1 [0239.919] SetEvent (hEvent=0x420) returned 1 [0239.919] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.082] SetEvent (hEvent=0x40c) returned 1 [0243.083] SetEvent (hEvent=0x3f8) returned 1 [0243.083] SetEvent (hEvent=0xf4) returned 1 [0243.083] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0243.091] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.091] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0243.117] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.117] SetEvent (hEvent=0x1b8) returned 1 [0243.117] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0243.140] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.140] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0243.140] SetEvent (hEvent=0x1b8) returned 1 [0243.140] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0243.147] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.147] SwitchToThread () returned 1 [0243.156] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.168] SetEvent (hEvent=0x1b8) returned 1 [0243.168] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.169] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0243.169] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d77b98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7d77b98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x832177f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0)) returned 1 [0243.169] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0243.169] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0243.169] ReadFile (in: hFile=0x42c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12829d1c*=0x174c0, lpOverlapped=0x0) returned 1 [0243.202] GetFileType (hFile=0x42c) returned 0x1 [0243.202] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.202] WriteFile (in: hFile=0x42c, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x174c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x12829d00*=0x174c0, lpOverlapped=0x12829d0c) returned 1 [0243.210] GetFileType (hFile=0x42c) returned 0x1 [0243.210] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x174c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0243.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0243.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc301 | out: pbBuffer=0x12afc301) returned 1 [0243.211] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0243.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.212] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0243.212] WriteFile (in: hFile=0x3e4, lpBuffer=0x12be4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12be4000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.227] CloseHandle (hObject=0x3e4) returned 1 [0243.227] CloseHandle (hObject=0x42c) returned 1 [0243.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0243.258] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\#_THIS_FILE_IS_ENCRYPTED_[26386C153BAC35A2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\#_this_file_is_encrypted_[26386c153bac35a2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.286] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.289] SetEvent (hEvent=0x1d0) returned 1 [0243.289] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.290] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1298fd0c | out: lpMode=0x1298fd0c) returned 0 [0243.290] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1298fad0 | out: lpFileInformation=0x1298fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3c8687, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xf3c8687, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1207c939, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0)) returned 1 [0243.290] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88460 | out: pbBuffer=0x12b88460) returned 1 [0243.290] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0243.290] ReadFile (in: hFile=0x44c, lpBuffer=0x12998000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1298fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12998000*, lpNumberOfBytesRead=0x1298fd1c*=0x15ec0, lpOverlapped=0x0) returned 1 [0243.297] GetFileType (hFile=0x44c) returned 0x1 [0243.297] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1298fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.297] WriteFile (in: hFile=0x44c, lpBuffer=0x129f8000*, nNumberOfBytesToWrite=0x15ec0, lpNumberOfBytesWritten=0x1298fd00, lpOverlapped=0x1298fd0c | out: lpBuffer=0x129f8000*, lpNumberOfBytesWritten=0x1298fd00*=0x15ec0, lpOverlapped=0x1298fd0c) returned 1 [0243.306] GetFileType (hFile=0x44c) returned 0x1 [0243.306] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15ec0, lpNewFilePointer=0x0, dwMoveMethod=0x1298fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.306] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0243.306] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf01 | out: pbBuffer=0x12afcf01) returned 1 [0243.306] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd001 | out: pbBuffer=0x12afd001) returned 1 [0243.307] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341d8 | out: pbBuffer=0x12c341d8) returned 1 [0243.307] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.307] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1298fd0c | out: lpMode=0x1298fd0c) returned 0 [0243.307] WriteFile (in: hFile=0x3e4, lpBuffer=0x12be4a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1298fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12be4a00*, lpNumberOfBytesWritten=0x1298fd0c*=0x276, lpOverlapped=0x0) returned 1 [0243.322] CloseHandle (hObject=0x3e4) returned 1 [0243.322] CloseHandle (hObject=0x44c) returned 1 [0243.327] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341f0 | out: pbBuffer=0x12c341f0) returned 1 [0243.327] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\#_THIS_FILE_IS_ENCRYPTED_[809A2671470A9E2A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\#_this_file_is_encrypted_[809a2671470a9e2a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.350] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.370] SetEvent (hEvent=0x1d0) returned 1 [0243.370] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.371] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0243.371] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16423422, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x16423422, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1674456a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0)) returned 1 [0243.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88660 | out: pbBuffer=0x12b88660) returned 1 [0243.371] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34238 | out: pbBuffer=0x12c34238) returned 1 [0243.371] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0243.375] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.375] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0243.375] SetEvent (hEvent=0x110) returned 1 [0243.375] SetEvent (hEvent=0x1d0) returned 1 [0243.376] ReadFile (in: hFile=0x3e4, lpBuffer=0x1294c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x1294c000*, lpNumberOfBytesRead=0x12829d1c*=0x16ec0, lpOverlapped=0x0) returned 1 [0243.433] GetFileType (hFile=0x3e4) returned 0x1 [0243.434] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.434] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c44000*, nNumberOfBytesToWrite=0x16ec0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c44000*, lpNumberOfBytesWritten=0x12829d00*=0x16ec0, lpOverlapped=0x12829d0c) returned 1 [0243.434] GetFileType (hFile=0x3e4) returned 0x1 [0243.434] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x16ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.435] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd281 | out: pbBuffer=0x12afd281) returned 1 [0243.435] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd381 | out: pbBuffer=0x12afd381) returned 1 [0243.435] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd481 | out: pbBuffer=0x12afd481) returned 1 [0243.436] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c342f0 | out: pbBuffer=0x12c342f0) returned 1 [0243.437] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.437] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0243.437] WriteFile (in: hFile=0x42c, lpBuffer=0x12be4f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12be4f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.441] CloseHandle (hObject=0x42c) returned 1 [0243.442] CloseHandle (hObject=0x3e4) returned 1 [0243.442] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34308 | out: pbBuffer=0x12c34308) returned 1 [0243.442] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\#_THIS_FILE_IS_ENCRYPTED_[544238C5617BEB74]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\#_this_file_is_encrypted_[544238c5617beb74]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.445] SetEvent (hEvent=0x1d0) returned 1 [0243.445] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0243.453] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.453] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0243.454] SetEvent (hEvent=0x1d0) returned 1 [0243.454] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0243.467] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.468] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.469] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0243.469] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18e9b2c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x18e9b2c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c03a060, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0)) returned 1 [0243.469] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e2c0 | out: pbBuffer=0x1280e2c0) returned 1 [0243.469] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0243.469] ReadFile (in: hFile=0x458, lpBuffer=0x12c5c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c5c000*, lpNumberOfBytesRead=0x1282fd1c*=0x156c0, lpOverlapped=0x0) returned 1 [0243.511] GetFileType (hFile=0x458) returned 0x1 [0243.511] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.511] WriteFile (in: hFile=0x458, lpBuffer=0x12c0e000*, nNumberOfBytesToWrite=0x156c0, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12c0e000*, lpNumberOfBytesWritten=0x1282fd00*=0x156c0, lpOverlapped=0x1282fd0c) returned 1 [0243.512] GetFileType (hFile=0x458) returned 0x1 [0243.512] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x156c0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0243.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0243.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0243.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0243.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848590 | out: pbBuffer=0x12848590) returned 1 [0243.512] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0243.512] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0243.513] WriteFile (in: hFile=0x44c, lpBuffer=0x12be4000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12be4000*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0243.513] CloseHandle (hObject=0x44c) returned 1 [0243.513] CloseHandle (hObject=0x458) returned 1 [0243.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485a8 | out: pbBuffer=0x128485a8) returned 1 [0243.513] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\#_THIS_FILE_IS_ENCRYPTED_[B24208EC0876583E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\#_this_file_is_encrypted_[b24208ec0876583e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.514] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0243.515] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0243.515] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12a97ad0 | out: lpFileInformation=0x12a97ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fc483, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x251fc483, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x259bd4f8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0)) returned 1 [0243.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e540 | out: pbBuffer=0x1280e540) returned 1 [0243.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848610 | out: pbBuffer=0x12848610) returned 1 [0243.515] ReadFile (in: hFile=0x458, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a97d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a97d1c*=0x17ec0, lpOverlapped=0x0) returned 1 [0243.532] GetFileType (hFile=0x458) returned 0x1 [0243.532] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.532] WriteFile (in: hFile=0x458, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x17ec0, lpNumberOfBytesWritten=0x12a97d00, lpOverlapped=0x12a97d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a97d00*=0x17ec0, lpOverlapped=0x12a97d0c) returned 1 [0243.533] GetFileType (hFile=0x458) returned 0x1 [0243.533] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x17ec0, lpNewFilePointer=0x0, dwMoveMethod=0x12a97ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b01 | out: pbBuffer=0x12800b01) returned 1 [0243.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800c01 | out: pbBuffer=0x12800c01) returned 1 [0243.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d01 | out: pbBuffer=0x12800d01) returned 1 [0243.533] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848938 | out: pbBuffer=0x12848938) returned 1 [0243.533] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.534] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12a97d0c | out: lpMode=0x12a97d0c) returned 0 [0243.534] WriteFile (in: hFile=0x3e4, lpBuffer=0x12be4500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a97d0c, lpOverlapped=0x0 | out: lpBuffer=0x12be4500*, lpNumberOfBytesWritten=0x12a97d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.534] CloseHandle (hObject=0x3e4) returned 1 [0243.534] CloseHandle (hObject=0x458) returned 1 [0243.534] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848960 | out: pbBuffer=0x12848960) returned 1 [0243.534] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\#_THIS_FILE_IS_ENCRYPTED_[0E389C68260FC95D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\#_this_file_is_encrypted_[0e389c68260fc95d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0243.582] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.817] SetEvent (hEvent=0x1b8) returned 1 [0243.817] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.824] SetEvent (hEvent=0x420) returned 1 [0243.824] SetEvent (hEvent=0xfc) returned 1 [0243.824] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.850] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.871] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.924] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0243.936] SetEvent (hEvent=0xfc) returned 1 [0243.936] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0243.937] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0243.937] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a6602d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0243.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0243.937] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848448 | out: pbBuffer=0x12848448) returned 1 [0243.937] ReadFile (in: hFile=0x3e4, lpBuffer=0x12ac2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesRead=0x12857d1c*=0x154c0, lpOverlapped=0x0) returned 1 [0243.964] GetFileType (hFile=0x3e4) returned 0x1 [0243.964] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.964] WriteFile (in: hFile=0x3e4, lpBuffer=0x129d8000*, nNumberOfBytesToWrite=0x154c0, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x129d8000*, lpNumberOfBytesWritten=0x12857d00*=0x154c0, lpOverlapped=0x12857d0c) returned 1 [0243.965] GetFileType (hFile=0x3e4) returned 0x1 [0243.965] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x154c0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0243.965] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0243.965] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0243.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800781 | out: pbBuffer=0x12800781) returned 1 [0243.966] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848590 | out: pbBuffer=0x12848590) returned 1 [0243.966] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0243.967] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0243.967] WriteFile (in: hFile=0x42c, lpBuffer=0x12d02500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12d02500*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0243.967] CloseHandle (hObject=0x42c) returned 1 [0243.967] CloseHandle (hObject=0x3e4) returned 1 [0243.967] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128485a8 | out: pbBuffer=0x128485a8) returned 1 [0243.968] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\#_THIS_FILE_IS_ENCRYPTED_[69A0111DCD15D522]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\#_this_file_is_encrypted_[69a0111dcd15d522]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.055] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.113] SetEvent (hEvent=0x1b8) returned 1 [0244.113] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.114] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.114] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bc64f47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c043349, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0)) returned 1 [0244.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0244.114] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34d30 | out: pbBuffer=0x12c34d30) returned 1 [0244.115] ReadFile (in: hFile=0x44c, lpBuffer=0x12d68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d68000*, lpNumberOfBytesRead=0x12829d1c*=0x164c0, lpOverlapped=0x0) returned 1 [0244.124] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.165] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.200] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.323] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.367] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.509] SetEvent (hEvent=0xfc) returned 1 [0244.509] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.527] SetEvent (hEvent=0xfc) returned 1 [0244.527] SetEvent (hEvent=0x1b8) returned 1 [0244.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.528] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.528] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36f7c3c3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0)) returned 1 [0244.528] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0244.528] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a018 | out: pbBuffer=0x12a9a018) returned 1 [0244.528] ReadFile (in: hFile=0x44c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12855d1c*=0x162c0, lpOverlapped=0x0) returned 1 [0244.555] GetFileType (hFile=0x44c) returned 0x1 [0244.555] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.555] WriteFile (in: hFile=0x44c, lpBuffer=0x129b6000*, nNumberOfBytesToWrite=0x162c0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x129b6000*, lpNumberOfBytesWritten=0x12855d00*=0x162c0, lpOverlapped=0x12855d0c) returned 1 [0244.556] GetFileType (hFile=0x44c) returned 0x1 [0244.556] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x162c0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.556] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0244.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0244.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0244.557] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a100 | out: pbBuffer=0x12a9a100) returned 1 [0244.557] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0244.557] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.558] WriteFile (in: hFile=0x450, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.558] CloseHandle (hObject=0x450) returned 1 [0244.558] CloseHandle (hObject=0x44c) returned 1 [0244.558] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a118 | out: pbBuffer=0x12a9a118) returned 1 [0244.558] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\#_THIS_FILE_IS_ENCRYPTED_[8CD22025CB2E0CCD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\#_this_file_is_encrypted_[8cd22025cb2e0ccd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.560] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.561] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.561] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c07d3b2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c07d3b2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c816989, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x116c0)) returned 1 [0244.561] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98240 | out: pbBuffer=0x12a98240) returned 1 [0244.561] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0244.561] ReadFile (in: hFile=0x44c, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12855d1c*=0x116c0, lpOverlapped=0x0) returned 1 [0244.615] GetFileType (hFile=0x44c) returned 0x1 [0244.615] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.615] WriteFile (in: hFile=0x44c, lpBuffer=0x12bca000*, nNumberOfBytesToWrite=0x116c0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12bca000*, lpNumberOfBytesWritten=0x12855d00*=0x116c0, lpOverlapped=0x12855d0c) returned 1 [0244.620] GetFileType (hFile=0x44c) returned 0x1 [0244.620] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x116c0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.620] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0244.621] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0244.621] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0244.621] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a238 | out: pbBuffer=0x12a9a238) returned 1 [0244.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0244.622] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.622] WriteFile (in: hFile=0x450, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.622] CloseHandle (hObject=0x450) returned 1 [0244.622] CloseHandle (hObject=0x44c) returned 1 [0244.622] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a250 | out: pbBuffer=0x12a9a250) returned 1 [0244.622] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\#_THIS_FILE_IS_ENCRYPTED_[CAEA1C46085121DA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\#_this_file_is_encrypted_[caea1c46085121da]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.624] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.642] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.767] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.779] SetEvent (hEvent=0xfc) returned 1 [0244.779] SwitchToThread () returned 1 [0244.792] SetEvent (hEvent=0x1b8) returned 1 [0244.793] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.794] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.794] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4137d061, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4137d061, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x41f429f3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0)) returned 1 [0244.794] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0244.794] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0244.794] ReadFile (in: hFile=0x458, lpBuffer=0x12d62000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d62000*, lpNumberOfBytesRead=0x12855d1c*=0x154c0, lpOverlapped=0x0) returned 1 [0244.812] GetFileType (hFile=0x458) returned 0x1 [0244.812] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.812] WriteFile (in: hFile=0x458, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x154c0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12855d00*=0x154c0, lpOverlapped=0x12855d0c) returned 1 [0244.813] GetFileType (hFile=0x458) returned 0x1 [0244.813] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x154c0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0244.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0244.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0244.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0244.814] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.814] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0244.814] WriteFile (in: hFile=0x44c, lpBuffer=0x12a92000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a92000*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.814] CloseHandle (hObject=0x44c) returned 1 [0244.814] CloseHandle (hObject=0x458) returned 1 [0244.814] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0244.815] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\#_THIS_FILE_IS_ENCRYPTED_[0469B507DFB221B9]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\#_this_file_is_encrypted_[0469b507dfb221b9]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.878] SetEvent (hEvent=0x110) returned 1 [0244.878] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0244.906] SetEvent (hEvent=0xfc) returned 1 [0244.906] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0244.907] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.907] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44fb0692, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x44fb0692, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45d3fb83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0)) returned 1 [0244.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98220 | out: pbBuffer=0x12a98220) returned 1 [0244.907] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a160 | out: pbBuffer=0x12a9a160) returned 1 [0244.907] ReadFile (in: hFile=0x458, lpBuffer=0x129b0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129b0000*, lpNumberOfBytesRead=0x12829d1c*=0x160c0, lpOverlapped=0x0) returned 1 [0244.921] GetFileType (hFile=0x458) returned 0x1 [0244.922] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.922] WriteFile (in: hFile=0x458, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x160c0, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12829d00*=0x160c0, lpOverlapped=0x12829d0c) returned 1 [0244.922] GetFileType (hFile=0x458) returned 0x1 [0244.922] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x160c0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0244.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0244.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0244.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0244.923] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a238 | out: pbBuffer=0x12a9a238) returned 1 [0244.923] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0244.924] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0244.924] WriteFile (in: hFile=0x44c, lpBuffer=0x12912f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912f00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0244.924] CloseHandle (hObject=0x44c) returned 1 [0244.924] CloseHandle (hObject=0x458) returned 1 [0244.924] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a260 | out: pbBuffer=0x12a9a260) returned 1 [0244.924] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\#_THIS_FILE_IS_ENCRYPTED_[E3CA59DA9180B95F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\#_this_file_is_encrypted_[e3ca59da9180b95f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0244.956] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.037] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.056] SetEvent (hEvent=0xfc) returned 1 [0245.056] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.062] SetEvent (hEvent=0x1b8) returned 1 [0245.062] SetEvent (hEvent=0xf4) returned 1 [0245.062] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.217] SetEvent (hEvent=0xfc) returned 1 [0245.217] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.297] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.300] SetEvent (hEvent=0x1b8) returned 1 [0245.300] SetEvent (hEvent=0x3f8) returned 1 [0245.300] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.301] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.301] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4887669e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4887669e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x49aa44f0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0)) returned 1 [0245.302] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88000 | out: pbBuffer=0x12b88000) returned 1 [0245.302] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34008 | out: pbBuffer=0x12c34008) returned 1 [0245.315] ReadFile (in: hFile=0x42c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12857d1c*=0x144c0, lpOverlapped=0x0) returned 1 [0245.345] GetFileType (hFile=0x42c) returned 0x1 [0245.345] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.345] WriteFile (in: hFile=0x42c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x144c0, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12857d00*=0x144c0, lpOverlapped=0x12857d0c) returned 1 [0245.346] GetFileType (hFile=0x42c) returned 0x1 [0245.346] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x144c0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0245.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0245.346] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0245.347] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340c0 | out: pbBuffer=0x12c340c0) returned 1 [0245.347] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0245.347] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.347] WriteFile (in: hFile=0x450, lpBuffer=0x12a92000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a92000*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.348] CloseHandle (hObject=0x450) returned 1 [0245.348] CloseHandle (hObject=0x42c) returned 1 [0245.348] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0245.348] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\#_THIS_FILE_IS_ENCRYPTED_[0A7B29DDB16EB623]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\#_this_file_is_encrypted_[0a7b29ddb16eb623]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.350] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.350] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.350] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c6c0410, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c6c0410, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d06fe04, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd2c0)) returned 1 [0245.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88220 | out: pbBuffer=0x12b88220) returned 1 [0245.351] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34120 | out: pbBuffer=0x12c34120) returned 1 [0245.351] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12857d1c*=0xd2c0, lpOverlapped=0x0) returned 1 [0245.410] GetFileType (hFile=0x42c) returned 0x1 [0245.410] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.410] WriteFile (in: hFile=0x42c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0xd2c0, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12857d00*=0xd2c0, lpOverlapped=0x12857d0c) returned 1 [0245.411] GetFileType (hFile=0x42c) returned 0x1 [0245.411] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xd2c0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.411] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0245.411] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0245.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0245.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341d8 | out: pbBuffer=0x12c341d8) returned 1 [0245.412] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0245.412] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.412] WriteFile (in: hFile=0x44c, lpBuffer=0x12a92500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a92500*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.412] CloseHandle (hObject=0x44c) returned 1 [0245.412] CloseHandle (hObject=0x42c) returned 1 [0245.413] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341f0 | out: pbBuffer=0x12c341f0) returned 1 [0245.413] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\filesync.localizedresources.dll.mui"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\#_THIS_FILE_IS_ENCRYPTED_[37C515B80606C3CC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\#_this_file_is_encrypted_[37c515b80606c3cc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.414] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.438] SetEvent (hEvent=0x3f8) returned 1 [0245.438] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\filesync.localizedresources.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0245.439] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0245.439] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\FileSync.LocalizedResources.dll.mui" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\filesync.localizedresources.dll.mui"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637d9cb5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x637d9cb5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63e1c02f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0)) returned 1 [0245.439] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88420 | out: pbBuffer=0x12b88420) returned 1 [0245.440] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34238 | out: pbBuffer=0x12c34238) returned 1 [0245.440] ReadFile (in: hFile=0x44c, lpBuffer=0x1296e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x1296e000*, lpNumberOfBytesRead=0x12829d1c*=0x168c0, lpOverlapped=0x0) returned 1 [0245.484] SetEvent (hEvent=0xf4) returned 1 [0245.484] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.507] SetEvent (hEvent=0xfc) returned 1 [0245.508] SetEvent (hEvent=0x420) returned 1 [0245.508] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0245.522] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.522] SetEvent (hEvent=0x420) returned 1 [0245.522] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0245.527] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.527] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0245.528] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0245.529] SetEvent (hEvent=0xf4) returned 1 [0245.529] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0245.542] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.542] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_474-cac.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.544] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.544] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_474-cac.log"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6630871f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66bb717b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x215e)) returned 1 [0245.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0245.544] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0245.544] ReadFile (in: hFile=0x42c, lpBuffer=0x1298e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x1298e000*, lpNumberOfBytesRead=0x12857d1c*=0x215e, lpOverlapped=0x0) returned 1 [0245.562] GetFileType (hFile=0x42c) returned 0x1 [0245.562] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.562] WriteFile (in: hFile=0x42c, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x215e, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12857d00*=0x215e, lpOverlapped=0x12857d0c) returned 1 [0245.562] GetFileType (hFile=0x42c) returned 0x1 [0245.562] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x215e, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0245.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0245.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0245.563] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0245.563] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_474-cac.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0245.564] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.564] WriteFile (in: hFile=0x458, lpBuffer=0x12a48000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a48000*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.564] CloseHandle (hObject=0x458) returned 1 [0245.564] CloseHandle (hObject=0x42c) returned 1 [0245.564] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0245.565] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_474-cac.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[3D5194301A5DE1FB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[3d5194301a5de1fb]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.566] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132413_e60-e64.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0245.567] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.567] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132413_e60-e64.log"), fInfoLevelId=0x0, lpFileInformation=0x12857ad0 | out: lpFileInformation=0x12857ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xced0b146, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xced0b146, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c297983, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x36366)) returned 1 [0245.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e480 | out: pbBuffer=0x1280e480) returned 1 [0245.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848420 | out: pbBuffer=0x12848420) returned 1 [0245.567] ReadFile (in: hFile=0x42c, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12857d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12857d1c*=0x20000, lpOverlapped=0x0) returned 1 [0245.642] GetFileType (hFile=0x42c) returned 0x1 [0245.642] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.642] WriteFile (in: hFile=0x42c, lpBuffer=0x12c84000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12857d00, lpOverlapped=0x12857d0c | out: lpBuffer=0x12c84000*, lpNumberOfBytesWritten=0x12857d00*=0x20000, lpOverlapped=0x12857d0c) returned 1 [0245.644] GetFileType (hFile=0x42c) returned 0x1 [0245.644] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12857ce4 | out: lpNewFilePointer=0x0) returned 1 [0245.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0245.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0245.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0245.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484e8 | out: pbBuffer=0x128484e8) returned 1 [0245.645] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132413_e60-e64.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0245.645] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857d0c | out: lpMode=0x12857d0c) returned 0 [0245.645] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a48a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12857d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a48a00*, lpNumberOfBytesWritten=0x12857d0c*=0x276, lpOverlapped=0x0) returned 1 [0245.645] CloseHandle (hObject=0x3e4) returned 1 [0245.680] CloseHandle (hObject=0x42c) returned 1 [0245.782] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340d8 | out: pbBuffer=0x12c340d8) returned 1 [0245.782] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132413_e60-e64.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[8D117F72D3101C26]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[8d117f72d3101c26]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0245.966] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0245.980] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0246.002] SetEvent (hEvent=0x1d0) returned 1 [0247.480] WSASend (in: s=0x1a4, lpBuffers=0x128e60b4*=((len=0x1df, buf=0x1286c5a0*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x128e60a8, dwFlags=0x0, lpOverlapped=0x128e6088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x128e60a8*=0x1df, lpOverlapped=0x128e6088) returned 0 [0247.495] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0248.512] SwitchToThread () returned 1 [0248.589] SetEvent (hEvent=0x40c) returned 1 [0248.718] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11bc67, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0248.719] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0248.719] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11bc67, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0248.739] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11bc67, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0248.739] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11cf49, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gliding", cAlternateFileName="")) returned 1 [0248.739] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0248.739] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0248.931] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0248.932] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0248.932] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0248.934] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0248.934] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0248.935] CloseHandle (hObject=0x3e4) returned 1 [0248.935] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\gliding"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11cf49, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0248.936] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\gliding"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0248.936] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11cf49, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0248.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11cf49, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0248.936] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0248.936] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0248.936] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\gliding\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0248.937] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\gliding\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0248.937] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\gliding\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0248.938] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0248.938] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0248.939] CloseHandle (hObject=0x3e4) returned 1 [0248.939] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0248.939] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0248.940] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0248.940] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0248.940] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0248.940] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0248.940] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0248.940] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0248.940] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0248.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0248.942] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0248.942] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0248.943] CloseHandle (hObject=0x3e4) returned 1 [0248.943] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0248.943] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0248.943] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0248.944] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0248.944] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0248.944] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0248.944] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0248.944] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0248.944] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0248.944] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0248.945] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0248.945] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0248.947] CloseHandle (hObject=0x3e4) returned 1 [0248.947] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0248.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\desktop"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0248.947] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\*", lpFindFileData=0x1282b8a0 | out: lpFindFileData=0x1282b8a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0248.947] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0248.948] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b8e4 | out: lpFindFileData=0x1282b8e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0248.948] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0248.948] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\desktop\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b568 | out: lpFileInformation=0x1282b568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0248.948] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\desktop\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0248.948] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\desktop\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0248.949] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b778 | out: lpMode=0x1282b778) returned 0 [0248.949] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1282b778*=0x118a, lpOverlapped=0x0) returned 1 [0248.951] CloseHandle (hObject=0x3e4) returned 1 [0248.951] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0248.951] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0248.951] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0248.951] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0248.951] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4BF4C442-9B8A-41A0-B380-DD4A704DDB28", cAlternateFileName="4BF4C4~1")) returned 1 [0248.951] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UserProfileRoaming", cAlternateFileName="USERPR~1")) returned 1 [0248.952] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0248.952] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0248.952] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0248.952] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0248.952] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0249.038] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0249.038] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0249.039] CloseHandle (hObject=0x3e4) returned 1 [0249.146] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0249.146] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0249.146] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0249.147] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0249.147] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 1 [0249.147] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0249.147] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0249.147] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0249.147] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0249.148] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0249.320] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0249.320] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0249.322] CloseHandle (hObject=0x3e4) returned 1 [0249.606] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\Policy.vpol" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\policy.vpol"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1b4)) returned 1 [0249.774] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming"), fInfoLevelId=0x0, lpFileInformation=0x1282ba2c | out: lpFileInformation=0x1282ba2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0249.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0249.775] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\*", lpFindFileData=0x1282b904 | out: lpFindFileData=0x1282b904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0249.775] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0249.775] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7eb68271, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Latest.dat", cAlternateFileName="")) returned 1 [0249.776] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x1282b948 | out: lpFindFileData=0x1282b948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0249.776] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0249.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b5cc | out: lpFileInformation=0x1282b5cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0249.821] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0250.094] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\Policy.vpol" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\policy.vpol"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0250.096] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12db5d0c | out: lpMode=0x12db5d0c) returned 0 [0250.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\Policy.vpol" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\policy.vpol"), fInfoLevelId=0x0, lpFileInformation=0x12db5ad0 | out: lpFileInformation=0x12db5ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1b4)) returned 1 [0250.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a980e0 | out: pbBuffer=0x12a980e0) returned 1 [0250.110] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810cf8 | out: pbBuffer=0x12810cf8) returned 1 [0250.260] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0250.262] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b7dc | out: lpMode=0x1282b7dc) returned 0 [0250.262] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b7dc, lpOverlapped=0x0 | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x1282b7dc*=0x118a, lpOverlapped=0x0) returned 1 [0250.264] CloseHandle (hObject=0x42c) returned 1 [0250.264] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\Latest.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\latest.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282b9c8 | out: lpFileInformation=0x1282b9c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7eb68271, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x1)) returned 1 [0250.264] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf89b6cfd, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf89b6cfd, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0250.264] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.264] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf89b6cfd, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf89b6cfd, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0250.277] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf89b6cfd, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf89b6cfd, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0250.277] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2423f479, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2423f479, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2423f479, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0", cAlternateFileName="")) returned 1 [0250.277] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd4d9a492, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd4d9a492, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd4d9a492, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0250.277] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37d807a2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xcf98ce72, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xcf98ce72, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActionCenterCache", cAlternateFileName="ACTION~1")) returned 1 [0250.277] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f810a8a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3f810a8a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43695fb2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Application Shortcuts", cAlternateFileName="APPLIC~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81988c19, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xa0eeabde, ftLastAccessTime.dwHighDateTime=0x1d7a941, ftLastWriteTime.dwLowDateTime=0xa0eeabde, ftLastWriteTime.dwHighDateTime=0x1d7a941, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Burn", cAlternateFileName="")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f7a181e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd2f74aef, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xd2f74aef, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Caches", cAlternateFileName="")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f6df80c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xaed678f3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xaed678f3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Explorer", cAlternateFileName="")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GameExplorer", cAlternateFileName="GAMEEX~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f959ee, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f959ee, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf463a670, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf463a670, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IECompatCache", cAlternateFileName="IECOMP~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf46651f8, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf46651f8, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IECompatUaCache", cAlternateFileName="IECOMP~2")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf89b6cfd, ftCreationTime.dwHighDateTime=0x1d82a28, ftLastAccessTime.dwLowDateTime=0xf89b6cfd, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf89b6cfd, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEDownloadHistory", cAlternateFileName="IEDOWN~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa49dfe15, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa49dfe15, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa081e338, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xa081e338, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xafc9a821, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xafc9a821, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xafc9a821, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notifications", cAlternateFileName="NOTIFI~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47cd6d9c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47cd6d9c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShell", cAlternateFileName="POWERS~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x400db452, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xab1ccb9c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab1ccb9c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PRICache", cAlternateFileName="")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ringtones", cAlternateFileName="RINGTO~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingTiles", cAlternateFileName="ROAMIN~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x9586b313, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x95891577, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x95891577, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SettingSync", cAlternateFileName="SETTIN~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d1ab059, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3757c8c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shell", cAlternateFileName="")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0250.278] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f5ae5bb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xe918c49a, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xe918c49a, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UPPS", cAlternateFileName="")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x3d51879a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6b1e3c5f, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x6b1e3c5f, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x1c0000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat", cAlternateFileName="")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d51879a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d51879a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d51879a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x7f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat.LOG1", cAlternateFileName="USRCLA~1.LOG")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d51879a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d51879a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d51879a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x79800, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat.LOG2", cAlternateFileName="USRCLA~2.LOG")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d51879a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d51879a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6345aa97, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat{6c1df322-6c5b-11eb-b0a5-00053a318d5c}.TM.blf", cAlternateFileName="USRCLA~1.BLF")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d53e9ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d53e9ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat{6c1df322-6c5b-11eb-b0a5-00053a318d5c}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="USRCLA~1.REG")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d564ab0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d564ab0, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6345aa97, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat{6c1df322-6c5b-11eb-b0a5-00053a318d5c}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="USRCLA~2.REG")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3f28d414, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xdbf15394, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0xdbf15394, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WebCache", cAlternateFileName="")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3f28d414, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3f28d414, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3f28d414, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WebCacheLock.dat", cAlternateFileName="WEBCAC~1.DAT")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinX", cAlternateFileName="")) returned 1 [0250.279] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0250.279] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0250.474] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows live"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87ca06a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87ca06a1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0250.474] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows live"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.474] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87ca06a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87ca06a1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0250.475] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87ca06a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87ca06a1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0250.475] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x66f63801, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f63801, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bici", cAlternateFileName="")) returned 1 [0250.475] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0250.475] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0250.475] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows sidebar"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d0c63cd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0250.476] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows sidebar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.476] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d0c63cd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0250.476] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d0c63cd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0250.476] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0250.476] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x973d55c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0250.476] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0250.476] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0250.477] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge"), fInfoLevelId=0x0, lpFileInformation=0x1282baf4 | out: lpFileInformation=0x1282baf4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0250.477] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.477] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\*", lpFindFileData=0x1282b9cc | out: lpFindFileData=0x1282b9cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0250.477] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0250.477] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SharedCacheContainers", cAlternateFileName="SHARED~1")) returned 1 [0250.477] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x1282ba10 | out: lpFindFileData=0x1282ba10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0250.478] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0250.478] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b694 | out: lpFileInformation=0x1282b694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0250.478] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0250.478] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0250.479] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b8a4 | out: lpMode=0x1282b8a4) returned 0 [0250.479] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2d300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b8a4, lpOverlapped=0x0 | out: lpBuffer=0x12c2d300*, lpNumberOfBytesWritten=0x1282b8a4*=0x118a, lpOverlapped=0x0) returned 1 [0250.480] CloseHandle (hObject=0x42c) returned 1 [0250.481] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers"), fInfoLevelId=0x0, lpFileInformation=0x1282ba90 | out: lpFileInformation=0x1282ba90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x435d739, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x435d739, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0250.481] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0250.482] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\*", lpFindFileData=0x1282b968 | out: lpFindFileData=0x1282b968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x435d739, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0250.482] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x435d739, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0250.482] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MicrosoftEdge_iecompat", cAlternateFileName="MICROS~1")) returned 1 [0250.482] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x435d739, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MicrosoftEdge_iecompatua", cAlternateFileName="MICROS~2")) returned 1 [0250.482] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x1282b9ac | out: lpFindFileData=0x1282b9ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0250.482] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0250.482] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1282b630 | out: lpFileInformation=0x1282b630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0250.482] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0250.482] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0250.611] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282b840 | out: lpMode=0x1282b840) returned 0 [0250.611] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2e600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1282b840, lpOverlapped=0x0 | out: lpBuffer=0x12c2e600*, lpNumberOfBytesWritten=0x1282b840*=0x118a, lpOverlapped=0x0) returned 1 [0251.384] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0251.384] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0251.607] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0252.007] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0252.008] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0252.008] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.010] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0252.010] WriteFile (in: hFile=0x3e4, lpBuffer=0x1295e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1295e000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0252.012] CloseHandle (hObject=0x3e4) returned 1 [0252.012] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.030] SetEvent (hEvent=0x1d0) returned 1 [0252.030] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0252.048] SetEvent (hEvent=0x1d0) returned 1 [0252.048] SetEvent (hEvent=0x40c) returned 1 [0252.049] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_134547_2bc-868.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\#_THIS_FILE_IS_ENCRYPTED_[0B7C4650B9907C9E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\#_this_file_is_encrypted_[0b7c4650b9907c9e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.051] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\Latest.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\latest.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\#_THIS_FILE_IS_ENCRYPTED_[8664EC1CC5200483]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\#_this_file_is_encrypted_[8664ec1cc5200483]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.084] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat\\container.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0252.085] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0252.085] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat\\container.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282fad0 | out: lpFileInformation=0x1282fad0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88020 | out: pbBuffer=0x12b88020) returned 1 [0252.086] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34030 | out: pbBuffer=0x12c34030) returned 1 [0252.088] ReadFile (in: hFile=0x44c, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282fd1c*=0x0, lpOverlapped=0x0) returned 1 [0252.088] CloseHandle (hObject=0x44c) returned 1 [0252.088] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0252.134] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0252.402] SetEvent (hEvent=0x3f8) returned 1 [0252.402] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.402] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0252.402] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45e24a35, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45e24a35, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0252.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88040 | out: pbBuffer=0x12b88040) returned 1 [0252.403] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34040 | out: pbBuffer=0x12c34040) returned 1 [0252.403] ReadFile (in: hFile=0x42c, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12853d1c*=0x4000, lpOverlapped=0x0) returned 1 [0252.446] GetFileType (hFile=0x42c) returned 0x1 [0252.447] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.447] WriteFile (in: hFile=0x42c, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12853d00*=0x4000, lpOverlapped=0x12853d0c) returned 1 [0252.447] GetFileType (hFile=0x42c) returned 0x1 [0252.447] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0252.447] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0252.448] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0252.448] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340f8 | out: pbBuffer=0x12c340f8) returned 1 [0252.448] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0252.448] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0252.448] WriteFile (in: hFile=0x44c, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0252.449] CloseHandle (hObject=0x44c) returned 1 [0252.449] CloseHandle (hObject=0x42c) returned 1 [0252.449] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34110 | out: pbBuffer=0x12c34110) returned 1 [0252.449] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[5EC21CCBC2D0A266]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[5ec21ccbc2d0a266]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.451] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.451] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0252.451] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0252.451] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88240 | out: pbBuffer=0x12b88240) returned 1 [0252.451] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34158 | out: pbBuffer=0x12c34158) returned 1 [0252.452] ReadFile (in: hFile=0x42c, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12853d1c*=0x2000, lpOverlapped=0x0) returned 1 [0252.486] GetFileType (hFile=0x42c) returned 0x1 [0252.486] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.486] WriteFile (in: hFile=0x42c, lpBuffer=0x12a48000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a48000*, lpNumberOfBytesWritten=0x12853d00*=0x2000, lpOverlapped=0x12853d0c) returned 1 [0252.486] GetFileType (hFile=0x42c) returned 0x1 [0252.486] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.486] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0252.486] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834a81 | out: pbBuffer=0x12834a81) returned 1 [0252.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0252.487] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34210 | out: pbBuffer=0x12c34210) returned 1 [0252.487] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0252.487] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0252.487] WriteFile (in: hFile=0x3e4, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0252.487] CloseHandle (hObject=0x3e4) returned 1 [0252.487] CloseHandle (hObject=0x42c) returned 1 [0252.488] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34228 | out: pbBuffer=0x12c34228) returned 1 [0252.488] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[65274B60751E0776]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[65274b60751e0776]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.495] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0252.541] SetEvent (hEvent=0x3f8) returned 1 [0252.541] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.542] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0252.542] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54936dab, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54936dab, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0252.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88600 | out: pbBuffer=0x12b88600) returned 1 [0252.542] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34270 | out: pbBuffer=0x12c34270) returned 1 [0252.543] ReadFile (in: hFile=0x42c, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x12829d1c*=0x4000, lpOverlapped=0x0) returned 1 [0252.553] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0252.565] GetFileType (hFile=0x42c) returned 0x1 [0252.565] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.565] WriteFile (in: hFile=0x42c, lpBuffer=0x12d84000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d84000*, lpNumberOfBytesWritten=0x12829d00*=0x4000, lpOverlapped=0x12829d0c) returned 1 [0252.566] GetFileType (hFile=0x42c) returned 0x1 [0252.566] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0252.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d01 | out: pbBuffer=0x12834d01) returned 1 [0252.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0252.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0252.566] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34328 | out: pbBuffer=0x12c34328) returned 1 [0252.567] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0252.567] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0252.567] WriteFile (in: hFile=0x44c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0252.567] CloseHandle (hObject=0x44c) returned 1 [0252.567] CloseHandle (hObject=0x42c) returned 1 [0252.567] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34340 | out: pbBuffer=0x12c34340) returned 1 [0252.567] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[382B74A1161862C8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[382b74a1161862c8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0252.569] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0252.679] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0252.680] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0252.680] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9037b75e, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9037b75e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9037b75e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0252.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0252.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0252.680] ReadFile (in: hFile=0x42c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0252.680] CloseHandle (hObject=0x42c) returned 1 [0252.680] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0252.969] SetEvent (hEvent=0xf4) returned 1 [0252.970] SetEvent (hEvent=0x3f4) returned 1 [0252.970] SetEvent (hEvent=0x3f8) returned 1 [0252.970] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.185] SetEvent (hEvent=0x420) returned 1 [0254.200] SetEvent (hEvent=0x40c) returned 1 [0254.200] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0254.253] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.253] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0254.257] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.257] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0254.257] SetEvent (hEvent=0xf4) returned 1 [0254.257] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0254.271] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834181 | out: pbBuffer=0x12834181) returned 1 [0254.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834281 | out: pbBuffer=0x12834281) returned 1 [0254.271] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34030 | out: pbBuffer=0x12c34030) returned 1 [0254.272] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.272] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128b1d0c | out: lpMode=0x128b1d0c) returned 0 [0254.272] WriteFile (in: hFile=0x42c, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x128b1d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x128b1d0c*=0x276, lpOverlapped=0x0) returned 1 [0254.272] CloseHandle (hObject=0x42c) returned 1 [0254.273] CloseHandle (hObject=0x3e4) returned 1 [0254.273] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34048 | out: pbBuffer=0x12c34048) returned 1 [0254.273] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[D543B70A12F712B3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[d543b70a12f712b3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.279] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.381] SetEvent (hEvent=0x1d0) returned 1 [0254.381] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.382] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0254.382] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f1e4a00, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f1e4a00, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.382] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88340 | out: pbBuffer=0x12b88340) returned 1 [0254.382] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34090 | out: pbBuffer=0x12c34090) returned 1 [0254.382] ReadFile (in: hFile=0x42c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282bd1c*=0x2000, lpOverlapped=0x0) returned 1 [0254.498] GetFileType (hFile=0x42c) returned 0x1 [0254.498] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0254.498] WriteFile (in: hFile=0x42c, lpBuffer=0x12c38000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12c38000*, lpNumberOfBytesWritten=0x1282bd00*=0x2000, lpOverlapped=0x1282bd0c) returned 1 [0254.499] GetFileType (hFile=0x42c) returned 0x1 [0254.499] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0254.499] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834481 | out: pbBuffer=0x12834481) returned 1 [0254.499] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834981 | out: pbBuffer=0x12834981) returned 1 [0254.499] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b01 | out: pbBuffer=0x12834b01) returned 1 [0254.500] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34258 | out: pbBuffer=0x12c34258) returned 1 [0254.500] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0254.500] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0254.500] WriteFile (in: hFile=0x458, lpBuffer=0x12ac8a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac8a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0254.501] CloseHandle (hObject=0x458) returned 1 [0254.501] CloseHandle (hObject=0x42c) returned 1 [0254.501] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34270 | out: pbBuffer=0x12c34270) returned 1 [0254.501] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[002257C7D34F3AD4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[002257c7d34f3ad4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0254.503] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.504] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0254.504] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4f0ffcee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88540 | out: pbBuffer=0x12b88540) returned 1 [0254.505] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342b8 | out: pbBuffer=0x12c342b8) returned 1 [0254.505] ReadFile (in: hFile=0x42c, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0254.505] CloseHandle (hObject=0x42c) returned 1 [0254.505] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.562] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.657] SetEvent (hEvent=0x1d0) returned 1 [0254.657] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.664] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.665] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat\\*", lpFindFileData=0x12851a44 | out: lpFindFileData=0x12851a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0254.665] SetEvent (hEvent=0x3f4) returned 1 [0254.665] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.721] SwitchToThread () returned 1 [0254.726] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0254.754] SetEvent (hEvent=0x3f4) returned 1 [0254.754] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.755] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0254.755] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0254.755] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0254.755] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c64000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c64000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0254.755] CloseHandle (hObject=0x3e4) returned 1 [0254.756] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.756] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0254.756] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1d30080b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0254.756] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810048 | out: pbBuffer=0x12810048) returned 1 [0254.757] ReadFile (in: hFile=0x3e4, lpBuffer=0x12baa000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12baa000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0254.757] CloseHandle (hObject=0x3e4) returned 1 [0254.757] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1325e11e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1325e11e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.757] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.757] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1325e11e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1325e11e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.757] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1325e11e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1325e11e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.757] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.757] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.758] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.758] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.758] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.758] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.758] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.760] CloseHandle (hObject=0x3e4) returned 1 [0254.760] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.760] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.760] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0254.760] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.760] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.760] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0254.760] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.761] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.761] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.761] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.761] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.763] CloseHandle (hObject=0x3e4) returned 1 [0254.763] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.763] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.763] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.783] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.783] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x949077c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0254.784] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0254.784] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91bbc79, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91bbc79, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0254.784] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0254.784] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0254.784] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0254.784] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0254.784] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x92a08d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0254.784] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0254.784] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.784] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.785] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.787] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0254.787] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0254.788] CloseHandle (hObject=0x3e4) returned 1 [0254.788] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x949077c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.793] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.794] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x949077c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.796] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x949077c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.796] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0254.797] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0254.797] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0254.797] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0254.797] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.797] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.798] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.799] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.799] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.800] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.800] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.801] CloseHandle (hObject=0x3e4) returned 1 [0254.801] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.803] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.803] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0254.804] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.804] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.804] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0254.804] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.804] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.804] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.805] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.805] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c2d300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c2d300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.806] CloseHandle (hObject=0x3e4) returned 1 [0254.806] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.811] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.811] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0254.811] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.811] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.811] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0254.811] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.812] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.812] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.813] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.813] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c2e600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c2e600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.814] CloseHandle (hObject=0x3e4) returned 1 [0254.814] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.814] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.815] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.815] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.815] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.815] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.815] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.815] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.815] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.816] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.816] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c2f900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c2f900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.818] CloseHandle (hObject=0x3e4) returned 1 [0254.821] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.821] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.821] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.822] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.822] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.822] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.822] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.822] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.822] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.823] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.823] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c30c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c30c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.825] CloseHandle (hObject=0x3e4) returned 1 [0254.825] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.825] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.825] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0254.826] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.826] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.826] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0254.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.826] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.826] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.827] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.827] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b12000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b12000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.829] CloseHandle (hObject=0x3e4) returned 1 [0254.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91bbc79, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91bbc79, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.834] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.834] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91bbc79, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91bbc79, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.834] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91bbc79, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91bbc79, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.835] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.835] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.835] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.835] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.835] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.837] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.837] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b13300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b13300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.839] CloseHandle (hObject=0x3e4) returned 1 [0254.840] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.840] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.840] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0254.841] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.841] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.841] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0254.841] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.841] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.841] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.842] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.843] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b14600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b14600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.844] CloseHandle (hObject=0x3e4) returned 1 [0254.844] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.844] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.844] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0254.844] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.844] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0254.845] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.845] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0254.845] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.845] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.845] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.846] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.846] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b15900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12b15900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.847] CloseHandle (hObject=0x3e4) returned 1 [0254.847] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.848] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.848] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.856] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.856] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa3e9b04, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xa3e9b04, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0254.856] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d0eebc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0254.856] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d0eebc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0254.856] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.856] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.857] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.858] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.858] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.860] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0254.860] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b16c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12b16c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0254.861] CloseHandle (hObject=0x3e4) returned 1 [0254.861] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa3e9b04, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xa3e9b04, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0254.863] SetEvent (hEvent=0x3f4) returned 1 [0254.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d0eebc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0254.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d0eebc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.863] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.863] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.863] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0254.864] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.864] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.864] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0254.864] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.864] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.864] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0254.865] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.865] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a66000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a66000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.866] CloseHandle (hObject=0x3e4) returned 1 [0254.867] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.867] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0254.867] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0254.867] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0254.867] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0254.867] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0254.867] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0254.867] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0254.867] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0254.868] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0254.970] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.972] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0254.972] WriteFile (in: hFile=0x42c, lpBuffer=0x12a67300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a67300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0254.973] CloseHandle (hObject=0x42c) returned 1 [0254.973] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.974] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.974] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.974] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0254.974] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128afad0 | out: lpFileInformation=0x128afad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0254.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929280 | out: pbBuffer=0x12929280) returned 1 [0254.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811050 | out: pbBuffer=0x12811050) returned 1 [0254.975] ReadFile (in: hFile=0x42c, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128afd1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x128afd1c*=0x0, lpOverlapped=0x0) returned 1 [0254.975] CloseHandle (hObject=0x42c) returned 1 [0254.975] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0254.975] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0254.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128afad0 | out: lpFileInformation=0x128afad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0254.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129292a0 | out: pbBuffer=0x129292a0) returned 1 [0254.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811060 | out: pbBuffer=0x12811060) returned 1 [0254.976] ReadFile (in: hFile=0x42c, lpBuffer=0x129b6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128afd1c, lpOverlapped=0x0 | out: lpBuffer=0x129b6000*, lpNumberOfBytesRead=0x128afd1c*=0x2000, lpOverlapped=0x0) returned 1 [0254.980] GetFileType (hFile=0x42c) returned 0x1 [0254.980] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x128afce4 | out: lpNewFilePointer=0x0) returned 1 [0254.980] WriteFile (in: hFile=0x42c, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x128afd00, lpOverlapped=0x128afd0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x128afd00*=0x2000, lpOverlapped=0x128afd0c) returned 1 [0254.980] GetFileType (hFile=0x42c) returned 0x1 [0254.980] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x128afce4 | out: lpNewFilePointer=0x0) returned 1 [0254.992] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835081 | out: pbBuffer=0x12835081) returned 1 [0254.992] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835181 | out: pbBuffer=0x12835181) returned 1 [0254.992] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835281 | out: pbBuffer=0x12835281) returned 1 [0255.004] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811118 | out: pbBuffer=0x12811118) returned 1 [0255.004] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0255.005] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0255.005] WriteFile (in: hFile=0x44c, lpBuffer=0x12c1e000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x128afd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c1e000*, lpNumberOfBytesWritten=0x128afd0c*=0x276, lpOverlapped=0x0) returned 1 [0255.016] CloseHandle (hObject=0x44c) returned 1 [0255.016] CloseHandle (hObject=0x42c) returned 1 [0255.016] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811130 | out: pbBuffer=0x12811130) returned 1 [0255.038] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[85294D84DE8B01BF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[85294d84de8b01bf]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0255.781] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0255.825] SetEvent (hEvent=0xf4) returned 1 [0255.825] SetEvent (hEvent=0x420) returned 1 [0255.838] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x92a08d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.839] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0255.839] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x92a08d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0255.839] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x92a08d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0255.840] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0255.840] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0255.840] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0255.840] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0255.840] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0255.842] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0255.842] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0255.843] CloseHandle (hObject=0x42c) returned 1 [0255.843] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.844] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0255.844] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0255.844] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0255.844] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0255.844] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0255.845] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0255.845] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0255.845] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0255.846] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0255.846] WriteFile (in: hFile=0x42c, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0255.848] CloseHandle (hObject=0x42c) returned 1 [0255.848] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.870] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0255.870] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0255.919] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0255.919] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0255.919] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0255.919] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1823c56, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1823c56, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0255.919] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0255.919] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0255.919] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0255.920] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0255.920] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0255.920] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0255.920] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0255.920] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0255.921] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0255.922] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0255.922] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0255.924] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0255.924] WriteFile (in: hFile=0x42c, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0255.925] CloseHandle (hObject=0x42c) returned 1 [0255.926] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0255.947] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336668c0 [0255.952] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0255.953] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0255.953] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0255.953] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0255.953] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0255.953] FindNextFileW (in: hFindFile=0x336668c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0255.953] FindClose (in: hFindFile=0x336668c0 | out: hFindFile=0x336668c0) returned 1 [0255.954] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0255.955] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0255.956] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0255.960] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0255.960] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0255.962] CloseHandle (hObject=0x3e4) returned 1 [0255.962] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.966] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0255.967] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0255.967] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0255.967] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0255.967] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0255.967] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0255.967] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0255.968] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0255.969] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0255.969] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0255.970] CloseHandle (hObject=0x3e4) returned 1 [0255.970] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.977] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0255.977] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0255.977] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0255.977] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0255.977] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0255.977] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0255.977] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0255.978] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0255.980] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0255.980] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0255.982] CloseHandle (hObject=0x3e4) returned 1 [0255.982] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.982] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0255.982] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0255.982] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0255.982] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0255.983] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0255.983] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0255.983] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0255.983] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0255.984] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0255.984] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0255.986] CloseHandle (hObject=0x3e4) returned 1 [0255.987] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.987] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0255.987] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0255.987] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0255.987] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0255.987] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0255.987] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0255.988] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0255.988] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0255.989] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0255.989] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0255.990] CloseHandle (hObject=0x3e4) returned 1 [0255.990] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0255.991] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0255.991] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0255.991] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0255.991] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0255.991] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0255.991] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0255.991] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0255.992] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0255.992] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0255.992] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c37300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c37300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0255.994] CloseHandle (hObject=0x3e4) returned 1 [0255.994] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1823c56, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1823c56, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.000] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.000] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1823c56, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1823c56, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.000] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1823c56, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1823c56, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.000] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.000] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.000] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.001] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.001] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.010] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.010] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c38600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c38600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.014] CloseHandle (hObject=0x3e4) returned 1 [0256.014] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.015] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.015] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.015] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.015] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.015] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.015] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.015] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.017] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.017] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c39900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c39900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.019] CloseHandle (hObject=0x3e4) returned 1 [0256.019] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.019] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.019] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.019] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.019] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0256.020] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.020] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.020] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.020] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.020] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.021] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.021] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c3ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c3ac00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.023] CloseHandle (hObject=0x3e4) returned 1 [0256.023] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.023] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.023] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.034] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.034] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26e4617, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2d005a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2d005a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0256.034] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28fa698, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0256.034] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28fa698, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0256.034] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.034] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.039] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.039] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.041] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0256.041] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a90000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a90000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0256.042] CloseHandle (hObject=0x3e4) returned 1 [0256.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26e4617, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2d005a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2d005a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0256.043] SetEvent (hEvent=0xf4) returned 1 [0256.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28fa698, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0256.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28fa698, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.044] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.044] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.044] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.044] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.044] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.044] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.044] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.045] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.045] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.046] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.046] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a91300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a91300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.047] CloseHandle (hObject=0x3e4) returned 1 [0256.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.048] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0256.048] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0256.048] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0256.048] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0256.048] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0256.048] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.048] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0256.049] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0256.049] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0256.049] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.050] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0256.050] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a92600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a92600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0256.052] CloseHandle (hObject=0x3e4) returned 1 [0256.052] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.052] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0256.053] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.053] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0256.054] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.054] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b89440 | out: pbBuffer=0x12b89440) returned 1 [0256.054] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811050 | out: pbBuffer=0x12811050) returned 1 [0256.054] ReadFile (in: hFile=0x3e4, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12855d1c*=0x0, lpOverlapped=0x0) returned 1 [0256.054] CloseHandle (hObject=0x3e4) returned 1 [0256.054] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0256.055] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0256.055] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0256.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b89460 | out: pbBuffer=0x12b89460) returned 1 [0256.055] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811060 | out: pbBuffer=0x12811060) returned 1 [0256.056] ReadFile (in: hFile=0x3e4, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12855d1c*=0x2000, lpOverlapped=0x0) returned 1 [0256.120] GetFileType (hFile=0x3e4) returned 0x1 [0256.120] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0256.120] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b0a000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12b0a000*, lpNumberOfBytesWritten=0x12855d00*=0x2000, lpOverlapped=0x12855d0c) returned 1 [0256.120] GetFileType (hFile=0x3e4) returned 0x1 [0256.121] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0256.121] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834e01 | out: pbBuffer=0x12834e01) returned 1 [0256.121] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834f01 | out: pbBuffer=0x12834f01) returned 1 [0256.121] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835001 | out: pbBuffer=0x12835001) returned 1 [0256.122] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12811118 | out: pbBuffer=0x12811118) returned 1 [0256.122] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.122] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0256.122] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0256.122] CloseHandle (hObject=0x458) returned 1 [0256.123] CloseHandle (hObject=0x3e4) returned 1 [0256.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811140 | out: pbBuffer=0x12811140) returned 1 [0256.123] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[4279403D6011976B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[4279403d6011976b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0256.330] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0256.475] SetEvent (hEvent=0x420) returned 1 [0256.475] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0256.476] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128afd0c | out: lpMode=0x128afd0c) returned 0 [0256.476] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x128afad0 | out: lpFileInformation=0x128afad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6289529c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6289529c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0256.476] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928440 | out: pbBuffer=0x12928440) returned 1 [0256.476] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34400 | out: pbBuffer=0x12c34400) returned 1 [0256.477] ReadFile (in: hFile=0x458, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x128afd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x128afd1c*=0x4000, lpOverlapped=0x0) returned 1 [0256.505] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0256.518] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0258.231] SetEvent (hEvent=0x420) returned 1 [0258.231] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0258.486] SwitchToThread () returned 1 [0258.596] GetFileType (hFile=0x44c) returned 0x1 [0258.596] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0258.596] WriteFile (in: hFile=0x44c, lpBuffer=0x12ce4000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12ce4000*, lpNumberOfBytesWritten=0x1282bd00*=0x1000, lpOverlapped=0x1282bd0c) returned 1 [0258.596] GetFileType (hFile=0x44c) returned 0x1 [0258.596] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0258.596] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0258.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0258.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0258.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340b0 | out: pbBuffer=0x12c340b0) returned 1 [0258.597] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\MessagingBackgroundTaskLog.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\messagingbackgroundtasklog.etl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0258.598] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0258.598] WriteFile (in: hFile=0x460, lpBuffer=0x12ce8000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ce8000*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0258.598] CloseHandle (hObject=0x460) returned 1 [0258.598] CloseHandle (hObject=0x44c) returned 1 [0258.598] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340c8 | out: pbBuffer=0x12c340c8) returned 1 [0258.599] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\MessagingBackgroundTaskLog.etl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\messagingbackgroundtasklog.etl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\#_THIS_FILE_IS_ENCRYPTED_[E589244C77BC33ED]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\#_this_file_is_encrypted_[e589244c77bc33ed]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0258.601] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage-ecs.data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\offline-storage-ecs.data"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.601] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage-ecs.data\\*", lpFindFileData=0x1282ba44 | out: lpFindFileData=0x1282ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0258.602] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage.data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\offline-storage.data"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1af42386, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af42386, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0xc38b667c, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x300c18)) returned 1 [0258.602] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x25c6b39b, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0258.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.603] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x25c6b39b, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0258.603] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x25c6b39b, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0258.603] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x261a25ce, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="roottools.conf", cAlternateFileName="ROOTTO~1.CON")) returned 1 [0258.603] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0258.603] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0258.604] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0258.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0258.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0258.605] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0258.605] WriteFile (in: hFile=0x44c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0258.607] CloseHandle (hObject=0x44c) returned 1 [0258.607] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\roottools.conf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\roottools.conf"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x261a25ce, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x4b)) returned 1 [0258.607] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage.data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\offline-storage.data"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0258.608] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0258.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage.data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\offline-storage.data"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1af42386, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af42386, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0xc38b667c, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x300c18)) returned 1 [0258.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928220 | out: pbBuffer=0x12928220) returned 1 [0258.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34780 | out: pbBuffer=0x12c34780) returned 1 [0258.609] ReadFile (in: hFile=0x44c, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0258.636] GetFileType (hFile=0x44c) returned 0x1 [0258.636] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0258.636] WriteFile (in: hFile=0x44c, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0258.637] GetFileType (hFile=0x44c) returned 0x1 [0258.637] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0258.637] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac81 | out: pbBuffer=0x1286ac81) returned 1 [0258.637] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad81 | out: pbBuffer=0x1286ad81) returned 1 [0258.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae81 | out: pbBuffer=0x1286ae81) returned 1 [0258.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34838 | out: pbBuffer=0x12c34838) returned 1 [0258.638] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage.data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\offline-storage.data"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0258.638] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0258.638] WriteFile (in: hFile=0x458, lpBuffer=0x12ce8500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ce8500*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0258.675] CloseHandle (hObject=0x458) returned 1 [0258.675] CloseHandle (hObject=0x44c) returned 1 [0258.676] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34850 | out: pbBuffer=0x12c34850) returned 1 [0258.676] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage.data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\offline-storage.data"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\#_THIS_FILE_IS_ENCRYPTED_[B990758992A09719]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\#_this_file_is_encrypted_[b990758992a09719]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0258.677] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\update.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\update.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0258.677] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0258.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\update.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\update.log"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a6a07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x43a6a07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c4690c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x31)) returned 1 [0258.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928480 | out: pbBuffer=0x12928480) returned 1 [0258.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34898 | out: pbBuffer=0x12c34898) returned 1 [0258.678] ReadFile (in: hFile=0x44c, lpBuffer=0x12d4e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d4e000*, lpNumberOfBytesRead=0x12855d1c*=0x31, lpOverlapped=0x0) returned 1 [0258.679] GetFileType (hFile=0x44c) returned 0x1 [0258.679] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0258.680] WriteFile (in: hFile=0x44c, lpBuffer=0x1283c780*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x1283c780*, lpNumberOfBytesWritten=0x12855d00*=0x31, lpOverlapped=0x12855d0c) returned 1 [0258.680] GetFileType (hFile=0x44c) returned 0x1 [0258.680] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x31, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0258.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b181 | out: pbBuffer=0x1286b181) returned 1 [0258.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b281 | out: pbBuffer=0x1286b281) returned 1 [0258.680] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b381 | out: pbBuffer=0x1286b381) returned 1 [0258.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34950 | out: pbBuffer=0x12c34950) returned 1 [0258.681] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\update.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\update.log"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0258.681] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0258.681] WriteFile (in: hFile=0x458, lpBuffer=0x12ce8a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ce8a00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0258.681] CloseHandle (hObject=0x458) returned 1 [0258.681] CloseHandle (hObject=0x44c) returned 1 [0258.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34968 | out: pbBuffer=0x12c34968) returned 1 [0258.681] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\update.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\update.log"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\#_THIS_FILE_IS_ENCRYPTED_[CB88DC8DDE827123]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\#_this_file_is_encrypted_[cb88dc8dde827123]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0258.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf426a58a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x6aff3de4, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x6aff3de4, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0258.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0258.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0258.685] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0258.729] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1\\*", lpFindFileData=0x12855a44 | out: lpFindFileData=0x12855a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0258.729] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0259.360] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\spartan.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\spartan.edb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.360] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0259.379] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0259.379] SetEvent (hEvent=0xf4) returned 1 [0259.389] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\spartan.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\spartan.edb"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x48e101d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x200000)) returned 1 [0259.390] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e240 | out: pbBuffer=0x1280e240) returned 1 [0259.390] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0259.390] ReadFile (in: hFile=0x42c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x1282bd1c*=0x20000, lpOverlapped=0x0) returned 1 [0259.401] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0259.419] SetEvent (hEvent=0x40c) returned 1 [0259.419] GetFileType (hFile=0x42c) returned 0x1 [0259.419] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0259.419] WriteFile (in: hFile=0x42c, lpBuffer=0x12996000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12996000*, lpNumberOfBytesWritten=0x1282bd00*=0x20000, lpOverlapped=0x1282bd0c) returned 1 [0259.420] GetFileType (hFile=0x42c) returned 0x1 [0259.420] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0259.420] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0259.420] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0259.420] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0259.420] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341e8 | out: pbBuffer=0x12c341e8) returned 1 [0259.420] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\spartan.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\spartan.edb"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.421] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0259.421] WriteFile (in: hFile=0x458, lpBuffer=0x12913400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913400*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0259.456] CloseHandle (hObject=0x458) returned 1 [0259.462] CloseHandle (hObject=0x42c) returned 1 [0259.515] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848020 | out: pbBuffer=0x12848020) returned 1 [0259.515] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\spartan.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\spartan.edb"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\#_THIS_FILE_IS_ENCRYPTED_[C0267168CDECB6E4]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\#_this_file_is_encrypted_[c0267168cdecb6e4]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.601] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0259.619] SetEvent (hEvent=0x40c) returned 1 [0259.619] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.620] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0259.620] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x88a4ee47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0259.621] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88460 | out: pbBuffer=0x12b88460) returned 1 [0259.621] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a9f0 | out: pbBuffer=0x12a9a9f0) returned 1 [0259.621] ReadFile (in: hFile=0x458, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12855d1c*=0x10000, lpOverlapped=0x0) returned 1 [0259.638] GetFileType (hFile=0x458) returned 0x1 [0259.638] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.638] WriteFile (in: hFile=0x458, lpBuffer=0x12bca000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12bca000*, lpNumberOfBytesWritten=0x12855d00*=0x10000, lpOverlapped=0x12855d0c) returned 1 [0259.639] GetFileType (hFile=0x458) returned 0x1 [0259.639] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf01 | out: pbBuffer=0x12afcf01) returned 1 [0259.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd001 | out: pbBuffer=0x12afd001) returned 1 [0259.639] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd101 | out: pbBuffer=0x12afd101) returned 1 [0259.640] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9aaa8 | out: pbBuffer=0x12a9aaa8) returned 1 [0259.640] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0259.640] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0259.640] WriteFile (in: hFile=0x44c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0259.640] CloseHandle (hObject=0x44c) returned 1 [0259.640] CloseHandle (hObject=0x458) returned 1 [0259.641] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aac0 | out: pbBuffer=0x12a9aac0) returned 1 [0259.641] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[03D7BCF0E8DFD5AB]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[03d7bcf0e8dfd5ab]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.642] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.643] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0259.643] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x888d1750, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.643] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88660 | out: pbBuffer=0x12b88660) returned 1 [0259.643] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ab08 | out: pbBuffer=0x12a9ab08) returned 1 [0259.644] ReadFile (in: hFile=0x458, lpBuffer=0x129be000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x129be000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0259.644] CloseHandle (hObject=0x458) returned 1 [0259.644] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0259.661] SetEvent (hEvent=0x3f4) returned 1 [0259.661] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0259.663] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.664] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0259.664] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12a5fad0 | out: lpFileInformation=0x12a5fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x70956fc, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x70956fc, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0259.664] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929e20 | out: pbBuffer=0x12929e20) returned 1 [0259.664] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35610 | out: pbBuffer=0x12c35610) returned 1 [0259.664] ReadFile (in: hFile=0x458, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a5fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12a5fd1c*=0x2000, lpOverlapped=0x0) returned 1 [0259.669] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0259.673] GetFileType (hFile=0x458) returned 0x1 [0259.673] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0259.673] WriteFile (in: hFile=0x458, lpBuffer=0x12a3e000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12a5fd00, lpOverlapped=0x12a5fd0c | out: lpBuffer=0x12a3e000*, lpNumberOfBytesWritten=0x12a5fd00*=0x2000, lpOverlapped=0x12a5fd0c) returned 1 [0259.673] GetFileType (hFile=0x458) returned 0x1 [0259.673] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12a5fce4 | out: lpNewFilePointer=0x0) returned 1 [0259.673] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd281 | out: pbBuffer=0x12afd281) returned 1 [0259.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd381 | out: pbBuffer=0x12afd381) returned 1 [0259.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd481 | out: pbBuffer=0x12afd481) returned 1 [0259.674] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9abc0 | out: pbBuffer=0x12a9abc0) returned 1 [0259.674] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0259.674] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a5fd0c | out: lpMode=0x12a5fd0c) returned 0 [0259.675] WriteFile (in: hFile=0x44c, lpBuffer=0x12994000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a5fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12994000*, lpNumberOfBytesWritten=0x12a5fd0c*=0x276, lpOverlapped=0x0) returned 1 [0259.675] CloseHandle (hObject=0x44c) returned 1 [0259.675] CloseHandle (hObject=0x458) returned 1 [0259.675] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9abd8 | out: pbBuffer=0x12a9abd8) returned 1 [0259.675] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[1A6FB2F634076B08]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[1a6fb2f634076b08]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.707] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0259.711] SetEvent (hEvent=0x3f4) returned 1 [0259.711] SetEvent (hEvent=0x3f8) returned 1 [0259.712] GetFileType (hFile=0x42c) returned 0x1 [0259.712] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0259.712] WriteFile (in: hFile=0x42c, lpBuffer=0x12baa000*, nNumberOfBytesToWrite=0xf000, lpNumberOfBytesWritten=0x1282fd00, lpOverlapped=0x1282fd0c | out: lpBuffer=0x12baa000*, lpNumberOfBytesWritten=0x1282fd00*=0xf000, lpOverlapped=0x1282fd0c) returned 1 [0259.713] GetFileType (hFile=0x42c) returned 0x1 [0259.713] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xf000, lpNewFilePointer=0x0, dwMoveMethod=0x1282fce4 | out: lpNewFilePointer=0x0) returned 1 [0259.713] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0259.714] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0259.714] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0259.714] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a0f0 | out: pbBuffer=0x12a9a0f0) returned 1 [0259.714] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.714] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282fd0c | out: lpMode=0x1282fd0c) returned 0 [0259.714] WriteFile (in: hFile=0x458, lpBuffer=0x12994500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12994500*, lpNumberOfBytesWritten=0x1282fd0c*=0x276, lpOverlapped=0x0) returned 1 [0259.715] CloseHandle (hObject=0x458) returned 1 [0259.716] CloseHandle (hObject=0x42c) returned 1 [0259.716] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a108 | out: pbBuffer=0x12a9a108) returned 1 [0259.716] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[091257520E1F45B0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\#_this_file_is_encrypted_[091257520e1f45b0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.718] GetFileType (hFile=0x3e4) returned 0x1 [0259.718] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.718] WriteFile (in: hFile=0x3e4, lpBuffer=0x1288c000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x1288c000*, lpNumberOfBytesWritten=0x12851d00*=0x2000, lpOverlapped=0x12851d0c) returned 1 [0259.719] GetFileType (hFile=0x3e4) returned 0x1 [0259.719] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc381 | out: pbBuffer=0x12afc381) returned 1 [0259.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0259.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0259.719] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a208 | out: pbBuffer=0x12a9a208) returned 1 [0259.719] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0259.720] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0259.720] WriteFile (in: hFile=0x42c, lpBuffer=0x12994a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12994a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0259.720] CloseHandle (hObject=0x42c) returned 1 [0259.720] CloseHandle (hObject=0x3e4) returned 1 [0259.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a230 | out: pbBuffer=0x12a9a230) returned 1 [0259.721] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[B7908DF3EB07B1E8]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[b7908df3eb07b1e8]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0259.722] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.722] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.723] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.723] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.723] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.724] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.724] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.724] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.724] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.725] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.725] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.728] CloseHandle (hObject=0x3e4) returned 1 [0259.728] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.728] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.729] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.729] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.729] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.729] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.729] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.729] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.730] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.730] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.730] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.732] CloseHandle (hObject=0x3e4) returned 1 [0259.732] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.738] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.738] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0259.747] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.747] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0259.747] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0259.748] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0259.748] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0259.748] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0259.748] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0259.748] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0259.748] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0259.748] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0259.748] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.748] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0259.749] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.750] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.752] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0259.752] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0259.753] CloseHandle (hObject=0x3e4) returned 1 [0259.753] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.756] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.757] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.762] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.762] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0259.762] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0259.762] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0259.762] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0259.762] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.763] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.764] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.765] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.765] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.768] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.768] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.769] CloseHandle (hObject=0x3e4) returned 1 [0259.769] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.771] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.771] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.772] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.772] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.772] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.772] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.772] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.772] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.773] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.773] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.774] CloseHandle (hObject=0x3e4) returned 1 [0259.775] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.775] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.775] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.775] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.775] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.776] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.776] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.776] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.777] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.777] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.778] CloseHandle (hObject=0x3e4) returned 1 [0259.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.779] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.779] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0259.779] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.779] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.779] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0259.779] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.779] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.779] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.780] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.780] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.781] CloseHandle (hObject=0x3e4) returned 1 [0259.782] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.782] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.782] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0259.782] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.782] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.782] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0259.782] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.782] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.783] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.783] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.783] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c2e000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c2e000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.785] CloseHandle (hObject=0x3e4) returned 1 [0259.785] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.785] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.785] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0259.785] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.785] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.785] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0259.786] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.787] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.787] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c2f300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c2f300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.788] CloseHandle (hObject=0x3e4) returned 1 [0259.788] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.795] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.796] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0259.796] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.796] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.796] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0259.796] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.796] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.800] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.800] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c30600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c30600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.801] CloseHandle (hObject=0x3e4) returned 1 [0259.801] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.802] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.802] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.802] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.802] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.802] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.802] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.802] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.802] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.803] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.803] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c31900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c31900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.805] CloseHandle (hObject=0x3e4) returned 1 [0259.805] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.805] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.805] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0259.806] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.806] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68a38fd5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0259.806] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.806] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0259.806] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.811] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.812] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c32c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c32c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.819] CloseHandle (hObject=0x3e4) returned 1 [0259.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68a38fd5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68a38fd5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.819] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.820] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68a38fd5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0259.825] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68a38fd5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.825] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68f23fcc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68f23fcc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0259.825] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x689a03cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x689a03cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x689a03cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0259.825] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x689a03cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x689a03cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x689a03cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0259.825] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.825] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0259.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.829] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0259.829] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ae8000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12ae8000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0259.830] CloseHandle (hObject=0x3e4) returned 1 [0259.830] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68f23fcc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68f23fcc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0259.834] SetEvent (hEvent=0x3f8) returned 1 [0259.834] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x689a03cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x689a03cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x689a03cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0259.834] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x689a03cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x689a03cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x689a03cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.836] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.836] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.836] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0259.836] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.836] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.837] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0259.837] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.837] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.838] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.838] WriteFile (in: hFile=0x3e4, lpBuffer=0x12ae9300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12ae9300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.840] CloseHandle (hObject=0x3e4) returned 1 [0259.840] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.840] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0259.841] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0259.841] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0259.841] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0259.841] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0259.841] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0259.841] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0259.841] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0259.842] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0259.842] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.843] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0259.843] WriteFile (in: hFile=0x3e4, lpBuffer=0x12aea600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12aea600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0259.845] CloseHandle (hObject=0x3e4) returned 1 [0259.845] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.845] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0259.846] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.847] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0259.847] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0259.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b897e0 | out: pbBuffer=0x12b897e0) returned 1 [0259.847] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b390 | out: pbBuffer=0x12a9b390) returned 1 [0259.847] ReadFile (in: hFile=0x3e4, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12851d1c*=0x0, lpOverlapped=0x0) returned 1 [0259.847] CloseHandle (hObject=0x3e4) returned 1 [0259.847] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0259.848] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0259.848] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0259.848] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b89800 | out: pbBuffer=0x12b89800) returned 1 [0259.848] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b3a0 | out: pbBuffer=0x12a9b3a0) returned 1 [0259.848] ReadFile (in: hFile=0x3e4, lpBuffer=0x12a1e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12a1e000*, lpNumberOfBytesRead=0x12851d1c*=0x2000, lpOverlapped=0x0) returned 1 [0259.859] GetFileType (hFile=0x3e4) returned 0x1 [0259.859] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.860] WriteFile (in: hFile=0x3e4, lpBuffer=0x12b0a000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12b0a000*, lpNumberOfBytesWritten=0x12851d00*=0x2000, lpOverlapped=0x12851d0c) returned 1 [0259.860] GetFileType (hFile=0x3e4) returned 0x1 [0259.860] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0259.860] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afde81 | out: pbBuffer=0x12afde81) returned 1 [0259.860] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afdf81 | out: pbBuffer=0x12afdf81) returned 1 [0259.861] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800501 | out: pbBuffer=0x12800501) returned 1 [0259.861] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b458 | out: pbBuffer=0x12a9b458) returned 1 [0259.861] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0259.861] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0259.861] WriteFile (in: hFile=0x458, lpBuffer=0x12994f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12994f00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0259.862] CloseHandle (hObject=0x458) returned 1 [0259.862] CloseHandle (hObject=0x3e4) returned 1 [0259.862] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b470 | out: pbBuffer=0x12a9b470) returned 1 [0259.862] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[A50CEF01918B43FF]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[a50cef01918b43ff]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0260.271] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.272] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.282] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.282] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.282] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.300] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.300] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.300] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.302] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.303] WriteFile (in: hFile=0x42c, lpBuffer=0x12aeb900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12aeb900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.304] CloseHandle (hObject=0x42c) returned 1 [0260.304] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.304] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.307] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.307] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.307] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.307] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.308] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.309] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.309] WriteFile (in: hFile=0x42c, lpBuffer=0x12aecc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12aecc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.311] CloseHandle (hObject=0x42c) returned 1 [0260.311] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.315] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.315] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0260.318] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.318] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0260.318] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0260.318] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0260.318] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0260.318] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0260.318] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0260.318] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0260.318] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0260.319] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.319] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0260.328] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.329] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.330] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.331] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0260.331] WriteFile (in: hFile=0x42c, lpBuffer=0x12922000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12922000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0260.332] CloseHandle (hObject=0x42c) returned 1 [0260.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.337] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.337] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0260.340] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.340] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0260.340] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0260.340] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0260.340] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0260.340] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.340] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0260.343] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.344] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.345] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.345] WriteFile (in: hFile=0x42c, lpBuffer=0x12923300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12923300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.346] CloseHandle (hObject=0x42c) returned 1 [0260.346] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.349] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.349] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666980 [0260.350] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.350] FindNextFileW (in: hFindFile=0x33666980, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.350] FindClose (in: hFindFile=0x33666980 | out: hFindFile=0x33666980) returned 1 [0260.350] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.350] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.351] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.352] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.352] WriteFile (in: hFile=0x42c, lpBuffer=0x12924600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12924600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.354] CloseHandle (hObject=0x42c) returned 1 [0260.354] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.362] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.362] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0260.363] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.363] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.363] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0260.363] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.363] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.363] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.365] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.366] WriteFile (in: hFile=0x42c, lpBuffer=0x12925900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12925900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.368] CloseHandle (hObject=0x42c) returned 1 [0260.369] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.369] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.369] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0260.369] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.370] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.370] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0260.370] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.370] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.370] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.371] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.371] WriteFile (in: hFile=0x42c, lpBuffer=0x12926c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12926c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.374] CloseHandle (hObject=0x42c) returned 1 [0260.374] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.375] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.375] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0260.375] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.375] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.375] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0260.375] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.376] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.376] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.377] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.377] WriteFile (in: hFile=0x42c, lpBuffer=0x12c1c000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12c1c000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.379] CloseHandle (hObject=0x42c) returned 1 [0260.379] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.381] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.381] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.381] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.382] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.382] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.382] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.382] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.382] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.384] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.384] WriteFile (in: hFile=0x42c, lpBuffer=0x12c1d300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c1d300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.386] CloseHandle (hObject=0x42c) returned 1 [0260.387] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.387] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.387] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0260.388] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.388] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.388] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0260.388] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.388] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.388] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.390] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.390] WriteFile (in: hFile=0x42c, lpBuffer=0x12c1e600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c1e600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.398] CloseHandle (hObject=0x42c) returned 1 [0260.398] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.398] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.398] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0260.398] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.399] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.399] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0260.399] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.399] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.399] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.401] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.401] WriteFile (in: hFile=0x42c, lpBuffer=0x12c1f900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c1f900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.403] CloseHandle (hObject=0x42c) returned 1 [0260.403] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.403] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.403] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.404] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.404] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.404] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.404] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.404] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.404] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.405] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.405] WriteFile (in: hFile=0x42c, lpBuffer=0x12c20c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c20c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.407] CloseHandle (hObject=0x42c) returned 1 [0260.407] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.407] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.407] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.414] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.414] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0260.414] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8046aa7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0260.414] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf7f87f1c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0260.414] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf7f87f1c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0260.414] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.415] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.416] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.417] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.417] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.419] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.419] WriteFile (in: hFile=0x42c, lpBuffer=0x12bc8000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bc8000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.420] CloseHandle (hObject=0x42c) returned 1 [0260.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.421] SetEvent (hEvent=0x3f8) returned 1 [0260.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8046aa7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf7f87f1c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.428] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0260.461] SetEvent (hEvent=0x420) returned 1 [0260.461] SetEvent (hEvent=0x3f8) returned 1 [0260.461] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf7f87f1c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.462] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.462] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.462] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0260.462] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.462] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.462] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0260.463] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.463] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.463] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.464] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.464] WriteFile (in: hFile=0x42c, lpBuffer=0x12bc9300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bc9300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.466] CloseHandle (hObject=0x42c) returned 1 [0260.466] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.467] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666640 [0260.467] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.467] FindNextFileW (in: hFindFile=0x33666640, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.467] FindClose (in: hFindFile=0x33666640 | out: hFindFile=0x33666640) returned 1 [0260.467] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.469] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.469] WriteFile (in: hFile=0x42c, lpBuffer=0x12bca600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bca600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.470] CloseHandle (hObject=0x42c) returned 1 [0260.471] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.477] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.477] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.481] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0260.498] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.498] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0260.498] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0260.498] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0260.498] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0260.498] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0260.498] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0260.498] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0260.499] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0260.499] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.499] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.500] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.501] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.501] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0260.502] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0260.502] WriteFile (in: hFile=0x42c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0260.504] CloseHandle (hObject=0x42c) returned 1 [0260.504] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.516] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.516] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0260.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0260.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0260.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0260.519] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.519] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.520] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.522] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.522] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.525] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.525] WriteFile (in: hFile=0x458, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.527] CloseHandle (hObject=0x458) returned 1 [0260.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.570] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.570] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.571] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.571] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.571] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.571] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.571] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.571] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.574] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.574] WriteFile (in: hFile=0x458, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.576] CloseHandle (hObject=0x458) returned 1 [0260.576] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.576] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.577] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0260.577] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.577] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.577] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0260.577] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.577] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.577] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.579] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.579] WriteFile (in: hFile=0x458, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.580] CloseHandle (hObject=0x458) returned 1 [0260.580] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.581] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.581] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666940 [0260.581] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.581] FindNextFileW (in: hFindFile=0x33666940, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.581] FindClose (in: hFindFile=0x33666940 | out: hFindFile=0x33666940) returned 1 [0260.581] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.582] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.582] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.583] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.583] WriteFile (in: hFile=0x458, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.585] CloseHandle (hObject=0x458) returned 1 [0260.585] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.590] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.590] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0260.591] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.591] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.591] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0260.591] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.591] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.591] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.593] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.593] WriteFile (in: hFile=0x458, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.594] CloseHandle (hObject=0x458) returned 1 [0260.595] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.595] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.595] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.595] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.595] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.595] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.596] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.596] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.597] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.597] WriteFile (in: hFile=0x458, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.599] CloseHandle (hObject=0x458) returned 1 [0260.599] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.599] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.599] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0260.599] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.600] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.600] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0260.600] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.600] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.600] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.601] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.602] WriteFile (in: hFile=0x458, lpBuffer=0x12bc8000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bc8000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.603] CloseHandle (hObject=0x458) returned 1 [0260.603] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.604] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.604] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0260.604] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.604] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.605] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0260.605] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.605] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.605] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.606] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.606] WriteFile (in: hFile=0x458, lpBuffer=0x12bcb900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bcb900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.608] CloseHandle (hObject=0x458) returned 1 [0260.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.611] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.611] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0260.611] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.611] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.611] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0260.611] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.613] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.613] WriteFile (in: hFile=0x458, lpBuffer=0x12bccc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bccc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.615] CloseHandle (hObject=0x458) returned 1 [0260.615] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.616] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.616] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0260.620] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.620] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0260.620] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ebddfa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0260.620] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0260.620] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0260.620] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.620] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0260.621] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.623] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.623] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.625] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.626] WriteFile (in: hFile=0x458, lpBuffer=0x12976000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.628] CloseHandle (hObject=0x458) returned 1 [0260.628] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.628] SetEvent (hEvent=0x40c) returned 1 [0260.628] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ebddfa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.628] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.629] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.629] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.630] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.630] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0260.630] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.630] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.630] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0260.630] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.630] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.631] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.633] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.633] WriteFile (in: hFile=0x458, lpBuffer=0x12977300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12977300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.635] CloseHandle (hObject=0x458) returned 1 [0260.635] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.635] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.636] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.636] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.636] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.636] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.637] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.637] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.637] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.638] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.638] WriteFile (in: hFile=0x458, lpBuffer=0x12978600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12978600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.640] CloseHandle (hObject=0x458) returned 1 [0260.641] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.641] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.641] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77a22ff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77a22ff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7624aaf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7624aaf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0260.664] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.664] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0260.666] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.668] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.668] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.669] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0260.669] WriteFile (in: hFile=0x458, lpBuffer=0x12979900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12979900*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0260.671] CloseHandle (hObject=0x458) returned 1 [0260.671] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77a22ff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77a22ff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.779] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.779] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77a22ff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77a22ff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.818] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77a22ff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77a22ff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.818] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0260.818] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0260.818] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0260.818] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0260.819] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.819] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.821] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.821] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.823] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.823] WriteFile (in: hFile=0x458, lpBuffer=0x12920000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12920000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.825] CloseHandle (hObject=0x458) returned 1 [0260.825] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.829] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.829] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0260.830] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.830] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.830] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0260.830] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.830] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.830] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.833] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.833] WriteFile (in: hFile=0x458, lpBuffer=0x12921300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12921300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.835] CloseHandle (hObject=0x458) returned 1 [0260.835] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.835] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.835] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0260.836] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.836] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.836] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0260.836] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.836] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.836] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.838] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.838] WriteFile (in: hFile=0x458, lpBuffer=0x12922600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12922600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.839] CloseHandle (hObject=0x458) returned 1 [0260.840] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.840] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.840] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0260.841] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.841] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.841] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0260.841] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.841] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.841] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.842] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.843] WriteFile (in: hFile=0x458, lpBuffer=0x12923900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12923900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.845] CloseHandle (hObject=0x458) returned 1 [0260.845] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.845] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.845] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.846] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.846] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.846] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.846] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.847] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.847] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.848] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0260.848] WriteFile (in: hFile=0x458, lpBuffer=0x12924c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12924c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0260.850] CloseHandle (hObject=0x458) returned 1 [0260.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.851] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.851] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0260.851] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.852] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.852] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0260.852] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.852] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.852] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.853] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.853] WriteFile (in: hFile=0x458, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.855] CloseHandle (hObject=0x458) returned 1 [0260.855] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.855] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.855] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.856] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.856] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.856] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.856] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.856] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.857] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.883] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.883] WriteFile (in: hFile=0x458, lpBuffer=0x12a45300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a45300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.885] CloseHandle (hObject=0x458) returned 1 [0260.885] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.886] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.886] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0260.886] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.886] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.886] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0260.887] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.887] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.887] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.889] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.889] WriteFile (in: hFile=0x458, lpBuffer=0x12a46600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a46600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.891] CloseHandle (hObject=0x458) returned 1 [0260.891] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.891] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.892] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0260.892] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.892] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.892] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0260.892] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.892] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.892] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.894] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.894] WriteFile (in: hFile=0x458, lpBuffer=0x12a47900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a47900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.896] CloseHandle (hObject=0x458) returned 1 [0260.896] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.897] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.897] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666900 [0260.911] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.911] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0260.911] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7a50d3c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0260.913] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf79b8381, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0260.913] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf79b8381, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0260.913] FindNextFileW (in: hFindFile=0x33666900, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.913] FindClose (in: hFindFile=0x33666900 | out: hFindFile=0x33666900) returned 1 [0260.914] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.916] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.916] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.917] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.917] WriteFile (in: hFile=0x458, lpBuffer=0x12a48c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a48c00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.919] CloseHandle (hObject=0x458) returned 1 [0260.919] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.919] SetEvent (hEvent=0x3f8) returned 1 [0260.920] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7a50d3c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.923] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf79b8381, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0260.923] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf79b8381, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.924] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7624aaf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7624aaf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.924] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.924] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7624aaf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7624aaf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7624aaf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7624aaf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.925] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.925] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.925] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.927] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.927] WriteFile (in: hFile=0x458, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.929] CloseHandle (hObject=0x458) returned 1 [0260.929] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.929] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.929] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.930] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.930] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.930] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.930] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.930] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.930] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0260.931] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0260.931] WriteFile (in: hFile=0x458, lpBuffer=0x12859300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12859300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0260.934] CloseHandle (hObject=0x458) returned 1 [0260.934] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.962] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.962] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0260.969] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0260.982] SetEvent (hEvent=0x40c) returned 1 [0260.982] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0260.982] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0260.985] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0260.985] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0260.985] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0260.985] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0260.986] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0260.986] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0260.986] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0260.986] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0260.986] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0260.986] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0260.987] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0260.988] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0260.989] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0260.990] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0260.990] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0260.992] CloseHandle (hObject=0x3e4) returned 1 [0260.992] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0260.994] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0260.994] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.002] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.002] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0261.002] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0261.002] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0261.002] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0261.002] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.002] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.004] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.009] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.009] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.013] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.013] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.015] CloseHandle (hObject=0x3e4) returned 1 [0261.015] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.019] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.019] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.020] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.020] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.020] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.020] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.020] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.020] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.021] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.021] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.023] CloseHandle (hObject=0x3e4) returned 1 [0261.023] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.023] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.023] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.023] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.023] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.024] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.024] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.024] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.025] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.025] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.026] CloseHandle (hObject=0x3e4) returned 1 [0261.027] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.027] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.027] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.027] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.027] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.027] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.027] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.028] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.028] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.028] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.028] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.030] CloseHandle (hObject=0x3e4) returned 1 [0261.030] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.030] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.030] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.031] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.031] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.031] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.031] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.031] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.033] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.034] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.035] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.036] CloseHandle (hObject=0x3e4) returned 1 [0261.036] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.044] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.044] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.044] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.044] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.045] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.045] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.045] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.045] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.046] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.046] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.047] CloseHandle (hObject=0x3e4) returned 1 [0261.047] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.048] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.048] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0261.048] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.048] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.048] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0261.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.048] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.048] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.049] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.049] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c36000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c36000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.051] CloseHandle (hObject=0x3e4) returned 1 [0261.051] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.051] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.051] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.051] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.051] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.052] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.052] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.052] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.052] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.054] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.054] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c37300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c37300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.055] CloseHandle (hObject=0x3e4) returned 1 [0261.060] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.060] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.060] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.060] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.061] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.061] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.062] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.062] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c38600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c38600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.063] CloseHandle (hObject=0x3e4) returned 1 [0261.063] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.064] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.064] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0261.067] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.067] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0261.067] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b508d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0261.067] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5ade105, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0261.067] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5ade105, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0261.067] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.067] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0261.068] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.070] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.070] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.071] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.071] WriteFile (in: hFile=0x3e4, lpBuffer=0x12c39900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c39900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.073] CloseHandle (hObject=0x3e4) returned 1 [0261.073] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.073] SetEvent (hEvent=0x420) returned 1 [0261.073] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b508d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0261.073] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5ade105, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0261.081] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5ade105, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.082] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\systemappdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.082] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\systemappdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.082] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.082] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.083] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.083] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.083] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.083] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.083] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\systemappdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.084] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.084] WriteFile (in: hFile=0x42c, lpBuffer=0x12c3ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12c3ac00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.085] CloseHandle (hObject=0x42c) returned 1 [0261.085] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\tempstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.086] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\tempstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.086] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0261.086] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.086] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.095] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0261.095] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.095] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.095] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\tempstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.096] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.096] WriteFile (in: hFile=0x42c, lpBuffer=0x128ac000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128ac000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.097] CloseHandle (hObject=0x42c) returned 1 [0261.097] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.106] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.106] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64a7f460, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64a7f460, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64acb91c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0261.110] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.110] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0261.112] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.114] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.114] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.115] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0261.115] WriteFile (in: hFile=0x42c, lpBuffer=0x128ad300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x128ad300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0261.117] CloseHandle (hObject=0x42c) returned 1 [0261.117] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.120] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.120] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0261.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0261.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0261.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0261.127] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.127] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.128] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.131] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.131] WriteFile (in: hFile=0x42c, lpBuffer=0x128ae600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x128ae600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.133] CloseHandle (hObject=0x42c) returned 1 [0261.133] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.134] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.134] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.134] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.134] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.135] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.135] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.136] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.136] WriteFile (in: hFile=0x42c, lpBuffer=0x128af900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x128af900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.137] CloseHandle (hObject=0x42c) returned 1 [0261.137] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.137] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.138] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0261.138] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.138] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.138] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0261.138] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.139] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.139] WriteFile (in: hFile=0x42c, lpBuffer=0x128b0c00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x128b0c00*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.141] CloseHandle (hObject=0x42c) returned 1 [0261.141] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.141] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.141] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.141] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.141] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.141] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.145] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.147] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.147] WriteFile (in: hFile=0x42c, lpBuffer=0x12bca000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.148] CloseHandle (hObject=0x42c) returned 1 [0261.149] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.153] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.153] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.153] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.154] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.154] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.154] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.154] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.156] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.156] WriteFile (in: hFile=0x42c, lpBuffer=0x12bcb300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12bcb300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.158] CloseHandle (hObject=0x42c) returned 1 [0261.158] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.158] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.158] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.158] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.159] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.159] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.159] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.159] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.159] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.160] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.160] WriteFile (in: hFile=0x42c, lpBuffer=0x12bcc600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bcc600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.161] CloseHandle (hObject=0x42c) returned 1 [0261.162] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.162] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.162] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0261.162] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.162] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.162] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0261.162] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.162] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.162] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.164] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.167] WriteFile (in: hFile=0x42c, lpBuffer=0x12bcd900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bcd900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.169] CloseHandle (hObject=0x42c) returned 1 [0261.169] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64a7f460, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64a7f460, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.170] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.170] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64a7f460, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64a7f460, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0261.170] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64a7f460, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64a7f460, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.170] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.170] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0261.170] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.170] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.171] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.172] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.172] WriteFile (in: hFile=0x42c, lpBuffer=0x12bcec00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12bcec00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.174] CloseHandle (hObject=0x42c) returned 1 [0261.174] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.174] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.174] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0261.175] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.175] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65513f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0261.175] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.175] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0261.175] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.176] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.177] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.177] WriteFile (in: hFile=0x42c, lpBuffer=0x12858000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12858000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.179] CloseHandle (hObject=0x42c) returned 1 [0261.179] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65513f2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65513f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.181] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.182] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65513f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65513f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x658cda37, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x658cda37, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0261.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x654edd0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x654edd0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0261.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x654edd0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x654edd0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0261.184] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.184] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.185] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.187] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.187] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.200] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.200] WriteFile (in: hFile=0x42c, lpBuffer=0x12859300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12859300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.203] CloseHandle (hObject=0x42c) returned 1 [0261.203] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x658cda37, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x658cda37, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000)) returned 1 [0261.203] SetEvent (hEvent=0x40c) returned 1 [0261.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x654edd0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x654edd0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x654edd0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x654edd0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.205] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.205] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0261.205] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.206] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.206] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0261.206] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.206] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.206] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.207] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.207] WriteFile (in: hFile=0x42c, lpBuffer=0x1285a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285a600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.209] CloseHandle (hObject=0x42c) returned 1 [0261.209] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.209] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.210] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336666c0 [0261.222] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.223] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0261.223] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0261.223] FindNextFileW (in: hFindFile=0x336666c0, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.223] FindClose (in: hFindFile=0x336666c0 | out: hFindFile=0x336666c0) returned 1 [0261.223] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.223] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.224] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.225] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.225] WriteFile (in: hFile=0x42c, lpBuffer=0x1285b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1285b900*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.227] CloseHandle (hObject=0x42c) returned 1 [0261.227] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.227] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0261.227] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.228] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0261.228] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.229] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b889c0 | out: pbBuffer=0x12b889c0) returned 1 [0261.229] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128101f0 | out: pbBuffer=0x128101f0) returned 1 [0261.229] ReadFile (in: hFile=0x42c, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0261.229] CloseHandle (hObject=0x42c) returned 1 [0261.229] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0261.230] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0261.230] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0261.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b889e0 | out: pbBuffer=0x12b889e0) returned 1 [0261.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810200 | out: pbBuffer=0x12810200) returned 1 [0261.230] ReadFile (in: hFile=0x42c, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0261.596] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0261.627] SetEvent (hEvent=0x40c) returned 1 [0261.627] GetFileType (hFile=0x42c) returned 0x1 [0261.627] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0261.627] WriteFile (in: hFile=0x42c, lpBuffer=0x12c12000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c12000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0261.628] GetFileType (hFile=0x42c) returned 0x1 [0261.628] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0261.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0261.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0261.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0261.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128102c8 | out: pbBuffer=0x128102c8) returned 1 [0261.629] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.629] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0261.629] WriteFile (in: hFile=0x458, lpBuffer=0x12da6000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12da6000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0261.630] CloseHandle (hObject=0x458) returned 1 [0261.630] CloseHandle (hObject=0x42c) returned 1 [0261.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128102e0 | out: pbBuffer=0x128102e0) returned 1 [0261.630] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[27ADFA478760841C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[27adfa478760841c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0261.642] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.642] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AC", cAlternateFileName="")) returned 1 [0261.642] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0261.642] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6182197f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6182197f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0261.643] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0261.643] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0261.643] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0261.643] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x619065e1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings", cAlternateFileName="")) returned 1 [0261.643] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61847b4b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0261.643] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0261.643] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.643] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0261.647] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.650] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0261.650] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0261.652] CloseHandle (hObject=0x3e4) returned 1 [0261.652] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.743] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.743] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0261.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0261.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0261.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a5dc2a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0261.748] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.748] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.750] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.753] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.753] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.754] CloseHandle (hObject=0x3e4) returned 1 [0261.754] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcache"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.755] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.755] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0261.755] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.755] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.755] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0261.756] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.756] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.756] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.759] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.759] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a55900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a55900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.761] CloseHandle (hObject=0x3e4) returned 1 [0261.761] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcookies"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.761] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcookies"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.762] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336667c0 [0261.762] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.762] FindNextFileW (in: hFindFile=0x336667c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.762] FindClose (in: hFindFile=0x336667c0 | out: hFindFile=0x336667c0) returned 1 [0261.762] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.762] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.762] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcookies\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.764] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.764] WriteFile (in: hFile=0x3e4, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.765] CloseHandle (hObject=0x3e4) returned 1 [0261.765] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inethistory"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inethistory"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.766] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666880 [0261.766] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.766] FindNextFileW (in: hFindFile=0x33666880, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.766] FindClose (in: hFindFile=0x33666880 | out: hFindFile=0x33666880) returned 1 [0261.766] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.767] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.767] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inethistory\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.768] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.768] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.770] CloseHandle (hObject=0x3e4) returned 1 [0261.770] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\temp"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a5dc2a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.770] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\temp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.771] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a5dc2a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x336669c0 [0261.771] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a5dc2a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.771] FindNextFileW (in: hFindFile=0x336669c0, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.771] FindClose (in: hFindFile=0x336669c0 | out: hFindFile=0x336669c0) returned 1 [0261.771] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.771] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.771] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\temp\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.774] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.774] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.775] CloseHandle (hObject=0x3e4) returned 1 [0261.775] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\appdata"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.776] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\appdata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.776] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0261.776] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.776] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.776] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0261.776] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.776] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.777] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\appdata\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.778] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.778] WriteFile (in: hFile=0x3e4, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.779] CloseHandle (hObject=0x3e4) returned 1 [0261.779] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localcache"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6182197f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6182197f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.780] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localcache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.780] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6182197f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6182197f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.782] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6182197f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6182197f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.782] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.782] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.782] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.782] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.782] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localcache\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.784] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.784] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a66000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a66000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.785] CloseHandle (hObject=0x3e4) returned 1 [0261.785] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.786] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.786] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.786] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.786] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.786] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.786] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.787] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.788] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.788] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a67300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a67300*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.790] CloseHandle (hObject=0x3e4) returned 1 [0261.790] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.792] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.792] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666600 [0261.793] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.793] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0261.793] FindNextFileW (in: hFindFile=0x33666600, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.793] FindClose (in: hFindFile=0x33666600 | out: hFindFile=0x33666600) returned 1 [0261.793] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.793] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.793] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.803] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.803] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a68600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a68600*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.805] CloseHandle (hObject=0x3e4) returned 1 [0261.805] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.806] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x128578a0 | out: lpFindFileData=0x128578a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666a80 [0261.809] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.809] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61efc6ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x622b61f5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x622b61f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0261.809] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6209ff34, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0261.809] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6209ff34, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0261.809] FindNextFileW (in: hFindFile=0x33666a80, lpFindFileData=0x128578e4 | out: lpFindFileData=0x128578e4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.809] FindClose (in: hFindFile=0x33666a80 | out: hFindFile=0x33666a80) returned 1 [0261.810] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857568 | out: lpFileInformation=0x12857568*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.812] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.812] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.813] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12857778 | out: lpMode=0x12857778) returned 0 [0261.813] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a69900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857778, lpOverlapped=0x0 | out: lpBuffer=0x12a69900*, lpNumberOfBytesWritten=0x12857778*=0x118a, lpOverlapped=0x0) returned 1 [0261.815] CloseHandle (hObject=0x3e4) returned 1 [0261.815] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61efc6ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x622b61f5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x622b61f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000)) returned 1 [0261.819] SetEvent (hEvent=0x3f8) returned 1 [0261.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6209ff34, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857964 | out: lpFileInformation=0x12857964*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6209ff34, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\roamingstate"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.821] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\roamingstate"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.821] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666800 [0261.821] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.821] FindNextFileW (in: hFindFile=0x33666800, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.821] FindClose (in: hFindFile=0x33666800 | out: hFindFile=0x33666800) returned 1 [0261.821] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.822] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.822] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\roamingstate\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.823] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.823] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a6ac00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12a6ac00*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.825] CloseHandle (hObject=0x3e4) returned 1 [0261.825] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x619065e1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x619065e1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.825] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0261.825] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x619065e1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x33666740 [0261.825] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x619065e1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0261.826] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0261.826] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0261.826] FindNextFileW (in: hFindFile=0x33666740, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0261.826] FindClose (in: hFindFile=0x33666740 | out: hFindFile=0x33666740) returned 1 [0261.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0261.826] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0261.826] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.827] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0261.827] WriteFile (in: hFile=0x3e4, lpBuffer=0x12dac000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12dac000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0261.829] CloseHandle (hObject=0x3e4) returned 1 [0261.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0261.830] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.830] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0261.831] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0261.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929240 | out: pbBuffer=0x12929240) returned 1 [0261.831] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34f10 | out: pbBuffer=0x12c34f10) returned 1 [0261.831] ReadFile (in: hFile=0x3e4, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0261.831] CloseHandle (hObject=0x3e4) returned 1 [0261.831] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0261.832] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0261.832] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0261.832] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929260 | out: pbBuffer=0x12929260) returned 1 [0261.832] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34f20 | out: pbBuffer=0x12c34f20) returned 1 [0261.833] ReadFile (in: hFile=0x3e4, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12829d1c*=0x2000, lpOverlapped=0x0) returned 1 [0261.842] GetFileType (hFile=0x3e4) returned 0x1 [0261.842] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0261.842] WriteFile (in: hFile=0x3e4, lpBuffer=0x12a8c000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12a8c000*, lpNumberOfBytesWritten=0x12829d00*=0x2000, lpOverlapped=0x12829d0c) returned 1 [0261.842] GetFileType (hFile=0x3e4) returned 0x1 [0261.842] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0261.842] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0261.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0261.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0261.843] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34fd8 | out: pbBuffer=0x12c34fd8) returned 1 [0261.843] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0261.843] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0261.843] WriteFile (in: hFile=0x458, lpBuffer=0x12da6500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12da6500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0261.844] CloseHandle (hObject=0x458) returned 1 [0261.844] CloseHandle (hObject=0x3e4) returned 1 [0261.844] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34ff0 | out: pbBuffer=0x12c34ff0) returned 1 [0261.844] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[0B8C68D4156E5FCD]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[0b8c68d4156e5fcd]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0261.914] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0262.030] SetEvent (hEvent=0x420) returned 1 [0262.030] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0262.031] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0262.031] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e315496, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e315496, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e315496, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0262.031] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929460 | out: pbBuffer=0x12929460) returned 1 [0262.031] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c35038 | out: pbBuffer=0x12c35038) returned 1 [0262.031] ReadFile (in: hFile=0x3e4, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12851d1c*=0x6000, lpOverlapped=0x0) returned 1 [0262.040] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0262.066] SetEvent (hEvent=0x40c) returned 1 [0262.066] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0262.321] SetEvent (hEvent=0x420) returned 1 [0262.321] SetEvent (hEvent=0x3f8) returned 1 [0262.321] SetEvent (hEvent=0x3f4) returned 1 [0262.321] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0263.058] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0263.086] SetEvent (hEvent=0x3f8) returned 1 [0263.086] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\roaming.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0263.087] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0263.087] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\roaming.lock" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\roaming.lock"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.087] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f8c0 | out: pbBuffer=0x1280f8c0) returned 1 [0263.087] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849c70 | out: pbBuffer=0x12849c70) returned 1 [0263.087] ReadFile (in: hFile=0x3e4, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x1282bd1c*=0x0, lpOverlapped=0x0) returned 1 [0263.088] CloseHandle (hObject=0x3e4) returned 1 [0263.088] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0263.089] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0263.089] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1cef5ca8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1cef5ca8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f8e0 | out: pbBuffer=0x1280f8e0) returned 1 [0263.089] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849c80 | out: pbBuffer=0x12849c80) returned 1 [0263.090] ReadFile (in: hFile=0x3e4, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12855d1c*=0x2000, lpOverlapped=0x0) returned 1 [0263.135] GetFileType (hFile=0x3e4) returned 0x1 [0263.135] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.135] WriteFile (in: hFile=0x3e4, lpBuffer=0x12922000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12922000*, lpNumberOfBytesWritten=0x12855d00*=0x2000, lpOverlapped=0x12855d0c) returned 1 [0263.135] GetFileType (hFile=0x3e4) returned 0x1 [0263.136] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0263.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834601 | out: pbBuffer=0x12834601) returned 1 [0263.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0263.136] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810218 | out: pbBuffer=0x12810218) returned 1 [0263.136] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.137] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0263.137] WriteFile (in: hFile=0x42c, lpBuffer=0x12c2e500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2e500*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0263.137] CloseHandle (hObject=0x42c) returned 1 [0263.137] CloseHandle (hObject=0x3e4) returned 1 [0263.137] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810230 | out: pbBuffer=0x12810230) returned 1 [0263.137] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[2339A6C4C69B52D0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\#_this_file_is_encrypted_[2339a6c4c69b52d0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.219] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0263.398] SetEvent (hEvent=0x3f4) returned 1 [0263.398] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.399] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0263.399] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c551adc, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c551adc, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0263.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12845d60 | out: pbBuffer=0x12845d60) returned 1 [0263.399] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9460 | out: pbBuffer=0x128e9460) returned 1 [0263.400] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0263.402] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0263.402] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0263.402] SetEvent (hEvent=0x110) returned 1 [0263.402] SetEvent (hEvent=0x3f4) returned 1 [0263.402] SetEvent (hEvent=0x420) returned 1 [0263.403] ReadFile (in: hFile=0x458, lpBuffer=0x129d6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x129d6000*, lpNumberOfBytesRead=0x12829d1c*=0x4000, lpOverlapped=0x0) returned 1 [0263.409] GetFileType (hFile=0x458) returned 0x1 [0263.409] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.409] WriteFile (in: hFile=0x458, lpBuffer=0x12c16000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12c16000*, lpNumberOfBytesWritten=0x12829d00*=0x4000, lpOverlapped=0x12829d0c) returned 1 [0263.409] GetFileType (hFile=0x458) returned 0x1 [0263.409] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.410] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0263.410] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0263.410] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0263.410] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9518 | out: pbBuffer=0x128e9518) returned 1 [0263.410] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0263.411] GetConsoleMode (in: hConsoleHandle=0x3e4, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0263.411] WriteFile (in: hFile=0x3e4, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0263.411] CloseHandle (hObject=0x3e4) returned 1 [0263.411] CloseHandle (hObject=0x458) returned 1 [0263.411] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e9530 | out: pbBuffer=0x128e9530) returned 1 [0263.411] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[F06F4C4D8F32F048]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[f06f4c4d8f32f048]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.414] SetEvent (hEvent=0x420) returned 1 [0263.414] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0263.421] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0263.422] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0263.422] SetEvent (hEvent=0x420) returned 1 [0263.422] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0263.470] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0263.471] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.472] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0263.472] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9c31594e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.472] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0263.472] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34018 | out: pbBuffer=0x12c34018) returned 1 [0263.472] ReadFile (in: hFile=0x458, lpBuffer=0x12bee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bee000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0263.473] CloseHandle (hObject=0x458) returned 1 [0263.473] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0263.528] SetEvent (hEvent=0x40c) returned 1 [0263.528] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0263.529] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0263.530] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93b82c39, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0263.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928020 | out: pbBuffer=0x12928020) returned 1 [0263.530] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34028 | out: pbBuffer=0x12c34028) returned 1 [0263.559] ReadFile (in: hFile=0x458, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x1282bd1c*=0x2000, lpOverlapped=0x0) returned 1 [0263.607] GetFileType (hFile=0x458) returned 0x1 [0263.607] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0263.608] WriteFile (in: hFile=0x458, lpBuffer=0x12ae2000*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12ae2000*, lpNumberOfBytesWritten=0x1282bd00*=0x2000, lpOverlapped=0x1282bd0c) returned 1 [0263.608] GetFileType (hFile=0x458) returned 0x1 [0263.608] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0263.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0263.608] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0263.609] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0263.609] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c340e0 | out: pbBuffer=0x12c340e0) returned 1 [0263.609] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log1"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.609] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0263.609] WriteFile (in: hFile=0x42c, lpBuffer=0x12bdea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12bdea00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0263.610] CloseHandle (hObject=0x42c) returned 1 [0263.610] CloseHandle (hObject=0x458) returned 1 [0263.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c340f8 | out: pbBuffer=0x12c340f8) returned 1 [0263.610] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat.log1"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\#_THIS_FILE_IS_ENCRYPTED_[0BC4F00D6A69E3CC]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\#_this_file_is_encrypted_[0bc4f00d6a69e3cc]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.612] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0263.827] SetEvent (hEvent=0x40c) returned 1 [0263.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.828] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0263.828] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9da2e714, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9da2e714, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0263.828] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928220 | out: pbBuffer=0x12928220) returned 1 [0263.829] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34140 | out: pbBuffer=0x12c34140) returned 1 [0263.829] ReadFile (in: hFile=0x42c, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12853d1c*=0x4000, lpOverlapped=0x0) returned 1 [0263.835] GetFileType (hFile=0x42c) returned 0x1 [0263.835] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.835] WriteFile (in: hFile=0x42c, lpBuffer=0x12af8000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12af8000*, lpNumberOfBytesWritten=0x12853d00*=0x4000, lpOverlapped=0x12853d0c) returned 1 [0263.836] GetFileType (hFile=0x42c) returned 0x1 [0263.836] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0263.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0263.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0263.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0263.836] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c341f8 | out: pbBuffer=0x12c341f8) returned 1 [0263.836] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0263.836] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0263.837] WriteFile (in: hFile=0x44c, lpBuffer=0x12bdef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12bdef00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0263.837] CloseHandle (hObject=0x44c) returned 1 [0263.837] CloseHandle (hObject=0x42c) returned 1 [0263.837] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34210 | out: pbBuffer=0x12c34210) returned 1 [0263.837] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), lpNewFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\#_THIS_FILE_IS_ENCRYPTED_[1F00EC1766BBC43B]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\#_this_file_is_encrypted_[1f00ec1766bbc43b]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0263.839] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0263.844] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0263.844] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d77f879, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.845] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928460 | out: pbBuffer=0x12928460) returned 1 [0263.845] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34258 | out: pbBuffer=0x12c34258) returned 1 [0263.845] ReadFile (in: hFile=0x42c, lpBuffer=0x12ce6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12ce6000*, lpNumberOfBytesRead=0x12829d1c*=0x0, lpOverlapped=0x0) returned 1 [0263.845] CloseHandle (hObject=0x42c) returned 1 [0263.845] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0263.940] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.259] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.390] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.436] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.437] SetEvent (hEvent=0x104) returned 1 [0267.437] SwitchToThread () returned 1 [0267.445] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.449] SetEvent (hEvent=0xfc) returned 1 [0267.449] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\INIfYxN6if.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\inifyxn6if.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0267.450] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.450] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\INIfYxN6if.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\inifyxn6if.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ada6c0, ftCreationTime.dwHighDateTime=0x1d81aa0, ftLastAccessTime.dwLowDateTime=0x8cd36f60, ftLastAccessTime.dwHighDateTime=0x1d81fb8, ftLastWriteTime.dwLowDateTime=0x8cd36f60, ftLastWriteTime.dwHighDateTime=0x1d81fb8, nFileSizeHigh=0x0, nFileSizeLow=0xc02b)) returned 1 [0267.451] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928000 | out: pbBuffer=0x12928000) returned 1 [0267.451] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848028 | out: pbBuffer=0x12848028) returned 1 [0267.451] ReadFile (in: hFile=0x458, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12853d1c*=0xc02b, lpOverlapped=0x0) returned 1 [0267.453] GetFileType (hFile=0x458) returned 0x1 [0267.453] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.453] WriteFile (in: hFile=0x458, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0xc02b, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12853d00*=0xc02b, lpOverlapped=0x12853d0c) returned 1 [0267.453] GetFileType (hFile=0x458) returned 0x1 [0267.454] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0xc02b, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0267.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0267.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0267.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0267.454] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128483b0 | out: pbBuffer=0x128483b0) returned 1 [0267.454] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\INIfYxN6if.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\inifyxn6if.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0267.454] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0267.454] WriteFile (in: hFile=0x44c, lpBuffer=0x128b0000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x128b0000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0267.455] CloseHandle (hObject=0x44c) returned 1 [0267.456] CloseHandle (hObject=0x458) returned 1 [0267.459] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483c8 | out: pbBuffer=0x128483c8) returned 1 [0267.459] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\INIfYxN6if.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\inifyxn6if.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\#_THIS_FILE_IS_ENCRYPTED_[56F5F34B5926C547]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\#_this_file_is_encrypted_[56f5f34b5926c547]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0267.559] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.617] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.642] SetEvent (hEvent=0x40c) returned 1 [0267.642] SetEvent (hEvent=0x1b8) returned 1 [0267.642] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.779] SetEvent (hEvent=0xfc) returned 1 [0267.780] SetEvent (hEvent=0xf4) returned 1 [0267.780] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0267.791] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.791] SetEvent (hEvent=0xf4) returned 1 [0267.791] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0267.793] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.793] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0267.797] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.797] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0267.797] SetEvent (hEvent=0xfc) returned 1 [0267.797] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0267.801] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0267.801] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0270.141] SetEvent (hEvent=0x104) returned 1 [0270.141] SetEvent (hEvent=0x40c) returned 1 [0270.141] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0270.648] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\fb0d848f74f70bb2eaa93746d24d9749"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0270.649] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0270.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\fb0d848f74f70bb2eaa93746d24d9749"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x2af524cd, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1e74)) returned 1 [0270.649] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98e00 | out: pbBuffer=0x12a98e00) returned 1 [0270.649] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e93d0 | out: pbBuffer=0x128e93d0) returned 1 [0270.649] ReadFile (in: hFile=0x450, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x1282bd1c*=0x1e74, lpOverlapped=0x0) returned 1 [0270.657] GetFileType (hFile=0x450) returned 0x1 [0270.657] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0270.658] WriteFile (in: hFile=0x450, lpBuffer=0x1285e000*, nNumberOfBytesToWrite=0x1e74, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x1285e000*, lpNumberOfBytesWritten=0x1282bd00*=0x1e74, lpOverlapped=0x1282bd0c) returned 1 [0270.697] GetFileType (hFile=0x450) returned 0x1 [0270.697] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x1e74, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0270.697] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834701 | out: pbBuffer=0x12834701) returned 1 [0270.697] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834801 | out: pbBuffer=0x12834801) returned 1 [0270.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834901 | out: pbBuffer=0x12834901) returned 1 [0270.698] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e9550 | out: pbBuffer=0x128e9550) returned 1 [0270.698] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\fb0d848f74f70bb2eaa93746d24d9749"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0270.698] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0270.698] WriteFile (in: hFile=0x42c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0270.724] CloseHandle (hObject=0x42c) returned 1 [0270.724] CloseHandle (hObject=0x450) returned 1 [0270.733] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e95e8 | out: pbBuffer=0x128e95e8) returned 1 [0270.734] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\fb0d848f74f70bb2eaa93746d24d9749"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\#_THIS_FILE_IS_ENCRYPTED_[DA059B7C4EBB1D73]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\#_this_file_is_encrypted_[da059b7c4ebb1d73]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0271.230] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0271.240] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0271.242] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0271.243] SetEvent (hEvent=0x1b8) returned 1 [0271.243] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0271.249] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0271.250] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LTG-ijW6S.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ltg-ijw6s.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0271.251] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0271.251] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LTG-ijW6S.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ltg-ijw6s.ots"), fInfoLevelId=0x0, lpFileInformation=0x1282bad0 | out: lpFileInformation=0x1282bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cfd5c60, ftCreationTime.dwHighDateTime=0x1d8248a, ftLastAccessTime.dwLowDateTime=0x5e404c20, ftLastAccessTime.dwHighDateTime=0x1d829d3, ftLastWriteTime.dwLowDateTime=0x5e404c20, ftLastWriteTime.dwHighDateTime=0x1d829d3, nFileSizeHigh=0x0, nFileSizeLow=0x12baa)) returned 1 [0271.251] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0271.251] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0271.251] ReadFile (in: hFile=0x450, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x1282bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x1282bd1c*=0x12baa, lpOverlapped=0x0) returned 1 [0271.253] GetFileType (hFile=0x450) returned 0x1 [0271.254] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0271.254] WriteFile (in: hFile=0x450, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x12baa, lpNumberOfBytesWritten=0x1282bd00, lpOverlapped=0x1282bd0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x1282bd00*=0x12baa, lpOverlapped=0x1282bd0c) returned 1 [0271.255] GetFileType (hFile=0x450) returned 0x1 [0271.255] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x12baa, lpNewFilePointer=0x0, dwMoveMethod=0x1282bce4 | out: lpNewFilePointer=0x0) returned 1 [0271.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0271.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0271.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0271.255] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0271.255] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LTG-ijW6S.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ltg-ijw6s.ots"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0271.256] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x1282bd0c | out: lpMode=0x1282bd0c) returned 0 [0271.256] WriteFile (in: hFile=0x458, lpBuffer=0x12912a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x1282bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12912a00*, lpNumberOfBytesWritten=0x1282bd0c*=0x276, lpOverlapped=0x0) returned 1 [0271.256] CloseHandle (hObject=0x458) returned 1 [0271.260] CloseHandle (hObject=0x450) returned 1 [0271.264] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0271.264] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\LTG-ijW6S.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ltg-ijw6s.ots"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\#_THIS_FILE_IS_ENCRYPTED_[03D85B3A4B96CCA7]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\#_this_file_is_encrypted_[03d85b3a4b96cca7]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0271.787] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0271.794] SetEvent (hEvent=0xf4) returned 1 [0271.794] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0271.795] GetConsoleMode (in: hConsoleHandle=0x458, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0271.795] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ea6d97, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ea6d97, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x48839)) returned 1 [0271.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928180 | out: pbBuffer=0x12928180) returned 1 [0271.795] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a7c8 | out: pbBuffer=0x12a9a7c8) returned 1 [0271.796] ReadFile (in: hFile=0x458, lpBuffer=0x12b8a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b8a000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0271.955] GetFileType (hFile=0x458) returned 0x1 [0271.955] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0271.955] WriteFile (in: hFile=0x458, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0271.956] GetFileType (hFile=0x458) returned 0x1 [0271.956] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0271.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0271.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0271.956] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0271.957] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848440 | out: pbBuffer=0x12848440) returned 1 [0271.957] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0271.957] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0271.957] WriteFile (in: hFile=0x44c, lpBuffer=0x12a4a000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a4a000*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0271.967] CloseHandle (hObject=0x44c) returned 1 [0272.210] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0272.229] CloseHandle (hObject=0x458) returned 1 [0272.229] SetEvent (hEvent=0x40c) returned 1 [0272.229] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0272.303] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0272.335] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0272.336] GetConsoleMode (in: hConsoleHandle=0x42c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0272.336] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec07b6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec07b6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x42132)) returned 1 [0272.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98040 | out: pbBuffer=0x12a98040) returned 1 [0272.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0272.337] ReadFile (in: hFile=0x42c, lpBuffer=0x12b68000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b68000*, lpNumberOfBytesRead=0x12851d1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.466] GetFileType (hFile=0x42c) returned 0x1 [0272.466] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.466] WriteFile (in: hFile=0x42c, lpBuffer=0x12936000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12936000*, lpNumberOfBytesWritten=0x12851d00*=0x20000, lpOverlapped=0x12851d0c) returned 1 [0272.467] GetFileType (hFile=0x42c) returned 0x1 [0272.467] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0272.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0272.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0272.469] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0272.469] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0272.469] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0272.469] WriteFile (in: hFile=0x44c, lpBuffer=0x12c2c000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2c000*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.483] CloseHandle (hObject=0x44c) returned 1 [0272.490] CloseHandle (hObject=0x42c) returned 1 [0272.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0272.493] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[19A990099FA474B0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[19a990099fa474b0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.598] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0272.609] SetEvent (hEvent=0x1d0) returned 1 [0272.609] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0272.610] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0272.610] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed2ca5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed2ca5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b500917, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x54256)) returned 1 [0272.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12b88420 | out: pbBuffer=0x12b88420) returned 1 [0272.610] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849060 | out: pbBuffer=0x12849060) returned 1 [0272.610] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0272.612] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0272.612] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb20, ulCount=0x10, ulNumEntriesRemoved=0x3426fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb20, ulNumEntriesRemoved=0x3426fb04) returned 0 [0272.612] SetEvent (hEvent=0x110) returned 1 [0272.612] SetEvent (hEvent=0x1d0) returned 1 [0272.613] ReadFile (in: hFile=0x460, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12853d1c*=0x20000, lpOverlapped=0x0) returned 1 [0272.626] GetFileType (hFile=0x460) returned 0x1 [0272.626] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.627] WriteFile (in: hFile=0x460, lpBuffer=0x12d04000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12d04000*, lpNumberOfBytesWritten=0x12853d00*=0x20000, lpOverlapped=0x12853d0c) returned 1 [0272.628] GetFileType (hFile=0x460) returned 0x1 [0272.628] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0272.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0272.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0272.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0272.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849128 | out: pbBuffer=0x12849128) returned 1 [0272.629] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0272.629] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0272.629] WriteFile (in: hFile=0x45c, lpBuffer=0x12913900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12913900*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0272.662] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0272.672] CloseHandle (hObject=0x45c) returned 1 [0272.672] CloseHandle (hObject=0x460) returned 1 [0272.672] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8558 | out: pbBuffer=0x128e8558) returned 1 [0272.672] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\#_THIS_FILE_IS_ENCRYPTED_[0BDD5E763160EA74]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\#_this_file_is_encrypted_[0bdd5e763160ea74]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0272.674] SetEvent (hEvent=0x104) returned 1 [0272.674] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0273.029] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0273.084] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0273.130] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0273.157] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0273.163] SetEvent (hEvent=0x1b8) returned 1 [0273.163] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0273.183] SetEvent (hEvent=0x1b8) returned 1 [0273.183] SetEvent (hEvent=0x40c) returned 1 [0273.183] SetEvent (hEvent=0xfc) returned 1 [0273.183] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0273.368] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0273.450] SetEvent (hEvent=0x40c) returned 1 [0273.450] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.451] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.451] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9826b304, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9826b304, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x70d51000, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x893c1)) returned 1 [0273.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0273.452] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c341b0 | out: pbBuffer=0x12c341b0) returned 1 [0273.452] ReadFile (in: hFile=0x44c, lpBuffer=0x12bca000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bca000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0273.463] GetFileType (hFile=0x44c) returned 0x1 [0273.463] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.463] WriteFile (in: hFile=0x44c, lpBuffer=0x12d04000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d04000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0273.468] GetFileType (hFile=0x44c) returned 0x1 [0273.468] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc481 | out: pbBuffer=0x12afc481) returned 1 [0273.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc601 | out: pbBuffer=0x12afc601) returned 1 [0273.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc781 | out: pbBuffer=0x12afc781) returned 1 [0273.468] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34268 | out: pbBuffer=0x12c34268) returned 1 [0273.468] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0273.469] GetConsoleMode (in: hConsoleHandle=0x450, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.469] WriteFile (in: hFile=0x450, lpBuffer=0x12a94500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94500*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.473] CloseHandle (hObject=0x450) returned 1 [0273.473] CloseHandle (hObject=0x44c) returned 1 [0273.473] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c34280 | out: pbBuffer=0x12c34280) returned 1 [0273.473] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\#_THIS_FILE_IS_ENCRYPTED_[DECDBFDA920F8F66]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\#_this_file_is_encrypted_[decdbfda920f8f66]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0273.475] SetEvent (hEvent=0x40c) returned 1 [0273.475] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0273.476] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.476] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx"), fInfoLevelId=0x0, lpFileInformation=0x12829ad0 | out: lpFileInformation=0x12829ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984f5d1e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984f5d1e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa299a700, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x192bb1)) returned 1 [0273.476] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844900 | out: pbBuffer=0x12844900) returned 1 [0273.476] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12c342c8 | out: pbBuffer=0x12c342c8) returned 1 [0273.476] ReadFile (in: hFile=0x44c, lpBuffer=0x12d24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12829d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d24000*, lpNumberOfBytesRead=0x12829d1c*=0x20000, lpOverlapped=0x0) returned 1 [0273.491] GetFileType (hFile=0x44c) returned 0x1 [0273.491] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.491] WriteFile (in: hFile=0x44c, lpBuffer=0x12d64000*, nNumberOfBytesToWrite=0x20000, lpNumberOfBytesWritten=0x12829d00, lpOverlapped=0x12829d0c | out: lpBuffer=0x12d64000*, lpNumberOfBytesWritten=0x12829d00*=0x20000, lpOverlapped=0x12829d0c) returned 1 [0273.492] GetFileType (hFile=0x44c) returned 0x1 [0273.492] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x20000, lpNewFilePointer=0x0, dwMoveMethod=0x12829ce4 | out: lpNewFilePointer=0x0) returned 1 [0273.492] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0273.492] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0273.492] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0273.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12c34380 | out: pbBuffer=0x12c34380) returned 1 [0273.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0273.493] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12829d0c | out: lpMode=0x12829d0c) returned 0 [0273.493] WriteFile (in: hFile=0x460, lpBuffer=0x12a94a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12829d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a94a00*, lpNumberOfBytesWritten=0x12829d0c*=0x276, lpOverlapped=0x0) returned 1 [0273.500] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0273.522] CloseHandle (hObject=0x460) returned 1 [0273.522] CloseHandle (hObject=0x44c) returned 1 [0273.522] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.244] SetEvent (hEvent=0xf4) returned 1 [0274.244] SetEvent (hEvent=0x1b8) returned 1 [0274.244] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.250] SetEvent (hEvent=0xf4) returned 1 [0274.250] SetEvent (hEvent=0x1b8) returned 1 [0274.250] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.261] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.342] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.404] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.457] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.551] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.597] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.644] SetEvent (hEvent=0x40c) returned 1 [0274.644] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.650] SetEvent (hEvent=0xf4) returned 1 [0274.650] SetEvent (hEvent=0x3f8) returned 1 [0274.650] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0274.661] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.661] SetEvent (hEvent=0x3f8) returned 1 [0274.661] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0274.663] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0274.664] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0274.664] SetEvent (hEvent=0xf4) returned 1 [0274.664] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0274.667] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.667] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.858] SetEvent (hEvent=0x40c) returned 1 [0274.858] SetEvent (hEvent=0x104) returned 1 [0274.858] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.907] SwitchToThread () returned 1 [0274.915] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.935] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0274.982] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.011] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.045] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.150] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.176] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.209] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.254] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.296] SetEvent (hEvent=0xf4) returned 1 [0275.296] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.303] SetEvent (hEvent=0x1d0) returned 1 [0275.304] SetEvent (hEvent=0x40c) returned 1 [0275.304] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0275.310] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.310] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0275.313] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.313] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0275.313] SetEvent (hEvent=0x1d0) returned 1 [0275.313] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0275.315] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.315] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.502] SetEvent (hEvent=0x1d0) returned 1 [0275.503] SetEvent (hEvent=0x40c) returned 1 [0275.503] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.549] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.562] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.582] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.633] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.672] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.896] SetEvent (hEvent=0xf4) returned 1 [0275.897] SwitchToThread () returned 1 [0275.903] SetEvent (hEvent=0xf4) returned 1 [0275.903] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0275.959] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0275.959] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0276.049] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0276.049] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0276.102] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0276.103] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0276.118] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0276.118] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0276.118] SetEvent (hEvent=0x110) returned 1 [0276.118] SetEvent (hEvent=0x104) returned 1 [0276.118] SetEvent (hEvent=0x1b8) returned 1 [0276.118] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0276.159] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0276.159] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0276.217] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.004] SetEvent (hEvent=0x3f8) returned 1 [0278.004] SetEvent (hEvent=0xf4) returned 1 [0278.004] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0278.007] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.007] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0278.010] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.010] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0278.010] SetEvent (hEvent=0x104) returned 1 [0278.010] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0278.014] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.041] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.062] SetEvent (hEvent=0xf4) returned 1 [0278.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\SPY-r5V.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\spy-r5v.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe002b270, ftCreationTime.dwHighDateTime=0x1d81f1f, ftLastAccessTime.dwLowDateTime=0xfc6fcd70, ftLastAccessTime.dwHighDateTime=0x1d8298e, ftLastWriteTime.dwLowDateTime=0xfc6fcd70, ftLastWriteTime.dwHighDateTime=0x1d8298e, nFileSizeHigh=0x0, nFileSizeLow=0xc169)) returned 1 [0278.062] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.082] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.215] SetEvent (hEvent=0xf4) returned 1 [0278.215] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\ggbWGBU.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\ggbwgbu.ppt"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62eebdf0, ftCreationTime.dwHighDateTime=0x1d8209c, ftLastAccessTime.dwLowDateTime=0xbe8588c0, ftLastAccessTime.dwHighDateTime=0x1d820c8, ftLastWriteTime.dwLowDateTime=0xbe8588c0, ftLastWriteTime.dwHighDateTime=0x1d820c8, nFileSizeHigh=0x0, nFileSizeLow=0x1749b)) returned 1 [0278.216] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.267] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.355] SetEvent (hEvent=0xf4) returned 1 [0278.355] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\3XptwoMUL4HB0GHi\\s3ncmMpPmS0muoyMLo.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\3xptwomul4hb0ghi\\s3ncmmppms0muoymlo.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe507e5d0, ftCreationTime.dwHighDateTime=0x1d81df6, ftLastAccessTime.dwLowDateTime=0x77993980, ftLastAccessTime.dwHighDateTime=0x1d81f1e, ftLastWriteTime.dwLowDateTime=0x77993980, ftLastWriteTime.dwHighDateTime=0x1d81f1e, nFileSizeHigh=0x0, nFileSizeLow=0x14b99)) returned 1 [0278.355] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.496] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.551] SetEvent (hEvent=0xf4) returned 1 [0278.551] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4oMFooZPReWD1.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4omfoozprewd1.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca45fda0, ftCreationTime.dwHighDateTime=0x1d824fd, ftLastAccessTime.dwLowDateTime=0x390e3380, ftLastAccessTime.dwHighDateTime=0x1d82989, ftLastWriteTime.dwLowDateTime=0x390e3380, ftLastWriteTime.dwHighDateTime=0x1d82989, nFileSizeHigh=0x0, nFileSizeLow=0x13a77)) returned 1 [0278.551] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.598] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.844] SetEvent (hEvent=0xf4) returned 1 [0278.844] SetEvent (hEvent=0x3f8) returned 1 [0278.844] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.848] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.874] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.897] SetEvent (hEvent=0x3f8) returned 1 [0278.897] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\YJa5crqa6E.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yja5crqa6e.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e12f570, ftCreationTime.dwHighDateTime=0x1d81f84, ftLastAccessTime.dwLowDateTime=0xbb26ae80, ftLastAccessTime.dwHighDateTime=0x1d827e8, ftLastWriteTime.dwLowDateTime=0xbb26ae80, ftLastWriteTime.dwHighDateTime=0x1d827e8, nFileSizeHigh=0x0, nFileSizeLow=0x15308)) returned 1 [0278.897] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0278.943] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0279.117] SetEvent (hEvent=0x3f8) returned 1 [0279.117] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Z2qPX6.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z2qpx6.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff09880, ftCreationTime.dwHighDateTime=0x1d81f43, ftLastAccessTime.dwLowDateTime=0xa062dd90, ftLastAccessTime.dwHighDateTime=0x1d82396, ftLastWriteTime.dwLowDateTime=0xa062dd90, ftLastWriteTime.dwHighDateTime=0x1d82396, nFileSizeHigh=0x0, nFileSizeLow=0xc20f)) returned 1 [0279.117] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0279.151] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0279.189] SetEvent (hEvent=0x3f8) returned 1 [0279.189] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x516f4b00, ftCreationTime.dwHighDateTime=0x1d85709, ftLastAccessTime.dwLowDateTime=0x516f4b00, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x9cca2f00, ftLastWriteTime.dwHighDateTime=0x1d856f2, nFileSizeHigh=0x0, nFileSizeLow=0x1cbc00)) returned 1 [0279.189] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0280.205] SetEvent (hEvent=0x104) returned 1 [0280.205] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0280.217] SetEvent (hEvent=0x104) returned 1 [0280.217] SetEvent (hEvent=0x1b8) returned 1 [0280.217] SetEvent (hEvent=0x3f4) returned 1 [0280.217] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0280.395] SetEvent (hEvent=0x104) returned 1 [0280.395] SetEvent (hEvent=0x1d0) returned 1 [0280.395] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0281.656] SetEvent (hEvent=0xf4) returned 1 [0281.974] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iFdAmmAFYX4CdXqN.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ifdammafyx4cdxqn.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0281.991] GetConsoleMode (in: hConsoleHandle=0x1a4, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0282.156] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iFdAmmAFYX4CdXqN.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ifdammafyx4cdxqn.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe90ec7a0, ftCreationTime.dwHighDateTime=0x1d81bff, ftLastAccessTime.dwLowDateTime=0x7574d0, ftLastAccessTime.dwHighDateTime=0x1d82208, ftLastWriteTime.dwLowDateTime=0x7574d0, ftLastWriteTime.dwHighDateTime=0x1d82208, nFileSizeHigh=0x0, nFileSizeLow=0x8bd4)) returned 1 [0282.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98560 | out: pbBuffer=0x12a98560) returned 1 [0282.156] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a1a0 | out: pbBuffer=0x12a9a1a0) returned 1 [0282.157] ReadFile (in: hFile=0x1a4, lpBuffer=0x12d04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d04000*, lpNumberOfBytesRead=0x12851d1c*=0x8bd4, lpOverlapped=0x0) returned 1 [0282.297] GetFileType (hFile=0x1a4) returned 0x1 [0282.297] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0282.297] WriteFile (in: hFile=0x1a4, lpBuffer=0x12e64000*, nNumberOfBytesToWrite=0x8bd4, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12e64000*, lpNumberOfBytesWritten=0x12851d00*=0x8bd4, lpOverlapped=0x12851d0c) returned 1 [0282.298] GetFileType (hFile=0x1a4) returned 0x1 [0282.298] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x8bd4, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0283.287] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0283.369] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0283.369] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a781 | out: pbBuffer=0x1286a781) returned 1 [0283.471] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a258 | out: pbBuffer=0x12a9a258) returned 1 [0283.666] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a270 | out: pbBuffer=0x12a9a270) returned 1 [0283.666] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\uDGO5JU.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\udgo5ju.mp4"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0283.667] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0283.667] WriteFile (in: hFile=0x460, lpBuffer=0x12c38000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c38000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0283.667] CloseHandle (hObject=0x460) returned 1 [0283.785] CloseHandle (hObject=0x44c) returned 1 [0283.811] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0283.960] SetEvent (hEvent=0x1b8) returned 1 [0283.960] SwitchToThread () returned 1 [0283.988] SetEvent (hEvent=0x110) returned 1 [0283.988] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\BJWSz.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjwsz.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bd037b0, ftCreationTime.dwHighDateTime=0x1d8006c, ftLastAccessTime.dwLowDateTime=0x754a60e0, ftLastAccessTime.dwHighDateTime=0x1d82979, ftLastWriteTime.dwLowDateTime=0x754a60e0, ftLastWriteTime.dwHighDateTime=0x1d82979, nFileSizeHigh=0x0, nFileSizeLow=0xc4fe)) returned 1 [0283.988] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0284.412] SetEvent (hEvent=0x104) returned 1 [0284.412] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\H0wX0.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\h0wx0.doc"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1c3d650, ftCreationTime.dwHighDateTime=0x1d828af, ftLastAccessTime.dwLowDateTime=0x2cc07500, ftLastAccessTime.dwHighDateTime=0x1d82981, ftLastWriteTime.dwLowDateTime=0x2cc07500, ftLastWriteTime.dwHighDateTime=0x1d82981, nFileSizeHigh=0x0, nFileSizeLow=0xa400)) returned 1 [0284.413] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0284.413] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\my music"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x460 [0284.414] GetFileInformationByHandle (in: hFile=0x460, lpFileInformation=0x12857ae8 | out: lpFileInformation=0x12857ae8) returned 1 [0284.414] GetFileInformationByHandleEx (in: hFile=0x460, FileInformationClass=0x9, lpFileInformation=0x12857ae0, dwBufferSize=0x8 | out: lpFileInformation=0x12857ae0) returned 1 [0284.414] CloseHandle (hObject=0x460) returned 1 [0284.414] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\H0wX0.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\h0wx0.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0284.415] GetConsoleMode (in: hConsoleHandle=0x460, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0284.429] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\H0wX0.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\h0wx0.doc"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1c3d650, ftCreationTime.dwHighDateTime=0x1d828af, ftLastAccessTime.dwLowDateTime=0x2cc07500, ftLastAccessTime.dwHighDateTime=0x1d82981, ftLastWriteTime.dwLowDateTime=0x2cc07500, ftLastWriteTime.dwHighDateTime=0x1d82981, nFileSizeHigh=0x0, nFileSizeLow=0xa400)) returned 1 [0284.429] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844420 | out: pbBuffer=0x12844420) returned 1 [0284.430] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915300 | out: pbBuffer=0x12915300) returned 1 [0284.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\BJWSz.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjwsz.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0284.528] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0284.528] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\BJWSz.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjwsz.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bd037b0, ftCreationTime.dwHighDateTime=0x1d8006c, ftLastAccessTime.dwLowDateTime=0x754a60e0, ftLastAccessTime.dwHighDateTime=0x1d82979, ftLastWriteTime.dwLowDateTime=0x754a60e0, ftLastWriteTime.dwHighDateTime=0x1d82979, nFileSizeHigh=0x0, nFileSizeLow=0xc4fe)) returned 1 [0284.528] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844440 | out: pbBuffer=0x12844440) returned 1 [0284.528] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915310 | out: pbBuffer=0x12915310) returned 1 [0284.540] ReadFile (in: hFile=0x44c, lpBuffer=0x128ee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x128ee000*, lpNumberOfBytesRead=0x12851d1c*=0xc4fe, lpOverlapped=0x0) returned 1 [0284.543] GetFileType (hFile=0x44c) returned 0x1 [0284.543] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0284.543] WriteFile (in: hFile=0x44c, lpBuffer=0x12b10000*, nNumberOfBytesToWrite=0xc4fe, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12b10000*, lpNumberOfBytesWritten=0x12851d00*=0xc4fe, lpOverlapped=0x12851d0c) returned 1 [0284.543] GetFileType (hFile=0x44c) returned 0x1 [0284.543] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xc4fe, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0284.629] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0284.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800981 | out: pbBuffer=0x12800981) returned 1 [0284.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a81 | out: pbBuffer=0x12800a81) returned 1 [0284.630] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x129153c8 | out: pbBuffer=0x129153c8) returned 1 [0284.630] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\BJWSz.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjwsz.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0284.630] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0284.630] WriteFile (in: hFile=0x45c, lpBuffer=0x12c2ef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12c2ef00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0284.630] CloseHandle (hObject=0x45c) returned 1 [0284.631] CloseHandle (hObject=0x44c) returned 1 [0284.631] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129153e0 | out: pbBuffer=0x129153e0) returned 1 [0284.631] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\BJWSz.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjwsz.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[E8C2DA15053C5546]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[e8c2da15053c5546]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0284.632] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0289.211] SetEvent (hEvent=0x1b8) returned 1 [0289.211] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0289.276] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SBXGxY5lR7LJ4DebJNW.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sbxgxy5lr7lj4debjnw.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0289.278] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0289.278] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SBXGxY5lR7LJ4DebJNW.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sbxgxy5lr7lj4debjnw.docx"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e6d6db0, ftCreationTime.dwHighDateTime=0x1d7f172, ftLastAccessTime.dwLowDateTime=0x87605420, ftLastAccessTime.dwHighDateTime=0x1d81af0, ftLastWriteTime.dwLowDateTime=0x87605420, ftLastWriteTime.dwHighDateTime=0x1d81af0, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6)) returned 1 [0289.278] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac7ca0 | out: pbBuffer=0x12ac7ca0) returned 1 [0289.278] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849ee0 | out: pbBuffer=0x12849ee0) returned 1 [0289.279] ReadFile (in: hFile=0x44c, lpBuffer=0x12984000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12984000*, lpNumberOfBytesRead=0x12851d1c*=0xf5f6, lpOverlapped=0x0) returned 1 [0289.282] GetFileType (hFile=0x44c) returned 0x1 [0289.282] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.282] WriteFile (in: hFile=0x44c, lpBuffer=0x129a4000*, nNumberOfBytesToWrite=0xf5f6, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x129a4000*, lpNumberOfBytesWritten=0x12851d00*=0xf5f6, lpOverlapped=0x12851d0c) returned 1 [0289.283] GetFileType (hFile=0x44c) returned 0x1 [0289.283] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xf5f6, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0289.283] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835201 | out: pbBuffer=0x12835201) returned 1 [0289.283] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835301 | out: pbBuffer=0x12835301) returned 1 [0289.283] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12835401 | out: pbBuffer=0x12835401) returned 1 [0289.283] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849f98 | out: pbBuffer=0x12849f98) returned 1 [0289.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SBXGxY5lR7LJ4DebJNW.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sbxgxy5lr7lj4debjnw.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0289.284] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0289.284] WriteFile (in: hFile=0x45c, lpBuffer=0x12a44500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a44500*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0289.284] CloseHandle (hObject=0x45c) returned 1 [0289.329] CloseHandle (hObject=0x44c) returned 1 [0289.512] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848000 | out: pbBuffer=0x12848000) returned 1 [0289.512] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\SBXGxY5lR7LJ4DebJNW.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\sbxgxy5lr7lj4debjnw.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[5C38A0E7B3BC9C7D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[5c38a0e7b3bc9c7d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0290.998] SetEvent (hEvent=0xfc) returned 1 [0290.998] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\HDkvkngN2it Nq n.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\hdkvkngn2it nq n.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0291.000] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0291.000] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\HDkvkngN2it Nq n.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\hdkvkngn2it nq n.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38605f50, ftCreationTime.dwHighDateTime=0x1d824ff, ftLastAccessTime.dwLowDateTime=0xb1412210, ftLastAccessTime.dwHighDateTime=0x1d8264e, ftLastWriteTime.dwLowDateTime=0xb1412210, ftLastWriteTime.dwHighDateTime=0x1d8264e, nFileSizeHigh=0x0, nFileSizeLow=0x21e3)) returned 1 [0291.000] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6aa0 | out: pbBuffer=0x12ac6aa0) returned 1 [0291.000] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849a68 | out: pbBuffer=0x12849a68) returned 1 [0291.000] ReadFile (in: hFile=0x44c, lpBuffer=0x129f6000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x129f6000*, lpNumberOfBytesRead=0x12851d1c*=0x21e3, lpOverlapped=0x0) returned 1 [0291.001] GetFileType (hFile=0x44c) returned 0x1 [0291.002] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0291.002] WriteFile (in: hFile=0x44c, lpBuffer=0x12a16000*, nNumberOfBytesToWrite=0x21e3, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a16000*, lpNumberOfBytesWritten=0x12851d00*=0x21e3, lpOverlapped=0x12851d0c) returned 1 [0291.002] GetFileType (hFile=0x44c) returned 0x1 [0291.002] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x21e3, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0291.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834b81 | out: pbBuffer=0x12834b81) returned 1 [0291.002] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834c81 | out: pbBuffer=0x12834c81) returned 1 [0291.003] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834d81 | out: pbBuffer=0x12834d81) returned 1 [0291.003] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849b20 | out: pbBuffer=0x12849b20) returned 1 [0291.003] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\HDkvkngN2it Nq n.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\hdkvkngn2it nq n.rtf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0291.003] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0291.003] WriteFile (in: hFile=0x470, lpBuffer=0x12b73400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12b73400*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0291.003] CloseHandle (hObject=0x470) returned 1 [0291.072] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0291.496] CloseHandle (hObject=0x44c) returned 1 [0291.621] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0291.857] SetEvent (hEvent=0xfc) returned 1 [0291.857] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3decfc0, ftCreationTime.dwHighDateTime=0x1d82061, ftLastAccessTime.dwLowDateTime=0x2cd1dbe0, ftLastAccessTime.dwHighDateTime=0x1d82528, ftLastWriteTime.dwLowDateTime=0x2cd1dbe0, ftLastWriteTime.dwHighDateTime=0x1d82528, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0291.858] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0291.858] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3decfc0, ftCreationTime.dwHighDateTime=0x1d82061, ftLastAccessTime.dwLowDateTime=0x2cd1dbe0, ftLastAccessTime.dwHighDateTime=0x1d82528, ftLastWriteTime.dwLowDateTime=0x2cd1dbe0, ftLastWriteTime.dwHighDateTime=0x1d82528, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbef9b8 [0291.858] FindNextFileW (in: hFindFile=0xbef9b8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3decfc0, ftCreationTime.dwHighDateTime=0x1d82061, ftLastAccessTime.dwLowDateTime=0x2cd1dbe0, ftLastAccessTime.dwHighDateTime=0x1d82528, ftLastWriteTime.dwLowDateTime=0x2cd1dbe0, ftLastWriteTime.dwHighDateTime=0x1d82528, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0291.858] FindNextFileW (in: hFindFile=0xbef9b8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9a728810, ftCreationTime.dwHighDateTime=0x1d829bb, ftLastAccessTime.dwLowDateTime=0xaf4ec470, ftLastAccessTime.dwHighDateTime=0x1d82a1e, ftLastWriteTime.dwLowDateTime=0xaf4ec470, ftLastWriteTime.dwHighDateTime=0x1d82a1e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4HstjI", cAlternateFileName="")) returned 1 [0291.858] FindNextFileW (in: hFindFile=0xbef9b8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3be09c0, ftCreationTime.dwHighDateTime=0x1d81c33, ftLastAccessTime.dwLowDateTime=0x12905ef0, ftLastAccessTime.dwHighDateTime=0x1d82537, ftLastWriteTime.dwLowDateTime=0x12905ef0, ftLastWriteTime.dwHighDateTime=0x1d82537, nFileSizeHigh=0x0, nFileSizeLow=0x183e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="dAMDSDcR5.xls", cAlternateFileName="DAMDSD~1.XLS")) returned 1 [0291.858] FindNextFileW (in: hFindFile=0xbef9b8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d64c280, ftCreationTime.dwHighDateTime=0x1d81ebe, ftLastAccessTime.dwLowDateTime=0x673fe9c0, ftLastAccessTime.dwHighDateTime=0x1d82438, ftLastWriteTime.dwLowDateTime=0x673fe9c0, ftLastWriteTime.dwHighDateTime=0x1d82438, nFileSizeHigh=0x0, nFileSizeLow=0x133dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="g3s66bQHe lVQQYoyL.ots", cAlternateFileName="G3S66B~1.OTS")) returned 1 [0291.859] FindNextFileW (in: hFindFile=0xbef9b8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f3aa690, ftCreationTime.dwHighDateTime=0x1d822ac, ftLastAccessTime.dwLowDateTime=0xd2fb03c0, ftLastAccessTime.dwHighDateTime=0x1d825af, ftLastWriteTime.dwLowDateTime=0xd2fb03c0, ftLastWriteTime.dwHighDateTime=0x1d825af, nFileSizeHigh=0x0, nFileSizeLow=0x3db5, dwReserved0=0x0, dwReserved1=0x0, cFileName="szgoHxlT.odt", cAlternateFileName="")) returned 1 [0291.859] FindNextFileW (in: hFindFile=0xbef9b8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x152988a0, ftCreationTime.dwHighDateTime=0x1d82440, ftLastAccessTime.dwLowDateTime=0x97eca220, ftLastAccessTime.dwHighDateTime=0x1d826ea, ftLastWriteTime.dwLowDateTime=0x97eca220, ftLastWriteTime.dwHighDateTime=0x1d826ea, nFileSizeHigh=0x0, nFileSizeLow=0x18986, dwReserved0=0x0, dwReserved1=0x0, cFileName="uPNvhNg_N9fx0M3PhrT.pdf", cAlternateFileName="UPNVHN~1.PDF")) returned 1 [0291.859] FindNextFileW (in: hFindFile=0xbef9b8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73e364d0, ftCreationTime.dwHighDateTime=0x1d828df, ftLastAccessTime.dwLowDateTime=0x3097f620, ftLastAccessTime.dwHighDateTime=0x1d829be, ftLastWriteTime.dwLowDateTime=0x3097f620, ftLastWriteTime.dwHighDateTime=0x1d829be, nFileSizeHigh=0x0, nFileSizeLow=0x14c1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="XI8Bv.pdf", cAlternateFileName="")) returned 1 [0291.859] FindNextFileW (in: hFindFile=0xbef9b8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0291.859] FindClose (in: hFindFile=0xbef9b8 | out: hFindFile=0xbef9b8) returned 1 [0291.859] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0291.859] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0291.859] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0291.982] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0291.982] WriteFile (in: hFile=0x45c, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0291.983] CloseHandle (hObject=0x45c) returned 1 [0291.983] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9a728810, ftCreationTime.dwHighDateTime=0x1d829bb, ftLastAccessTime.dwLowDateTime=0xaf4ec470, ftLastAccessTime.dwHighDateTime=0x1d82a1e, ftLastWriteTime.dwLowDateTime=0xaf4ec470, ftLastWriteTime.dwHighDateTime=0x1d82a1e, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0291.984] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0291.984] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9a728810, ftCreationTime.dwHighDateTime=0x1d829bb, ftLastAccessTime.dwLowDateTime=0xaf4ec470, ftLastAccessTime.dwHighDateTime=0x1d82a1e, ftLastWriteTime.dwLowDateTime=0xaf4ec470, ftLastWriteTime.dwHighDateTime=0x1d82a1e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbf00f8 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9a728810, ftCreationTime.dwHighDateTime=0x1d829bb, ftLastAccessTime.dwLowDateTime=0xaf4ec470, ftLastAccessTime.dwHighDateTime=0x1d82a1e, ftLastWriteTime.dwLowDateTime=0xaf4ec470, ftLastWriteTime.dwHighDateTime=0x1d82a1e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18cca520, ftCreationTime.dwHighDateTime=0x1d82763, ftLastAccessTime.dwLowDateTime=0x991cc3c0, ftLastAccessTime.dwHighDateTime=0x1d82855, ftLastWriteTime.dwLowDateTime=0x991cc3c0, ftLastWriteTime.dwHighDateTime=0x1d82855, nFileSizeHigh=0x0, nFileSizeLow=0xd1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="-g- qLHI3w.ods", cAlternateFileName="-G-QLH~1.ODS")) returned 1 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x283188b0, ftCreationTime.dwHighDateTime=0x1d81b78, ftLastAccessTime.dwLowDateTime=0x330654f0, ftLastAccessTime.dwHighDateTime=0x1d81d03, ftLastWriteTime.dwLowDateTime=0x330654f0, ftLastWriteTime.dwHighDateTime=0x1d81d03, nFileSizeHigh=0x0, nFileSizeLow=0xda0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="7mgyJC0.odt", cAlternateFileName="")) returned 1 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323952d0, ftCreationTime.dwHighDateTime=0x1d82789, ftLastAccessTime.dwLowDateTime=0x1a487d60, ftLastAccessTime.dwHighDateTime=0x1d8282c, ftLastWriteTime.dwLowDateTime=0x1a487d60, ftLastWriteTime.dwHighDateTime=0x1d8282c, nFileSizeHigh=0x0, nFileSizeLow=0x3dac, dwReserved0=0x0, dwReserved1=0x0, cFileName="7nb tvb_aDkc8zEbM.xls", cAlternateFileName="7NBTVB~1.XLS")) returned 1 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4551ca0, ftCreationTime.dwHighDateTime=0x1d828bc, ftLastAccessTime.dwLowDateTime=0x11502150, ftLastAccessTime.dwHighDateTime=0x1d82a1a, ftLastWriteTime.dwLowDateTime=0x11502150, ftLastWriteTime.dwHighDateTime=0x1d82a1a, nFileSizeHigh=0x0, nFileSizeLow=0xe856, dwReserved0=0x0, dwReserved1=0x0, cFileName="JwJgGeNfbdjzzfKk.odp", cAlternateFileName="JWJGGE~1.ODP")) returned 1 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bf830e0, ftCreationTime.dwHighDateTime=0x1d822ce, ftLastAccessTime.dwLowDateTime=0x7075ff10, ftLastAccessTime.dwHighDateTime=0x1d82650, ftLastWriteTime.dwLowDateTime=0x7075ff10, ftLastWriteTime.dwHighDateTime=0x1d82650, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mW58l4NizJ", cAlternateFileName="MW58L4~1")) returned 1 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d2f2220, ftCreationTime.dwHighDateTime=0x1d82216, ftLastAccessTime.dwLowDateTime=0xc0810080, ftLastAccessTime.dwHighDateTime=0x1d8252f, ftLastWriteTime.dwLowDateTime=0xc0810080, ftLastWriteTime.dwHighDateTime=0x1d8252f, nFileSizeHigh=0x0, nFileSizeLow=0x1e5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="vbIjF6X8GPawTrv.doc", cAlternateFileName="VBIJF6~1.DOC")) returned 1 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ef17480, ftCreationTime.dwHighDateTime=0x1d81fb8, ftLastAccessTime.dwLowDateTime=0x72f0ffc0, ftLastAccessTime.dwHighDateTime=0x1d82032, ftLastWriteTime.dwLowDateTime=0x72f0ffc0, ftLastWriteTime.dwHighDateTime=0x1d82032, nFileSizeHigh=0x0, nFileSizeLow=0x104c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="VhGbFhvbri9alcaNeITl.ots", cAlternateFileName="VHGBFH~1.OTS")) returned 1 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ad03220, ftCreationTime.dwHighDateTime=0x1d81c1e, ftLastAccessTime.dwLowDateTime=0xdfa830b0, ftLastAccessTime.dwHighDateTime=0x1d8206f, ftLastWriteTime.dwLowDateTime=0xdfa830b0, ftLastWriteTime.dwHighDateTime=0x1d8206f, nFileSizeHigh=0x0, nFileSizeLow=0xef11, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSK0g_Xxq B8pyfX.pptx", cAlternateFileName="VSK0G_~1.PPT")) returned 1 [0291.984] FindNextFileW (in: hFindFile=0xbf00f8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0291.984] FindClose (in: hFindFile=0xbf00f8 | out: hFindFile=0xbf00f8) returned 1 [0291.985] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0291.985] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0291.985] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0292.136] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0292.136] WriteFile (in: hFile=0x468, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0292.138] CloseHandle (hObject=0x468) returned 1 [0292.138] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\-g- qLHI3w.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\-g- qlhi3w.ods"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18cca520, ftCreationTime.dwHighDateTime=0x1d82763, ftLastAccessTime.dwLowDateTime=0x991cc3c0, ftLastAccessTime.dwHighDateTime=0x1d82855, ftLastWriteTime.dwLowDateTime=0x991cc3c0, ftLastWriteTime.dwHighDateTime=0x1d82855, nFileSizeHigh=0x0, nFileSizeLow=0xd1d7)) returned 1 [0292.138] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7mgyJC0.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7mgyjc0.odt"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x283188b0, ftCreationTime.dwHighDateTime=0x1d81b78, ftLastAccessTime.dwLowDateTime=0x330654f0, ftLastAccessTime.dwHighDateTime=0x1d81d03, ftLastWriteTime.dwLowDateTime=0x330654f0, ftLastWriteTime.dwHighDateTime=0x1d81d03, nFileSizeHigh=0x0, nFileSizeLow=0xda0c)) returned 1 [0292.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\-g- qLHI3w.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\-g- qlhi3w.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0292.140] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0292.140] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\-g- qLHI3w.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\-g- qlhi3w.ods"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18cca520, ftCreationTime.dwHighDateTime=0x1d82763, ftLastAccessTime.dwLowDateTime=0x991cc3c0, ftLastAccessTime.dwHighDateTime=0x1d82855, ftLastWriteTime.dwLowDateTime=0x991cc3c0, ftLastWriteTime.dwHighDateTime=0x1d82855, nFileSizeHigh=0x0, nFileSizeLow=0xd1d7)) returned 1 [0292.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac62c0 | out: pbBuffer=0x12ac62c0) returned 1 [0292.140] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810c70 | out: pbBuffer=0x12810c70) returned 1 [0292.140] ReadFile (in: hFile=0x468, lpBuffer=0x12de4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12de4000*, lpNumberOfBytesRead=0x12a2fd1c*=0xd1d7, lpOverlapped=0x0) returned 1 [0292.142] GetFileType (hFile=0x468) returned 0x1 [0292.142] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0292.142] WriteFile (in: hFile=0x468, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0xd1d7, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12a2fd00*=0xd1d7, lpOverlapped=0x12a2fd0c) returned 1 [0292.143] GetFileType (hFile=0x468) returned 0x1 [0292.143] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xd1d7, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0292.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0292.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0292.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800b81 | out: pbBuffer=0x12800b81) returned 1 [0292.143] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810d28 | out: pbBuffer=0x12810d28) returned 1 [0292.143] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\-g- qLHI3w.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\-g- qlhi3w.ods"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0292.143] GetConsoleMode (in: hConsoleHandle=0x46c, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0292.143] WriteFile (in: hFile=0x46c, lpBuffer=0x12a44500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a44500*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0292.144] CloseHandle (hObject=0x46c) returned 1 [0292.144] CloseHandle (hObject=0x468) returned 1 [0292.144] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810d40 | out: pbBuffer=0x12810d40) returned 1 [0292.145] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\-g- qLHI3w.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\-g- qlhi3w.ods"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\#_THIS_FILE_IS_ENCRYPTED_[3F291FDE8F5C8D24]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\#_this_file_is_encrypted_[3f291fde8f5c8d24]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0292.754] SwitchToThread () returned 1 [0292.804] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7nb tvb_aDkc8zEbM.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7nb tvb_adkc8zebm.xls"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323952d0, ftCreationTime.dwHighDateTime=0x1d82789, ftLastAccessTime.dwLowDateTime=0x1a487d60, ftLastAccessTime.dwHighDateTime=0x1d8282c, ftLastWriteTime.dwLowDateTime=0x1a487d60, ftLastWriteTime.dwHighDateTime=0x1d8282c, nFileSizeHigh=0x0, nFileSizeLow=0x3dac)) returned 1 [0292.804] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\JwJgGeNfbdjzzfKk.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\jwjggenfbdjzzfkk.odp"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4551ca0, ftCreationTime.dwHighDateTime=0x1d828bc, ftLastAccessTime.dwLowDateTime=0x11502150, ftLastAccessTime.dwHighDateTime=0x1d82a1a, ftLastWriteTime.dwLowDateTime=0x11502150, ftLastWriteTime.dwHighDateTime=0x1d82a1a, nFileSizeHigh=0x0, nFileSizeLow=0xe856)) returned 1 [0292.805] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7nb tvb_aDkc8zEbM.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7nb tvb_adkc8zebm.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0292.806] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0292.806] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7nb tvb_aDkc8zEbM.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7nb tvb_adkc8zebm.xls"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323952d0, ftCreationTime.dwHighDateTime=0x1d82789, ftLastAccessTime.dwLowDateTime=0x1a487d60, ftLastAccessTime.dwHighDateTime=0x1d8282c, ftLastWriteTime.dwLowDateTime=0x1a487d60, ftLastWriteTime.dwHighDateTime=0x1d8282c, nFileSizeHigh=0x0, nFileSizeLow=0x3dac)) returned 1 [0292.807] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280f100 | out: pbBuffer=0x1280f100) returned 1 [0292.807] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848ad0 | out: pbBuffer=0x12848ad0) returned 1 [0292.807] ReadFile (in: hFile=0x44c, lpBuffer=0x12e04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e04000*, lpNumberOfBytesRead=0x12a2fd1c*=0x3dac, lpOverlapped=0x0) returned 1 [0292.809] GetFileType (hFile=0x44c) returned 0x1 [0292.810] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0292.810] WriteFile (in: hFile=0x44c, lpBuffer=0x12c30000*, nNumberOfBytesToWrite=0x3dac, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12c30000*, lpNumberOfBytesWritten=0x12a2fd00*=0x3dac, lpOverlapped=0x12a2fd0c) returned 1 [0292.810] GetFileType (hFile=0x44c) returned 0x1 [0292.810] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x3dac, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0292.810] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0292.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0292.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834501 | out: pbBuffer=0x12834501) returned 1 [0292.811] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848b98 | out: pbBuffer=0x12848b98) returned 1 [0292.811] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7nb tvb_aDkc8zEbM.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7nb tvb_adkc8zebm.xls"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0292.812] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0292.812] WriteFile (in: hFile=0x470, lpBuffer=0x12a32000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a32000*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0292.812] CloseHandle (hObject=0x470) returned 1 [0292.813] CloseHandle (hObject=0x44c) returned 1 [0292.813] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848bc0 | out: pbBuffer=0x12848bc0) returned 1 [0292.813] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\7nb tvb_aDkc8zEbM.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\7nb tvb_adkc8zebm.xls"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\#_THIS_FILE_IS_ENCRYPTED_[E31A3E70CE098BAE]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\#_this_file_is_encrypted_[e31a3e70ce098bae]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.109] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.136] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.138] SetEvent (hEvent=0x1b8) returned 1 [0293.138] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.143] SetEvent (hEvent=0x1b8) returned 1 [0293.143] SetEvent (hEvent=0x420) returned 1 [0293.143] SwitchToThread () returned 1 [0293.145] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.198] SetEvent (hEvent=0x420) returned 1 [0293.198] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\46zHym0WJ.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\46zhym0wj.odt"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45e22bd0, ftCreationTime.dwHighDateTime=0x1d82519, ftLastAccessTime.dwLowDateTime=0x68a691a0, ftLastAccessTime.dwHighDateTime=0x1d825d8, ftLastWriteTime.dwLowDateTime=0x68a691a0, ftLastWriteTime.dwHighDateTime=0x1d825d8, nFileSizeHigh=0x0, nFileSizeLow=0xb25b)) returned 1 [0293.199] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.218] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.232] SetEvent (hEvent=0x420) returned 1 [0293.232] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\Qx26De31QiS.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\qx26de31qis.rtf"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaabee60, ftCreationTime.dwHighDateTime=0x1d8274d, ftLastAccessTime.dwLowDateTime=0x40e998d0, ftLastAccessTime.dwHighDateTime=0x1d82946, ftLastWriteTime.dwLowDateTime=0x40e998d0, ftLastWriteTime.dwHighDateTime=0x1d82946, nFileSizeHigh=0x0, nFileSizeLow=0x11e51)) returned 1 [0293.232] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.246] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.274] SetEvent (hEvent=0x420) returned 1 [0293.274] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\vbIjF6X8GPawTrv.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vbijf6x8gpawtrv.doc"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d2f2220, ftCreationTime.dwHighDateTime=0x1d82216, ftLastAccessTime.dwLowDateTime=0xc0810080, ftLastAccessTime.dwHighDateTime=0x1d8252f, ftLastWriteTime.dwLowDateTime=0xc0810080, ftLastWriteTime.dwHighDateTime=0x1d8252f, nFileSizeHigh=0x0, nFileSizeLow=0x1e5e)) returned 1 [0293.274] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.403] SwitchToThread () returned 1 [0293.446] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.525] SetEvent (hEvent=0x454) returned 1 [0293.525] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.535] SetEvent (hEvent=0x454) returned 1 [0293.535] SetEvent (hEvent=0xf4) returned 1 [0293.535] SetEvent (hEvent=0x1d0) returned 1 [0293.535] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.541] SwitchToThread () returned 1 [0293.578] SwitchToThread () returned 1 [0293.581] SetEvent (hEvent=0x454) returned 1 [0293.581] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.585] SetEvent (hEvent=0x454) returned 1 [0293.585] SetEvent (hEvent=0x1d0) returned 1 [0293.585] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fxKjYnPBbwwwVQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fxkjynpbbwwwvq.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.587] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0293.587] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fxKjYnPBbwwwVQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fxkjynpbbwwwvq.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84bb0450, ftCreationTime.dwHighDateTime=0x1d817e8, ftLastAccessTime.dwLowDateTime=0x6a574b90, ftLastAccessTime.dwHighDateTime=0x1d824eb, ftLastWriteTime.dwLowDateTime=0x6a574b90, ftLastWriteTime.dwHighDateTime=0x1d824eb, nFileSizeHigh=0x0, nFileSizeLow=0x8631)) returned 1 [0293.587] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844000 | out: pbBuffer=0x12844000) returned 1 [0293.587] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0293.587] ReadFile (in: hFile=0x45c, lpBuffer=0x128ee000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x128ee000*, lpNumberOfBytesRead=0x12a31d1c*=0x8631, lpOverlapped=0x0) returned 1 [0293.589] GetFileType (hFile=0x45c) returned 0x1 [0293.589] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.589] WriteFile (in: hFile=0x45c, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x8631, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12a31d00*=0x8631, lpOverlapped=0x12a31d0c) returned 1 [0293.590] GetFileType (hFile=0x45c) returned 0x1 [0293.590] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x8631, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.590] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0293.590] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0293.590] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0293.591] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0293.591] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fxKjYnPBbwwwVQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fxkjynpbbwwwvq.pptx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.591] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0293.591] WriteFile (in: hFile=0x464, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.591] CloseHandle (hObject=0x464) returned 1 [0293.593] CloseHandle (hObject=0x45c) returned 1 [0293.593] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0293.593] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fxKjYnPBbwwwVQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fxkjynpbbwwwvq.pptx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[7BCCCC9D2A887A10]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[7bcccc9d2a887a10]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.642] SetEvent (hEvent=0x110) returned 1 [0293.643] SetEvent (hEvent=0xf4) returned 1 [0293.643] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zfK8pBoO-F9HXS4.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfk8pboo-f9hxs4.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.644] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0293.644] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zfK8pBoO-F9HXS4.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfk8pboo-f9hxs4.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12a31ad0 | out: lpFileInformation=0x12a31ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63829830, ftCreationTime.dwHighDateTime=0x1d7f618, ftLastAccessTime.dwLowDateTime=0x62c620e0, ftLastAccessTime.dwHighDateTime=0x1d808ee, ftLastWriteTime.dwLowDateTime=0x62c620e0, ftLastWriteTime.dwHighDateTime=0x1d808ee, nFileSizeHigh=0x0, nFileSizeLow=0x6e92)) returned 1 [0293.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e440 | out: pbBuffer=0x1280e440) returned 1 [0293.644] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a140 | out: pbBuffer=0x12a9a140) returned 1 [0293.644] ReadFile (in: hFile=0x45c, lpBuffer=0x12df8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a31d1c, lpOverlapped=0x0 | out: lpBuffer=0x12df8000*, lpNumberOfBytesRead=0x12a31d1c*=0x6e92, lpOverlapped=0x0) returned 1 [0293.646] GetFileType (hFile=0x45c) returned 0x1 [0293.646] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.646] WriteFile (in: hFile=0x45c, lpBuffer=0x12a1c000*, nNumberOfBytesToWrite=0x6e92, lpNumberOfBytesWritten=0x12a31d00, lpOverlapped=0x12a31d0c | out: lpBuffer=0x12a1c000*, lpNumberOfBytesWritten=0x12a31d00*=0x6e92, lpOverlapped=0x12a31d0c) returned 1 [0293.646] GetFileType (hFile=0x45c) returned 0x1 [0293.646] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x6e92, lpNewFilePointer=0x0, dwMoveMethod=0x12a31ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.646] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0293.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0293.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0293.647] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a228 | out: pbBuffer=0x12a9a228) returned 1 [0293.647] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zfK8pBoO-F9HXS4.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfk8pboo-f9hxs4.pptx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.648] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a31d0c | out: lpMode=0x12a31d0c) returned 0 [0293.648] WriteFile (in: hFile=0x470, lpBuffer=0x12ac2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a31d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2500*, lpNumberOfBytesWritten=0x12a31d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.648] CloseHandle (hObject=0x470) returned 1 [0293.658] CloseHandle (hObject=0x45c) returned 1 [0293.661] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a240 | out: pbBuffer=0x12a9a240) returned 1 [0293.661] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zfK8pBoO-F9HXS4.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfk8pboo-f9hxs4.pptx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[6BAA83AEB46C4F34]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[6baa83aeb46c4f34]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.749] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.883] SetEvent (hEvent=0xf4) returned 1 [0293.883] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.884] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.884] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192)) returned 1 [0293.885] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280eb20 | out: pbBuffer=0x1280eb20) returned 1 [0293.885] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a470 | out: pbBuffer=0x12a9a470) returned 1 [0293.885] ReadFile (in: hFile=0x468, lpBuffer=0x12b9e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b9e000*, lpNumberOfBytesRead=0x12853d1c*=0x192, lpOverlapped=0x0) returned 1 [0293.886] GetFileType (hFile=0x468) returned 0x1 [0293.886] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.886] WriteFile (in: hFile=0x468, lpBuffer=0x12ad8820*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12ad8820*, lpNumberOfBytesWritten=0x12853d00*=0x192, lpOverlapped=0x12853d0c) returned 1 [0293.887] GetFileType (hFile=0x468) returned 0x1 [0293.887] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x192, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf01 | out: pbBuffer=0x12afcf01) returned 1 [0293.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd001 | out: pbBuffer=0x12afd001) returned 1 [0293.887] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd101 | out: pbBuffer=0x12afd101) returned 1 [0293.902] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a588 | out: pbBuffer=0x12a9a588) returned 1 [0293.902] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.903] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.903] WriteFile (in: hFile=0x464, lpBuffer=0x12ac3400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac3400*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.938] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.964] CloseHandle (hObject=0x464) returned 1 [0293.966] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0293.974] SetEvent (hEvent=0x454) returned 1 [0293.974] CloseHandle (hObject=0x468) returned 1 [0293.976] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0293.976] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\#_THIS_FILE_IS_ENCRYPTED_[D2A48D1D234A7BE6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\#_this_file_is_encrypted_[d2a48d1d234a7be6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.133] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.225] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\M7OcQ_xS53l_hYT3Q.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\m7ocq_xs53l_hyt3q.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.225] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0294.226] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\M7OcQ_xS53l_hYT3Q.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\m7ocq_xs53l_hyt3q.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf5e41a0, ftCreationTime.dwHighDateTime=0x1d82636, ftLastAccessTime.dwLowDateTime=0xb7008f0, ftLastAccessTime.dwHighDateTime=0x1d8296f, ftLastWriteTime.dwLowDateTime=0xb7008f0, ftLastWriteTime.dwHighDateTime=0x1d8296f, nFileSizeHigh=0x0, nFileSizeLow=0x1195d)) returned 1 [0294.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0294.226] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0294.226] ReadFile (in: hFile=0x470, lpBuffer=0x12dd8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12dd8000*, lpNumberOfBytesRead=0x12851d1c*=0x1195d, lpOverlapped=0x0) returned 1 [0294.228] GetFileType (hFile=0x470) returned 0x1 [0294.228] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.229] WriteFile (in: hFile=0x470, lpBuffer=0x12e18000*, nNumberOfBytesToWrite=0x1195d, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12e18000*, lpNumberOfBytesWritten=0x12851d00*=0x1195d, lpOverlapped=0x12851d0c) returned 1 [0294.229] GetFileType (hFile=0x470) returned 0x1 [0294.229] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x1195d, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.229] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0294.229] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0294.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834401 | out: pbBuffer=0x12834401) returned 1 [0294.230] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0294.230] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\M7OcQ_xS53l_hYT3Q.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\m7ocq_xs53l_hyt3q.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.230] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0294.230] WriteFile (in: hFile=0x44c, lpBuffer=0x128aea00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x128aea00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.230] CloseHandle (hObject=0x44c) returned 1 [0294.231] CloseHandle (hObject=0x470) returned 1 [0294.231] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810108 | out: pbBuffer=0x12810108) returned 1 [0294.231] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\M7OcQ_xS53l_hYT3Q.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\m7ocq_xs53l_hyt3q.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\#_THIS_FILE_IS_ENCRYPTED_[518D883236A5EBC5]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\#_this_file_is_encrypted_[518d883236a5ebc5]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.232] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\hNADd WlkRZXly9vVPc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\hnadd wlkrzxly9vvpc.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.233] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.233] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\hNADd WlkRZXly9vVPc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\hnadd wlkrzxly9vvpc.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97815a70, ftCreationTime.dwHighDateTime=0x1d823fb, ftLastAccessTime.dwLowDateTime=0xa5df5bb0, ftLastAccessTime.dwHighDateTime=0x1d8292f, ftLastWriteTime.dwLowDateTime=0xa5df5bb0, ftLastWriteTime.dwHighDateTime=0x1d8292f, nFileSizeHigh=0x0, nFileSizeLow=0x143e6)) returned 1 [0294.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e400 | out: pbBuffer=0x1280e400) returned 1 [0294.233] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810160 | out: pbBuffer=0x12810160) returned 1 [0294.233] ReadFile (in: hFile=0x470, lpBuffer=0x12e2a000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e2a000*, lpNumberOfBytesRead=0x12a2bd1c*=0x143e6, lpOverlapped=0x0) returned 1 [0294.236] GetFileType (hFile=0x470) returned 0x1 [0294.236] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.237] WriteFile (in: hFile=0x470, lpBuffer=0x12956000*, nNumberOfBytesToWrite=0x143e6, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12956000*, lpNumberOfBytesWritten=0x12a2bd00*=0x143e6, lpOverlapped=0x12a2bd0c) returned 1 [0294.237] GetFileType (hFile=0x470) returned 0x1 [0294.237] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x143e6, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834681 | out: pbBuffer=0x12834681) returned 1 [0294.237] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834781 | out: pbBuffer=0x12834781) returned 1 [0294.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834881 | out: pbBuffer=0x12834881) returned 1 [0294.238] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810218 | out: pbBuffer=0x12810218) returned 1 [0294.238] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\hNADd WlkRZXly9vVPc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\hnadd wlkrzxly9vvpc.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.238] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.238] WriteFile (in: hFile=0x44c, lpBuffer=0x128aef00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x128aef00*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.238] CloseHandle (hObject=0x44c) returned 1 [0294.239] CloseHandle (hObject=0x470) returned 1 [0294.239] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810230 | out: pbBuffer=0x12810230) returned 1 [0294.239] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\hNADd WlkRZXly9vVPc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\hnadd wlkrzxly9vvpc.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\#_THIS_FILE_IS_ENCRYPTED_[2C2B9B39D24618B1]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\#_this_file_is_encrypted_[2c2b9b39d24618b1]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.240] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.351] SetEvent (hEvent=0xf4) returned 1 [0294.351] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.362] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\jBuxsRgKfwyyGq2T\\ssRbLKtGO.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\jbuxsrgkfwyygq2t\\ssrblktgo.mp3"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb535960, ftCreationTime.dwHighDateTime=0x1d82415, ftLastAccessTime.dwLowDateTime=0xd65839c0, ftLastAccessTime.dwHighDateTime=0x1d82776, ftLastWriteTime.dwLowDateTime=0xd65839c0, ftLastWriteTime.dwHighDateTime=0x1d82776, nFileSizeHigh=0x0, nFileSizeLow=0xcbef)) returned 1 [0294.362] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb2214fd0, ftCreationTime.dwHighDateTime=0x1d821e3, ftLastAccessTime.dwLowDateTime=0xb1f92420, ftLastAccessTime.dwHighDateTime=0x1d827d2, ftLastWriteTime.dwLowDateTime=0xb1f92420, ftLastWriteTime.dwHighDateTime=0x1d827d2, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.362] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.362] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb2214fd0, ftCreationTime.dwHighDateTime=0x1d821e3, ftLastAccessTime.dwLowDateTime=0xb1f92420, ftLastAccessTime.dwHighDateTime=0x1d827d2, ftLastWriteTime.dwLowDateTime=0xb1f92420, ftLastWriteTime.dwHighDateTime=0x1d827d2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefef8 [0294.362] FindNextFileW (in: hFindFile=0xbefef8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb2214fd0, ftCreationTime.dwHighDateTime=0x1d821e3, ftLastAccessTime.dwLowDateTime=0xb1f92420, ftLastAccessTime.dwHighDateTime=0x1d827d2, ftLastWriteTime.dwLowDateTime=0xb1f92420, ftLastWriteTime.dwHighDateTime=0x1d827d2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.362] FindNextFileW (in: hFindFile=0xbefef8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25d77250, ftCreationTime.dwHighDateTime=0x1d8245b, ftLastAccessTime.dwLowDateTime=0xa52b80e0, ftLastAccessTime.dwHighDateTime=0x1d827c2, ftLastWriteTime.dwLowDateTime=0xa52b80e0, ftLastWriteTime.dwHighDateTime=0x1d827c2, nFileSizeHigh=0x0, nFileSizeLow=0x4692, dwReserved0=0x0, dwReserved1=0x0, cFileName="gQqe7Q.wav", cAlternateFileName="")) returned 1 [0294.363] FindNextFileW (in: hFindFile=0xbefef8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x795b8900, ftCreationTime.dwHighDateTime=0x1d82089, ftLastAccessTime.dwLowDateTime=0x4903a5e0, ftLastAccessTime.dwHighDateTime=0x1d82191, ftLastWriteTime.dwLowDateTime=0x4903a5e0, ftLastWriteTime.dwHighDateTime=0x1d82191, nFileSizeHigh=0x0, nFileSizeLow=0xb614, dwReserved0=0x0, dwReserved1=0x0, cFileName="W6 amBkm3SlAau_Nl.mp3", cAlternateFileName="W6AMBK~1.MP3")) returned 1 [0294.363] FindNextFileW (in: hFindFile=0xbefef8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfabc0890, ftCreationTime.dwHighDateTime=0x1d82691, ftLastAccessTime.dwLowDateTime=0xc9a1dd80, ftLastAccessTime.dwHighDateTime=0x1d827b2, ftLastWriteTime.dwLowDateTime=0xc9a1dd80, ftLastWriteTime.dwHighDateTime=0x1d827b2, nFileSizeHigh=0x0, nFileSizeLow=0x12546, dwReserved0=0x0, dwReserved1=0x0, cFileName="Xk3PPQU-esQvvpXXOrW.mp3", cAlternateFileName="XK3PPQ~1.MP3")) returned 1 [0294.363] FindNextFileW (in: hFindFile=0xbefef8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.363] FindClose (in: hFindFile=0xbefef8 | out: hFindFile=0xbefef8) returned 1 [0294.363] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.363] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.363] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.365] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0294.365] WriteFile (in: hFile=0x470, lpBuffer=0x1287b900*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x1287b900*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0294.372] CloseHandle (hObject=0x470) returned 1 [0294.373] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\W6 amBkm3SlAau_Nl.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\w6 ambkm3slaau_nl.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x795b8900, ftCreationTime.dwHighDateTime=0x1d82089, ftLastAccessTime.dwLowDateTime=0x4903a5e0, ftLastAccessTime.dwHighDateTime=0x1d82191, ftLastWriteTime.dwLowDateTime=0x4903a5e0, ftLastWriteTime.dwHighDateTime=0x1d82191, nFileSizeHigh=0x0, nFileSizeLow=0xb614)) returned 1 [0294.373] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\Xk3PPQU-esQvvpXXOrW.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\xk3ppqu-esqvvpxxorw.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfabc0890, ftCreationTime.dwHighDateTime=0x1d82691, ftLastAccessTime.dwLowDateTime=0xc9a1dd80, ftLastAccessTime.dwHighDateTime=0x1d827b2, ftLastWriteTime.dwLowDateTime=0xc9a1dd80, ftLastWriteTime.dwHighDateTime=0x1d827b2, nFileSizeHigh=0x0, nFileSizeLow=0x12546)) returned 1 [0294.373] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\W6 amBkm3SlAau_Nl.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\w6 ambkm3slaau_nl.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.375] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.375] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\W6 amBkm3SlAau_Nl.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\w6 ambkm3slaau_nl.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x795b8900, ftCreationTime.dwHighDateTime=0x1d82089, ftLastAccessTime.dwLowDateTime=0x4903a5e0, ftLastAccessTime.dwHighDateTime=0x1d82191, ftLastWriteTime.dwLowDateTime=0x4903a5e0, ftLastWriteTime.dwHighDateTime=0x1d82191, nFileSizeHigh=0x0, nFileSizeLow=0xb614)) returned 1 [0294.375] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128447a0 | out: pbBuffer=0x128447a0) returned 1 [0294.375] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9aca0 | out: pbBuffer=0x12a9aca0) returned 1 [0294.376] ReadFile (in: hFile=0x470, lpBuffer=0x12d3c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d3c000*, lpNumberOfBytesRead=0x12a2bd1c*=0xb614, lpOverlapped=0x0) returned 1 [0294.378] GetFileType (hFile=0x470) returned 0x1 [0294.378] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.378] WriteFile (in: hFile=0x470, lpBuffer=0x12e3a000*, nNumberOfBytesToWrite=0xb614, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12e3a000*, lpNumberOfBytesWritten=0x12a2bd00*=0xb614, lpOverlapped=0x12a2bd0c) returned 1 [0294.378] GetFileType (hFile=0x470) returned 0x1 [0294.378] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xb614, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.379] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801601 | out: pbBuffer=0x12801601) returned 1 [0294.379] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801701 | out: pbBuffer=0x12801701) returned 1 [0294.379] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801801 | out: pbBuffer=0x12801801) returned 1 [0294.379] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9ade8 | out: pbBuffer=0x12a9ade8) returned 1 [0294.379] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\W6 amBkm3SlAau_Nl.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\w6 ambkm3slaau_nl.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.380] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.380] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac3400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac3400*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.380] CloseHandle (hObject=0x44c) returned 1 [0294.380] CloseHandle (hObject=0x470) returned 1 [0294.380] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae20 | out: pbBuffer=0x12a9ae20) returned 1 [0294.380] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\W6 amBkm3SlAau_Nl.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\w6 ambkm3slaau_nl.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\#_THIS_FILE_IS_ENCRYPTED_[933AD2B06E6C0815]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\#_this_file_is_encrypted_[933ad2b06e6c0815]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.382] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\Xk3PPQU-esQvvpXXOrW.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\xk3ppqu-esqvvpxxorw.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.383] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.383] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\Xk3PPQU-esQvvpXXOrW.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\xk3ppqu-esqvvpxxorw.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfabc0890, ftCreationTime.dwHighDateTime=0x1d82691, ftLastAccessTime.dwLowDateTime=0xc9a1dd80, ftLastAccessTime.dwHighDateTime=0x1d827b2, ftLastWriteTime.dwLowDateTime=0xc9a1dd80, ftLastWriteTime.dwHighDateTime=0x1d827b2, nFileSizeHigh=0x0, nFileSizeLow=0x12546)) returned 1 [0294.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844fe0 | out: pbBuffer=0x12844fe0) returned 1 [0294.383] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9ae98 | out: pbBuffer=0x12a9ae98) returned 1 [0294.384] ReadFile (in: hFile=0x470, lpBuffer=0x12d7c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12d7c000*, lpNumberOfBytesRead=0x12a2bd1c*=0x12546, lpOverlapped=0x0) returned 1 [0294.386] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\gQqe7Q.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\gqqe7q.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25d77250, ftCreationTime.dwHighDateTime=0x1d8245b, ftLastAccessTime.dwLowDateTime=0xa52b80e0, ftLastAccessTime.dwHighDateTime=0x1d827c2, ftLastWriteTime.dwLowDateTime=0xa52b80e0, ftLastWriteTime.dwHighDateTime=0x1d827c2, nFileSizeHigh=0x0, nFileSizeLow=0x4692)) returned 1 [0294.386] SetEvent (hEvent=0x1d0) returned 1 [0294.386] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.390] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.457] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.479] SetEvent (hEvent=0x1d0) returned 1 [0294.479] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\39xGW5hX3fvQs.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\39xgw5hx3fvqs.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.481] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.481] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\39xGW5hX3fvQs.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\39xgw5hx3fvqs.gif"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa26fad40, ftCreationTime.dwHighDateTime=0x1d82114, ftLastAccessTime.dwLowDateTime=0x466b910, ftLastAccessTime.dwHighDateTime=0x1d827e3, ftLastWriteTime.dwLowDateTime=0x466b910, ftLastWriteTime.dwHighDateTime=0x1d827e3, nFileSizeHigh=0x0, nFileSizeLow=0x486d)) returned 1 [0294.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e200 | out: pbBuffer=0x1280e200) returned 1 [0294.481] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8008 | out: pbBuffer=0x128e8008) returned 1 [0294.481] ReadFile (in: hFile=0x464, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a2fd1c*=0x486d, lpOverlapped=0x0) returned 1 [0294.483] GetFileType (hFile=0x464) returned 0x1 [0294.483] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.483] WriteFile (in: hFile=0x464, lpBuffer=0x12902000*, nNumberOfBytesToWrite=0x486d, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12902000*, lpNumberOfBytesWritten=0x12a2fd00*=0x486d, lpOverlapped=0x12a2fd0c) returned 1 [0294.483] GetFileType (hFile=0x464) returned 0x1 [0294.483] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x486d, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.484] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0294.484] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0294.484] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0294.484] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e80c0 | out: pbBuffer=0x128e80c0) returned 1 [0294.484] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\39xGW5hX3fvQs.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\39xgw5hx3fvqs.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.484] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.485] WriteFile (in: hFile=0x474, lpBuffer=0x12aee000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee000*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.485] CloseHandle (hObject=0x474) returned 1 [0294.485] CloseHandle (hObject=0x464) returned 1 [0294.485] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e80d8 | out: pbBuffer=0x128e80d8) returned 1 [0294.485] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\39xGW5hX3fvQs.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\39xgw5hx3fvqs.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[6CD5B2D9623343C6]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[6cd5b2d9623343c6]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.487] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\GYc97IQh_mQirpr2.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gyc97iqh_mqirpr2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.488] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.488] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\GYc97IQh_mQirpr2.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gyc97iqh_mqirpr2.png"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x451b40f0, ftCreationTime.dwHighDateTime=0x1d821b9, ftLastAccessTime.dwLowDateTime=0x5edc99d0, ftLastAccessTime.dwHighDateTime=0x1d825ba, ftLastWriteTime.dwLowDateTime=0x5edc99d0, ftLastWriteTime.dwHighDateTime=0x1d825ba, nFileSizeHigh=0x0, nFileSizeLow=0x15897)) returned 1 [0294.488] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e6e0 | out: pbBuffer=0x1280e6e0) returned 1 [0294.488] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8120 | out: pbBuffer=0x128e8120) returned 1 [0294.488] ReadFile (in: hFile=0x464, lpBuffer=0x12e04000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e04000*, lpNumberOfBytesRead=0x12a2fd1c*=0x15897, lpOverlapped=0x0) returned 1 [0294.491] GetFileType (hFile=0x464) returned 0x1 [0294.491] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.491] WriteFile (in: hFile=0x464, lpBuffer=0x12e24000*, nNumberOfBytesToWrite=0x15897, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12e24000*, lpNumberOfBytesWritten=0x12a2fd00*=0x15897, lpOverlapped=0x12a2fd0c) returned 1 [0294.492] GetFileType (hFile=0x464) returned 0x1 [0294.492] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x15897, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.492] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc901 | out: pbBuffer=0x12afc901) returned 1 [0294.492] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca01 | out: pbBuffer=0x12afca01) returned 1 [0294.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb01 | out: pbBuffer=0x12afcb01) returned 1 [0294.493] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128e8338 | out: pbBuffer=0x128e8338) returned 1 [0294.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\GYc97IQh_mQirpr2.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gyc97iqh_mqirpr2.png"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.493] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.493] WriteFile (in: hFile=0x474, lpBuffer=0x12aee500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee500*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.493] CloseHandle (hObject=0x474) returned 1 [0294.494] CloseHandle (hObject=0x464) returned 1 [0294.494] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128e8350 | out: pbBuffer=0x128e8350) returned 1 [0294.494] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\GYc97IQh_mQirpr2.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gyc97iqh_mqirpr2.png"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\#_THIS_FILE_IS_ENCRYPTED_[BAB413BC3154B899]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\#_this_file_is_encrypted_[bab413bc3154b899]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.496] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Qc4RhKRglBg__.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\qc4rhkrglbg__.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2150450, ftCreationTime.dwHighDateTime=0x1d82720, ftLastAccessTime.dwLowDateTime=0x13448b0, ftLastAccessTime.dwHighDateTime=0x1d828f2, ftLastWriteTime.dwLowDateTime=0x13448b0, ftLastWriteTime.dwHighDateTime=0x1d828f2, nFileSizeHigh=0x0, nFileSizeLow=0x6ef5)) returned 1 [0294.496] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0294.570] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.575] SetEvent (hEvent=0x420) returned 1 [0294.575] SetEvent (hEvent=0x1b8) returned 1 [0294.575] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.575] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0294.575] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.575] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0294.576] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.576] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0294.576] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.576] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.576] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.608] SetEvent (hEvent=0x110) returned 1 [0294.608] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0294.608] WriteFile (in: hFile=0x470, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0294.610] CloseHandle (hObject=0x470) returned 1 [0294.611] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe)) returned 1 [0294.618] SetEvent (hEvent=0x454) returned 1 [0294.618] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VUqCu1k65i0E.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vuqcu1k65i0e.png"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f52bc70, ftCreationTime.dwHighDateTime=0x1d82930, ftLastAccessTime.dwLowDateTime=0xc6320790, ftLastAccessTime.dwHighDateTime=0x1d829d5, ftLastWriteTime.dwLowDateTime=0xc6320790, ftLastWriteTime.dwHighDateTime=0x1d829d5, nFileSizeHigh=0x0, nFileSizeLow=0x8a13)) returned 1 [0294.619] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7829b410, ftCreationTime.dwHighDateTime=0x1d8221b, ftLastAccessTime.dwLowDateTime=0xeb4cdf30, ftLastAccessTime.dwHighDateTime=0x1d8223e, ftLastWriteTime.dwLowDateTime=0xeb4cdf30, ftLastWriteTime.dwHighDateTime=0x1d8223e, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.619] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.619] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7829b410, ftCreationTime.dwHighDateTime=0x1d8221b, ftLastAccessTime.dwLowDateTime=0xeb4cdf30, ftLastAccessTime.dwHighDateTime=0x1d8223e, ftLastWriteTime.dwLowDateTime=0xeb4cdf30, ftLastWriteTime.dwHighDateTime=0x1d8223e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefab8 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7829b410, ftCreationTime.dwHighDateTime=0x1d8221b, ftLastAccessTime.dwLowDateTime=0xeb4cdf30, ftLastAccessTime.dwHighDateTime=0x1d8223e, ftLastWriteTime.dwLowDateTime=0xeb4cdf30, ftLastWriteTime.dwHighDateTime=0x1d8223e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcc9da30, ftCreationTime.dwHighDateTime=0x1d819bd, ftLastAccessTime.dwLowDateTime=0xd8c67420, ftLastAccessTime.dwHighDateTime=0x1d81a50, ftLastWriteTime.dwLowDateTime=0xd8c67420, ftLastWriteTime.dwHighDateTime=0x1d81a50, nFileSizeHigh=0x0, nFileSizeLow=0x18677, dwReserved0=0x0, dwReserved1=0x0, cFileName="C8Z4l7tj.jpg", cAlternateFileName="")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fd90200, ftCreationTime.dwHighDateTime=0x1d82548, ftLastAccessTime.dwLowDateTime=0x1c2c5660, ftLastAccessTime.dwHighDateTime=0x1d8281d, ftLastWriteTime.dwLowDateTime=0x1c2c5660, ftLastWriteTime.dwHighDateTime=0x1d8281d, nFileSizeHigh=0x0, nFileSizeLow=0x10b54, dwReserved0=0x0, dwReserved1=0x0, cFileName="HKJj WT.gif", cAlternateFileName="HKJJWT~1.GIF")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28090b80, ftCreationTime.dwHighDateTime=0x1d82620, ftLastAccessTime.dwLowDateTime=0x779b5910, ftLastAccessTime.dwHighDateTime=0x1d827f5, ftLastWriteTime.dwLowDateTime=0x779b5910, ftLastWriteTime.dwHighDateTime=0x1d827f5, nFileSizeHigh=0x0, nFileSizeLow=0x182f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="kZ6dxGYg30pcqd Y9si.png", cAlternateFileName="KZ6DXG~1.PNG")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fd62630, ftCreationTime.dwHighDateTime=0x1d82795, ftLastAccessTime.dwLowDateTime=0x32f88860, ftLastAccessTime.dwHighDateTime=0x1d8292f, ftLastWriteTime.dwLowDateTime=0x32f88860, ftLastWriteTime.dwHighDateTime=0x1d8292f, nFileSizeHigh=0x0, nFileSizeLow=0x7d7b, dwReserved0=0x0, dwReserved1=0x0, cFileName="N6VxsMXcA1gYb3h x.jpg", cAlternateFileName="N6VXSM~1.JPG")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19eb5fd0, ftCreationTime.dwHighDateTime=0x1d81f45, ftLastAccessTime.dwLowDateTime=0xcc5e3650, ftLastAccessTime.dwHighDateTime=0x1d823ec, ftLastWriteTime.dwLowDateTime=0xcc5e3650, ftLastWriteTime.dwHighDateTime=0x1d823ec, nFileSizeHigh=0x0, nFileSizeLow=0x18c35, dwReserved0=0x0, dwReserved1=0x0, cFileName="O9fHKNinOZ.png", cAlternateFileName="O9FHKN~1.PNG")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528e8ae0, ftCreationTime.dwHighDateTime=0x1d8299c, ftLastAccessTime.dwLowDateTime=0x63fad660, ftLastAccessTime.dwHighDateTime=0x1d82a16, ftLastWriteTime.dwLowDateTime=0x63fad660, ftLastWriteTime.dwHighDateTime=0x1d82a16, nFileSizeHigh=0x0, nFileSizeLow=0x159ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="tS0NnwW.bmp", cAlternateFileName="")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbeb5c6d0, ftCreationTime.dwHighDateTime=0x1d81f23, ftLastAccessTime.dwLowDateTime=0x276703f0, ftLastAccessTime.dwHighDateTime=0x1d825c4, ftLastWriteTime.dwLowDateTime=0x276703f0, ftLastWriteTime.dwHighDateTime=0x1d825c4, nFileSizeHigh=0x0, nFileSizeLow=0xfb4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="vs8-8O8lmEeelehrIQoQ.png", cAlternateFileName="VS8-8O~1.PNG")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1778ee0, ftCreationTime.dwHighDateTime=0x1d819df, ftLastAccessTime.dwLowDateTime=0xe7631ad0, ftLastAccessTime.dwHighDateTime=0x1d825c0, ftLastWriteTime.dwLowDateTime=0xe7631ad0, ftLastWriteTime.dwHighDateTime=0x1d825c0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="X jZwz7d75-kdunxRmDZ", cAlternateFileName="XJZWZ7~1")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x976377c0, ftCreationTime.dwHighDateTime=0x1d82915, ftLastAccessTime.dwLowDateTime=0xf6164610, ftLastAccessTime.dwHighDateTime=0x1d82935, ftLastWriteTime.dwLowDateTime=0xf6164610, ftLastWriteTime.dwHighDateTime=0x1d82935, nFileSizeHigh=0x0, nFileSizeLow=0xcac8, dwReserved0=0x0, dwReserved1=0x0, cFileName="XxBVq2JXPp_ZGN53uP.jpg", cAlternateFileName="XXBVQ2~1.JPG")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf490c00, ftCreationTime.dwHighDateTime=0x1d8239e, ftLastAccessTime.dwLowDateTime=0x82af18b0, ftLastAccessTime.dwHighDateTime=0x1d82844, ftLastWriteTime.dwLowDateTime=0x82af18b0, ftLastWriteTime.dwHighDateTime=0x1d82844, nFileSizeHigh=0x0, nFileSizeLow=0x71eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yc3hCY.jpg", cAlternateFileName="")) returned 1 [0294.620] FindNextFileW (in: hFindFile=0xbefab8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.621] FindClose (in: hFindFile=0xbefab8 | out: hFindFile=0xbefab8) returned 1 [0294.621] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.642] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0294.642] WriteFile (in: hFile=0x464, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0294.644] CloseHandle (hObject=0x464) returned 1 [0294.644] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\C8Z4l7tj.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\c8z4l7tj.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcc9da30, ftCreationTime.dwHighDateTime=0x1d819bd, ftLastAccessTime.dwLowDateTime=0xd8c67420, ftLastAccessTime.dwHighDateTime=0x1d81a50, ftLastWriteTime.dwLowDateTime=0xd8c67420, ftLastWriteTime.dwHighDateTime=0x1d81a50, nFileSizeHigh=0x0, nFileSizeLow=0x18677)) returned 1 [0294.644] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.672] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.685] SetEvent (hEvent=0x420) returned 1 [0294.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\N6VxsMXcA1gYb3h x.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\n6vxsmxca1gyb3h x.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fd62630, ftCreationTime.dwHighDateTime=0x1d82795, ftLastAccessTime.dwLowDateTime=0x32f88860, ftLastAccessTime.dwHighDateTime=0x1d8292f, ftLastWriteTime.dwLowDateTime=0x32f88860, ftLastWriteTime.dwHighDateTime=0x1d8292f, nFileSizeHigh=0x0, nFileSizeLow=0x7d7b)) returned 1 [0294.685] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.752] SetEvent (hEvent=0x420) returned 1 [0294.752] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1778ee0, ftCreationTime.dwHighDateTime=0x1d819df, ftLastAccessTime.dwLowDateTime=0xe7631ad0, ftLastAccessTime.dwHighDateTime=0x1d825c0, ftLastWriteTime.dwLowDateTime=0xe7631ad0, ftLastWriteTime.dwHighDateTime=0x1d825c0, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.752] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.752] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1778ee0, ftCreationTime.dwHighDateTime=0x1d819df, ftLastAccessTime.dwLowDateTime=0xe7631ad0, ftLastAccessTime.dwHighDateTime=0x1d825c0, ftLastWriteTime.dwLowDateTime=0xe7631ad0, ftLastWriteTime.dwHighDateTime=0x1d825c0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbeffb8 [0294.752] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1778ee0, ftCreationTime.dwHighDateTime=0x1d819df, ftLastAccessTime.dwLowDateTime=0xe7631ad0, ftLastAccessTime.dwHighDateTime=0x1d825c0, ftLastWriteTime.dwLowDateTime=0xe7631ad0, ftLastWriteTime.dwHighDateTime=0x1d825c0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.752] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5d559f0, ftCreationTime.dwHighDateTime=0x1d81fc8, ftLastAccessTime.dwLowDateTime=0x79b53e40, ftLastAccessTime.dwHighDateTime=0x1d826ca, ftLastWriteTime.dwLowDateTime=0x79b53e40, ftLastWriteTime.dwHighDateTime=0x1d826ca, nFileSizeHigh=0x0, nFileSizeLow=0x11d2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRVSGs15zk.bmp", cAlternateFileName="CRVSGS~1.BMP")) returned 1 [0294.752] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b498f0, ftCreationTime.dwHighDateTime=0x1d82766, ftLastAccessTime.dwLowDateTime=0x62c08ff0, ftLastAccessTime.dwHighDateTime=0x1d82819, ftLastWriteTime.dwLowDateTime=0x62c08ff0, ftLastWriteTime.dwHighDateTime=0x1d82819, nFileSizeHigh=0x0, nFileSizeLow=0x4ae1, dwReserved0=0x0, dwReserved1=0x0, cFileName="lM7esgOy36--LKPovnS.png", cAlternateFileName="LM7ESG~1.PNG")) returned 1 [0294.753] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c372530, ftCreationTime.dwHighDateTime=0x1d81a35, ftLastAccessTime.dwLowDateTime=0xda911920, ftLastAccessTime.dwHighDateTime=0x1d81b9c, ftLastWriteTime.dwLowDateTime=0xda911920, ftLastWriteTime.dwHighDateTime=0x1d81b9c, nFileSizeHigh=0x0, nFileSizeLow=0xc797, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt1XE8WJFN.jpg", cAlternateFileName="LT1XE8~1.JPG")) returned 1 [0294.753] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x212f8210, ftCreationTime.dwHighDateTime=0x1d819bb, ftLastAccessTime.dwLowDateTime=0xa3b62a30, ftLastAccessTime.dwHighDateTime=0x1d82439, ftLastWriteTime.dwLowDateTime=0xa3b62a30, ftLastWriteTime.dwHighDateTime=0x1d82439, nFileSizeHigh=0x0, nFileSizeLow=0x1749d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ne3h82xciV8B.png", cAlternateFileName="NE3H82~1.PNG")) returned 1 [0294.753] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9fe3830, ftCreationTime.dwHighDateTime=0x1d81c70, ftLastAccessTime.dwLowDateTime=0x7090be90, ftLastAccessTime.dwHighDateTime=0x1d82646, ftLastWriteTime.dwLowDateTime=0x7090be90, ftLastWriteTime.dwHighDateTime=0x1d82646, nFileSizeHigh=0x0, nFileSizeLow=0x186bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="R-vk5p4WTAFfUJEJC.jpg", cAlternateFileName="R-VK5P~1.JPG")) returned 1 [0294.753] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b383240, ftCreationTime.dwHighDateTime=0x1d8207d, ftLastAccessTime.dwLowDateTime=0xd2e450f0, ftLastAccessTime.dwHighDateTime=0x1d828f0, ftLastWriteTime.dwLowDateTime=0xd2e450f0, ftLastWriteTime.dwHighDateTime=0x1d828f0, nFileSizeHigh=0x0, nFileSizeLow=0x14ab3, dwReserved0=0x0, dwReserved1=0x0, cFileName="TqX2LJia.png", cAlternateFileName="")) returned 1 [0294.753] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa82639f0, ftCreationTime.dwHighDateTime=0x1d82346, ftLastAccessTime.dwLowDateTime=0xaec13e20, ftLastAccessTime.dwHighDateTime=0x1d82834, ftLastWriteTime.dwLowDateTime=0xaec13e20, ftLastWriteTime.dwHighDateTime=0x1d82834, nFileSizeHigh=0x0, nFileSizeLow=0x7668, dwReserved0=0x0, dwReserved1=0x0, cFileName="ww9e exBrFr.gif", cAlternateFileName="WW9EEX~1.GIF")) returned 1 [0294.753] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58de8d70, ftCreationTime.dwHighDateTime=0x1d824f4, ftLastAccessTime.dwLowDateTime=0x582185b0, ftLastAccessTime.dwHighDateTime=0x1d8287b, ftLastWriteTime.dwLowDateTime=0x582185b0, ftLastWriteTime.dwHighDateTime=0x1d8287b, nFileSizeHigh=0x0, nFileSizeLow=0x103e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="XKzuW0KK3P__Rm.gif", cAlternateFileName="XKZUW0~1.GIF")) returned 1 [0294.753] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23db91e0, ftCreationTime.dwHighDateTime=0x1d82314, ftLastAccessTime.dwLowDateTime=0xe0d32230, ftLastAccessTime.dwHighDateTime=0x1d8244b, ftLastWriteTime.dwLowDateTime=0xe0d32230, ftLastWriteTime.dwHighDateTime=0x1d8244b, nFileSizeHigh=0x0, nFileSizeLow=0x5c97, dwReserved0=0x0, dwReserved1=0x0, cFileName="zZX7A-L 6x.gif", cAlternateFileName="ZZX7A-~1.GIF")) returned 1 [0294.753] FindNextFileW (in: hFindFile=0xbeffb8, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.753] FindClose (in: hFindFile=0xbeffb8 | out: hFindFile=0xbeffb8) returned 1 [0294.753] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.753] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.753] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.761] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0294.761] WriteFile (in: hFile=0x474, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0294.763] CloseHandle (hObject=0x474) returned 1 [0294.763] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\CRVSGs15zk.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\crvsgs15zk.bmp"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5d559f0, ftCreationTime.dwHighDateTime=0x1d81fc8, ftLastAccessTime.dwLowDateTime=0x79b53e40, ftLastAccessTime.dwHighDateTime=0x1d826ca, ftLastWriteTime.dwLowDateTime=0x79b53e40, ftLastWriteTime.dwHighDateTime=0x1d826ca, nFileSizeHigh=0x0, nFileSizeLow=0x11d2f)) returned 1 [0294.763] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.772] SetEvent (hEvent=0x1d0) returned 1 [0294.772] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.777] SetEvent (hEvent=0x420) returned 1 [0294.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\Ne3h82xciV8B.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ne3h82xciv8b.png"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x212f8210, ftCreationTime.dwHighDateTime=0x1d819bb, ftLastAccessTime.dwLowDateTime=0xa3b62a30, ftLastAccessTime.dwHighDateTime=0x1d82439, ftLastWriteTime.dwLowDateTime=0xa3b62a30, ftLastWriteTime.dwHighDateTime=0x1d82439, nFileSizeHigh=0x0, nFileSizeLow=0x1749d)) returned 1 [0294.778] SetEvent (hEvent=0xf4) returned 1 [0294.778] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0294.782] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.782] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x0 [0294.787] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0x3426fb28, ulCount=0x10, ulNumEntriesRemoved=0x3426fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x3426fb28, ulNumEntriesRemoved=0x3426fb0c) returned 0 [0294.787] SetEvent (hEvent=0x420) returned 1 [0294.787] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0x1) returned 0x102 [0294.789] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0294.790] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0295.289] SetEvent (hEvent=0x1b8) returned 1 [0295.289] SetEvent (hEvent=0xf4) returned 1 [0295.289] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0295.318] SetEvent (hEvent=0x1b8) returned 1 [0295.318] SwitchToThread () returned 1 [0295.324] SetEvent (hEvent=0x1b8) returned 1 [0295.324] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0295.330] SetEvent (hEvent=0x1b8) returned 1 [0295.330] SetEvent (hEvent=0xfc) returned 1 [0295.330] SetEvent (hEvent=0xf4) returned 1 [0295.330] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0295.649] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0295.650] SetEvent (hEvent=0x420) returned 1 [0295.650] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0295.655] SetEvent (hEvent=0x420) returned 1 [0295.655] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0295.658] SetEvent (hEvent=0x420) returned 1 [0295.658] SetEvent (hEvent=0x1b8) returned 1 [0295.658] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0295.658] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0295.658] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0295.659] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b100b0 | out: pbBuffer=0x12b100b0) returned 1 [0295.659] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\YNrRjI3FU86r44y.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\ynrrji3fu86r44y.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0295.659] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0295.659] WriteFile (in: hFile=0x44c, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0295.659] CloseHandle (hObject=0x44c) returned 1 [0295.667] CloseHandle (hObject=0x468) returned 1 [0295.669] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b100c8 | out: pbBuffer=0x12b100c8) returned 1 [0295.669] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\YNrRjI3FU86r44y.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\ynrrji3fu86r44y.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\8wexVd_7SxK-e-as26h\\oE8eH2ULzb\\Y_CM\\H0gqzpF7BJ2I\\#_THIS_FILE_IS_ENCRYPTED_[032F6FC05ACA701C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\8wexvd_7sxk-e-as26h\\oe8eh2ulzb\\y_cm\\h0gqzpf7bj2i\\#_this_file_is_encrypted_[032f6fc05aca701c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.835] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.835] FindFirstFileW (in: lpFileName="C:\\bootmgr\\*", lpFindFileData=0x12a31a44 | out: lpFindFileData=0x12a31a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.836] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) Thread: id = 24 os_tid = 0x264 [0225.828] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0xd1ff30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xd1ff30*=0x1a0) returned 1 [0225.828] VirtualQuery (in: lpAddress=0xd1ff40, lpBuffer=0xd1ff40, dwLength=0x1c | out: lpBuffer=0xd1ff40*(BaseAddress=0xd1f000, AllocationBase=0xc20000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0225.828] SetEvent (hEvent=0x3cc) returned 1 [0225.828] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x454 [0225.828] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0225.838] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0226.550] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0229.085] SetEvent (hEvent=0x1b8) returned 1 [0229.085] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0229.920] SetEvent (hEvent=0xfc) returned 1 [0229.920] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0230.003] SetEvent (hEvent=0xfc) returned 1 [0230.004] SetEvent (hEvent=0x1b8) returned 1 [0230.004] SwitchToThread () returned 1 [0230.008] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0230.252] SetEvent (hEvent=0x1b8) returned 1 [0230.300] SetEvent (hEvent=0x1b8) returned 1 [0230.300] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0230.308] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0230.308] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x0 [0230.310] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xd1fb28, ulCount=0x10, ulNumEntriesRemoved=0xd1fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xd1fb28, ulNumEntriesRemoved=0xd1fb0c) returned 0 [0230.311] SetEvent (hEvent=0x1b8) returned 1 [0230.311] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0230.332] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0230.332] SetEvent (hEvent=0x40c) returned 1 [0230.332] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0230.995] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0231.097] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0231.202] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0231.252] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0231.263] SetEvent (hEvent=0x1d0) returned 1 [0231.263] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0231.267] SetEvent (hEvent=0x40c) returned 1 [0231.269] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0231.271] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0231.271] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x0 [0231.273] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xd1fb28, ulCount=0x10, ulNumEntriesRemoved=0xd1fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xd1fb28, ulNumEntriesRemoved=0xd1fb0c) returned 0 [0231.274] SetEvent (hEvent=0xfc) returned 1 [0231.274] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0231.288] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0231.288] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0236.097] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0292.147] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0292.228] SetEvent (hEvent=0x1b8) returned 1 [0292.358] WSARecv (in: s=0x1a4, lpBuffers=0x12c2e040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x12c2e034, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014, lpCompletionRoutine=0x0 | out: lpBuffers=0x12c2e040*=((len=0x18a3, buf=0x12afe000*)), lpNumberOfBytesRecvd=0x12c2e034*=0x6b, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014) returned 0 [0292.411] WSASend (in: s=0x1a4, lpBuffers=0x12c2e0b4*=((len=0x26, buf=0x12a48200*)), dwBufferCount=0x1, lpNumberOfBytesSent=0x12c2e0a8, dwFlags=0x0, lpOverlapped=0x12c2e088, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0x12c2e0a8*=0x26, lpOverlapped=0x12c2e088) returned 0 [0292.412] WSARecv (in: s=0x1a4, lpBuffers=0x12c2e040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x12c2e034, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014, lpCompletionRoutine=0x0 | out: lpBuffers=0x12c2e040*=((len=0x18a3, buf=0x12afe000*)), lpNumberOfBytesRecvd=0x12c2e034*=0x129, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014) returned 0 [0292.458] SetEvent (hEvent=0x420) returned 1 [0292.458] WSARecv (in: s=0x1a4, lpBuffers=0x12c2e040, dwBufferCount=0x1, lpNumberOfBytesRecvd=0x12c2e034, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014, lpCompletionRoutine=0x0 | out: lpBuffers=0x12c2e040*=((len=0x18a3, buf=0x12afe000)), lpNumberOfBytesRecvd=0x12c2e034*=0x129, lpFlags=0x12c2e078*=0x0, lpOverlapped=0x12c2e014) returned 0xffffffff [0292.707] SetEvent (hEvent=0x3f4) returned 1 [0292.707] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0292.754] SwitchToThread () returned 1 [0292.814] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0292.953] SetEvent (hEvent=0x1b8) returned 1 [0292.953] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\VSK0g_Xxq B8pyfX.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\vsk0g_xxq b8pyfx.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ad03220, ftCreationTime.dwHighDateTime=0x1d81c1e, ftLastAccessTime.dwLowDateTime=0xdfa830b0, ftLastAccessTime.dwHighDateTime=0x1d8206f, ftLastWriteTime.dwLowDateTime=0xdfa830b0, ftLastWriteTime.dwHighDateTime=0x1d8206f, nFileSizeHigh=0x0, nFileSizeLow=0xef11)) returned 1 [0292.954] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.013] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.106] SetEvent (hEvent=0x1b8) returned 1 [0293.106] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bf830e0, ftCreationTime.dwHighDateTime=0x1d822ce, ftLastAccessTime.dwLowDateTime=0x7075ff10, ftLastAccessTime.dwHighDateTime=0x1d82650, ftLastWriteTime.dwLowDateTime=0x7075ff10, ftLastWriteTime.dwHighDateTime=0x1d82650, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0293.106] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0293.106] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\*", lpFindFileData=0x12857904 | out: lpFindFileData=0x12857904*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bf830e0, ftCreationTime.dwHighDateTime=0x1d822ce, ftLastAccessTime.dwLowDateTime=0x7075ff10, ftLastAccessTime.dwHighDateTime=0x1d82650, ftLastWriteTime.dwLowDateTime=0x7075ff10, ftLastWriteTime.dwHighDateTime=0x1d82650, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbef938 [0293.107] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bf830e0, ftCreationTime.dwHighDateTime=0x1d822ce, ftLastAccessTime.dwLowDateTime=0x7075ff10, ftLastAccessTime.dwHighDateTime=0x1d82650, ftLastWriteTime.dwLowDateTime=0x7075ff10, ftLastWriteTime.dwHighDateTime=0x1d82650, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0293.107] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9c201e0, ftCreationTime.dwHighDateTime=0x1d82368, ftLastAccessTime.dwLowDateTime=0xf695e410, ftLastAccessTime.dwHighDateTime=0x1d826c9, ftLastWriteTime.dwLowDateTime=0xf695e410, ftLastWriteTime.dwHighDateTime=0x1d826c9, nFileSizeHigh=0x0, nFileSizeLow=0x8606, dwReserved0=0x0, dwReserved1=0x0, cFileName="17 16B3u8w.rtf", cAlternateFileName="1716B3~1.RTF")) returned 1 [0293.107] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x997ba0d0, ftCreationTime.dwHighDateTime=0x1d8241c, ftLastAccessTime.dwLowDateTime=0x9145ebb0, ftLastAccessTime.dwHighDateTime=0x1d826be, ftLastWriteTime.dwLowDateTime=0x9145ebb0, ftLastWriteTime.dwHighDateTime=0x1d826be, nFileSizeHigh=0x0, nFileSizeLow=0x18e91, dwReserved0=0x0, dwReserved1=0x0, cFileName="42RrXsi9kpjrTPxu8By.xlsx", cAlternateFileName="42RRXS~1.XLS")) returned 1 [0293.107] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45e22bd0, ftCreationTime.dwHighDateTime=0x1d82519, ftLastAccessTime.dwLowDateTime=0x68a691a0, ftLastAccessTime.dwHighDateTime=0x1d825d8, ftLastWriteTime.dwLowDateTime=0x68a691a0, ftLastWriteTime.dwHighDateTime=0x1d825d8, nFileSizeHigh=0x0, nFileSizeLow=0xb25b, dwReserved0=0x0, dwReserved1=0x0, cFileName="46zHym0WJ.odt", cAlternateFileName="46ZHYM~1.ODT")) returned 1 [0293.107] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f3edc0, ftCreationTime.dwHighDateTime=0x1d822ce, ftLastAccessTime.dwLowDateTime=0x9a33b5d0, ftLastAccessTime.dwHighDateTime=0x1d82322, ftLastWriteTime.dwLowDateTime=0x9a33b5d0, ftLastWriteTime.dwHighDateTime=0x1d82322, nFileSizeHigh=0x0, nFileSizeLow=0x1641f, dwReserved0=0x0, dwReserved1=0x0, cFileName="BXHo2RbAttrCH2QVm.xlsx", cAlternateFileName="BXHO2R~1.XLS")) returned 1 [0293.107] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaabee60, ftCreationTime.dwHighDateTime=0x1d8274d, ftLastAccessTime.dwLowDateTime=0x40e998d0, ftLastAccessTime.dwHighDateTime=0x1d82946, ftLastWriteTime.dwLowDateTime=0x40e998d0, ftLastWriteTime.dwHighDateTime=0x1d82946, nFileSizeHigh=0x0, nFileSizeLow=0x11e51, dwReserved0=0x0, dwReserved1=0x0, cFileName="Qx26De31QiS.rtf", cAlternateFileName="QX26DE~1.RTF")) returned 1 [0293.107] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1ba6500, ftCreationTime.dwHighDateTime=0x1d819d7, ftLastAccessTime.dwLowDateTime=0x12a35620, ftLastAccessTime.dwHighDateTime=0x1d826b5, ftLastWriteTime.dwLowDateTime=0x12a35620, ftLastWriteTime.dwHighDateTime=0x1d826b5, nFileSizeHigh=0x0, nFileSizeLow=0x15040, dwReserved0=0x0, dwReserved1=0x0, cFileName="r55WOM29Tnt.rtf", cAlternateFileName="R55WOM~1.RTF")) returned 1 [0293.107] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857948 | out: lpFindFileData=0x12857948*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0293.107] FindClose (in: hFindFile=0xbef938 | out: hFindFile=0xbef938) returned 1 [0293.107] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128575cc | out: lpFileInformation=0x128575cc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0293.108] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0293.108] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.118] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x128577dc | out: lpMode=0x128577dc) returned 0 [0293.118] WriteFile (in: hFile=0x464, lpBuffer=0x12e58000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128577dc, lpOverlapped=0x0 | out: lpBuffer=0x12e58000*, lpNumberOfBytesWritten=0x128577dc*=0x118a, lpOverlapped=0x0) returned 1 [0293.121] CloseHandle (hObject=0x464) returned 1 [0293.121] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\17 16B3u8w.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\17 16b3u8w.rtf"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9c201e0, ftCreationTime.dwHighDateTime=0x1d82368, ftLastAccessTime.dwLowDateTime=0xf695e410, ftLastAccessTime.dwHighDateTime=0x1d826c9, ftLastWriteTime.dwLowDateTime=0xf695e410, ftLastWriteTime.dwHighDateTime=0x1d826c9, nFileSizeHigh=0x0, nFileSizeLow=0x8606)) returned 1 [0293.121] SetEvent (hEvent=0x1b8) returned 1 [0293.122] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\42RrXsi9kpjrTPxu8By.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\42rrxsi9kpjrtpxu8by.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x128579c8 | out: lpFileInformation=0x128579c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x997ba0d0, ftCreationTime.dwHighDateTime=0x1d8241c, ftLastAccessTime.dwLowDateTime=0x9145ebb0, ftLastAccessTime.dwHighDateTime=0x1d826be, ftLastWriteTime.dwLowDateTime=0x9145ebb0, ftLastWriteTime.dwHighDateTime=0x1d826be, nFileSizeHigh=0x0, nFileSizeLow=0x18e91)) returned 1 [0293.122] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\17 16B3u8w.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\17 16b3u8w.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.123] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.123] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\17 16B3u8w.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\17 16b3u8w.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9c201e0, ftCreationTime.dwHighDateTime=0x1d82368, ftLastAccessTime.dwLowDateTime=0xf695e410, ftLastAccessTime.dwHighDateTime=0x1d826c9, ftLastWriteTime.dwLowDateTime=0xf695e410, ftLastWriteTime.dwHighDateTime=0x1d826c9, nFileSizeHigh=0x0, nFileSizeLow=0x8606)) returned 1 [0293.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6fc0 | out: pbBuffer=0x12ac6fc0) returned 1 [0293.123] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12811620 | out: pbBuffer=0x12811620) returned 1 [0293.124] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0293.126] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.126] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xd1fb20, ulCount=0x10, ulNumEntriesRemoved=0xd1fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xd1fb20, ulNumEntriesRemoved=0xd1fb04) returned 0 [0293.127] SetEvent (hEvent=0x110) returned 1 [0293.127] SetEvent (hEvent=0x1b8) returned 1 [0293.127] ReadFile (in: hFile=0x464, lpBuffer=0x12976000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12976000*, lpNumberOfBytesRead=0x12a2fd1c*=0x8606, lpOverlapped=0x0) returned 1 [0293.130] GetFileType (hFile=0x464) returned 0x1 [0293.130] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.130] WriteFile (in: hFile=0x464, lpBuffer=0x129be000*, nNumberOfBytesToWrite=0x8606, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x129be000*, lpNumberOfBytesWritten=0x12a2fd00*=0x8606, lpOverlapped=0x12a2fd0c) returned 1 [0293.131] GetFileType (hFile=0x464) returned 0x1 [0293.131] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x8606, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800d81 | out: pbBuffer=0x12800d81) returned 1 [0293.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800e81 | out: pbBuffer=0x12800e81) returned 1 [0293.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800f81 | out: pbBuffer=0x12800f81) returned 1 [0293.131] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128116d8 | out: pbBuffer=0x128116d8) returned 1 [0293.131] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\17 16B3u8w.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\17 16b3u8w.rtf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.132] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.132] WriteFile (in: hFile=0x470, lpBuffer=0x12a44f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a44f00*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0293.133] CloseHandle (hObject=0x470) returned 1 [0293.133] CloseHandle (hObject=0x464) returned 1 [0293.133] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128116f0 | out: pbBuffer=0x128116f0) returned 1 [0293.133] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\17 16B3u8w.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\17 16b3u8w.rtf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\#_THIS_FILE_IS_ENCRYPTED_[854DF11741FD4A30]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\#_this_file_is_encrypted_[854df11741fd4a30]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.187] SetEvent (hEvent=0x110) returned 1 [0293.187] SetEvent (hEvent=0x19c) returned 1 [0293.187] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\42RrXsi9kpjrTPxu8By.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\42rrxsi9kpjrtpxu8by.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.189] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.189] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\42RrXsi9kpjrTPxu8By.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\42rrxsi9kpjrtpxu8by.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x997ba0d0, ftCreationTime.dwHighDateTime=0x1d8241c, ftLastAccessTime.dwLowDateTime=0x9145ebb0, ftLastAccessTime.dwHighDateTime=0x1d826be, ftLastWriteTime.dwLowDateTime=0x9145ebb0, ftLastWriteTime.dwHighDateTime=0x1d826be, nFileSizeHigh=0x0, nFileSizeLow=0x18e91)) returned 1 [0293.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0293.189] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0293.190] ReadFile (in: hFile=0x464, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x12a2fd1c*=0x18e91, lpOverlapped=0x0) returned 1 [0293.193] GetFileType (hFile=0x464) returned 0x1 [0293.193] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.193] WriteFile (in: hFile=0x464, lpBuffer=0x12aa2000*, nNumberOfBytesToWrite=0x18e91, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12aa2000*, lpNumberOfBytesWritten=0x12a2fd00*=0x18e91, lpOverlapped=0x12a2fd0c) returned 1 [0293.194] GetFileType (hFile=0x464) returned 0x1 [0293.194] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x18e91, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.194] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0293.194] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0293.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0293.195] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0293.195] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\42RrXsi9kpjrTPxu8By.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\42rrxsi9kpjrtpxu8by.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.195] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.195] WriteFile (in: hFile=0x470, lpBuffer=0x12a44000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12a44000*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0293.196] CloseHandle (hObject=0x470) returned 1 [0293.196] CloseHandle (hObject=0x464) returned 1 [0293.196] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810108 | out: pbBuffer=0x12810108) returned 1 [0293.196] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\42RrXsi9kpjrTPxu8By.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\42rrxsi9kpjrtpxu8by.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\#_THIS_FILE_IS_ENCRYPTED_[95F6FE0DD50A6B81]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\#_this_file_is_encrypted_[95f6fe0dd50a6b81]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.262] SetEvent (hEvent=0x19c) returned 1 [0293.263] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\r55WOM29Tnt.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\r55wom29tnt.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.265] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.265] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\r55WOM29Tnt.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\r55wom29tnt.rtf"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1ba6500, ftCreationTime.dwHighDateTime=0x1d819d7, ftLastAccessTime.dwLowDateTime=0x12a35620, ftLastAccessTime.dwHighDateTime=0x1d826b5, ftLastWriteTime.dwLowDateTime=0x12a35620, ftLastWriteTime.dwHighDateTime=0x1d826b5, nFileSizeHigh=0x0, nFileSizeLow=0x15040)) returned 1 [0293.265] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128447c0 | out: pbBuffer=0x128447c0) returned 1 [0293.265] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848560 | out: pbBuffer=0x12848560) returned 1 [0293.265] ReadFile (in: hFile=0x44c, lpBuffer=0x12e24000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e24000*, lpNumberOfBytesRead=0x12a2fd1c*=0x15040, lpOverlapped=0x0) returned 1 [0293.266] GetFileType (hFile=0x44c) returned 0x1 [0293.267] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.267] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x15040, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12a2fd00*=0x15040, lpOverlapped=0x12a2fd0c) returned 1 [0293.267] GetFileType (hFile=0x44c) returned 0x1 [0293.267] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x15040, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.267] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0293.267] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0293.268] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0293.268] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848618 | out: pbBuffer=0x12848618) returned 1 [0293.268] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\r55WOM29Tnt.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\r55wom29tnt.rtf"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.268] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.268] WriteFile (in: hFile=0x470, lpBuffer=0x12dd1400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1400*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0293.269] CloseHandle (hObject=0x470) returned 1 [0293.275] CloseHandle (hObject=0x44c) returned 1 [0293.279] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848630 | out: pbBuffer=0x12848630) returned 1 [0293.279] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\r55WOM29Tnt.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\r55wom29tnt.rtf"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\_oP0pbauaqCGB3\\jZ-2JQCeXoLk\\4HstjI\\mW58l4NizJ\\#_THIS_FILE_IS_ENCRYPTED_[5C9680A86131889A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\_op0pbauaqcgb3\\jz-2jqcexolk\\4hstji\\mw58l4nizj\\#_this_file_is_encrypted_[5c9680a86131889a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.443] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.457] SetEvent (hEvent=0x1d0) returned 1 [0293.457] SetEvent (hEvent=0xfc) returned 1 [0293.457] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4372e947, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192)) returned 1 [0293.458] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.497] SetEvent (hEvent=0x19c) returned 1 [0293.498] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fxKjYnPBbwwwVQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fxkjynpbbwwwvq.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84bb0450, ftCreationTime.dwHighDateTime=0x1d817e8, ftLastAccessTime.dwLowDateTime=0x6a574b90, ftLastAccessTime.dwHighDateTime=0x1d824eb, ftLastWriteTime.dwLowDateTime=0x6a574b90, ftLastWriteTime.dwHighDateTime=0x1d824eb, nFileSizeHigh=0x0, nFileSizeLow=0x8631)) returned 1 [0293.498] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jLJRUuMccxBs.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jljruumccxbs.xls"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7117d00, ftCreationTime.dwHighDateTime=0x1d8258e, ftLastAccessTime.dwLowDateTime=0x2822eca0, ftLastAccessTime.dwHighDateTime=0x1d82592, ftLastWriteTime.dwLowDateTime=0x2822eca0, ftLastWriteTime.dwHighDateTime=0x1d82592, nFileSizeHigh=0x0, nFileSizeLow=0x12293)) returned 1 [0293.498] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\tLhwJhSyQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tlhwjhsyq.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f02fb00, ftCreationTime.dwHighDateTime=0x1d7cc31, ftLastAccessTime.dwLowDateTime=0x37179300, ftLastAccessTime.dwHighDateTime=0x1d7e311, ftLastWriteTime.dwLowDateTime=0x37179300, ftLastWriteTime.dwHighDateTime=0x1d7e311, nFileSizeHigh=0x0, nFileSizeLow=0x1b3d)) returned 1 [0293.498] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jLJRUuMccxBs.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jljruumccxbs.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.499] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.499] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jLJRUuMccxBs.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jljruumccxbs.xls"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7117d00, ftCreationTime.dwHighDateTime=0x1d8258e, ftLastAccessTime.dwLowDateTime=0x2822eca0, ftLastAccessTime.dwHighDateTime=0x1d82592, ftLastWriteTime.dwLowDateTime=0x2822eca0, ftLastWriteTime.dwHighDateTime=0x1d82592, nFileSizeHigh=0x0, nFileSizeLow=0x12293)) returned 1 [0293.499] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929220 | out: pbBuffer=0x12929220) returned 1 [0293.499] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a5d0 | out: pbBuffer=0x12a9a5d0) returned 1 [0293.499] ReadFile (in: hFile=0x44c, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12853d1c*=0x12293, lpOverlapped=0x0) returned 1 [0293.502] GetFileType (hFile=0x44c) returned 0x1 [0293.502] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.502] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0x12293, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12853d00*=0x12293, lpOverlapped=0x12853d0c) returned 1 [0293.503] GetFileType (hFile=0x44c) returned 0x1 [0293.503] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x12293, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a001 | out: pbBuffer=0x1286a001) returned 1 [0293.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a201 | out: pbBuffer=0x1286a201) returned 1 [0293.503] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a301 | out: pbBuffer=0x1286a301) returned 1 [0293.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a6b8 | out: pbBuffer=0x12a9a6b8) returned 1 [0293.504] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jLJRUuMccxBs.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jljruumccxbs.xls"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.504] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.504] WriteFile (in: hFile=0x468, lpBuffer=0x12a76000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76000*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.504] CloseHandle (hObject=0x468) returned 1 [0293.504] CloseHandle (hObject=0x44c) returned 1 [0293.504] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a6d0 | out: pbBuffer=0x12a9a6d0) returned 1 [0293.505] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jLJRUuMccxBs.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jljruumccxbs.xls"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[FF000D2BD56C3131]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[ff000d2bd56c3131]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.506] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\tLhwJhSyQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tlhwjhsyq.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.507] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.507] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\tLhwJhSyQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tlhwjhsyq.pptx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f02fb00, ftCreationTime.dwHighDateTime=0x1d7cc31, ftLastAccessTime.dwLowDateTime=0x37179300, ftLastAccessTime.dwHighDateTime=0x1d7e311, ftLastWriteTime.dwLowDateTime=0x37179300, ftLastWriteTime.dwHighDateTime=0x1d7e311, nFileSizeHigh=0x0, nFileSizeLow=0x1b3d)) returned 1 [0293.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929460 | out: pbBuffer=0x12929460) returned 1 [0293.507] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a748 | out: pbBuffer=0x12a9a748) returned 1 [0293.508] ReadFile (in: hFile=0x44c, lpBuffer=0x12b9e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12b9e000*, lpNumberOfBytesRead=0x12853d1c*=0x1b3d, lpOverlapped=0x0) returned 1 [0293.509] GetFileType (hFile=0x44c) returned 0x1 [0293.509] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.509] WriteFile (in: hFile=0x44c, lpBuffer=0x12a78000*, nNumberOfBytesToWrite=0x1b3d, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12a78000*, lpNumberOfBytesWritten=0x12853d00*=0x1b3d, lpOverlapped=0x12853d0c) returned 1 [0293.509] GetFileType (hFile=0x44c) returned 0x1 [0293.509] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x1b3d, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.509] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a501 | out: pbBuffer=0x1286a501) returned 1 [0293.510] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0293.510] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0293.510] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a890 | out: pbBuffer=0x12a9a890) returned 1 [0293.510] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\tLhwJhSyQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tlhwjhsyq.pptx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.510] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.510] WriteFile (in: hFile=0x468, lpBuffer=0x12a76500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76500*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.511] CloseHandle (hObject=0x468) returned 1 [0293.511] CloseHandle (hObject=0x44c) returned 1 [0293.511] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a8a8 | out: pbBuffer=0x12a9a8a8) returned 1 [0293.511] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\tLhwJhSyQ.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tlhwjhsyq.pptx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[062B4D7A1860ECD0]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[062b4d7a1860ecd0]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.512] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\vaWpAP.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vawpap.ods"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d0cdb50, ftCreationTime.dwHighDateTime=0x1d81bad, ftLastAccessTime.dwLowDateTime=0x2abc4050, ftLastAccessTime.dwHighDateTime=0x1d82a20, ftLastWriteTime.dwLowDateTime=0x2abc4050, ftLastWriteTime.dwHighDateTime=0x1d82a20, nFileSizeHigh=0x0, nFileSizeLow=0x10cec)) returned 1 [0293.512] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yFisAPT.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yfisapt.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45801620, ftCreationTime.dwHighDateTime=0x1d79fb8, ftLastAccessTime.dwLowDateTime=0xceeb0890, ftLastAccessTime.dwHighDateTime=0x1d7e089, ftLastWriteTime.dwLowDateTime=0xceeb0890, ftLastWriteTime.dwHighDateTime=0x1d7e089, nFileSizeHigh=0x0, nFileSizeLow=0x758d)) returned 1 [0293.513] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\vaWpAP.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vawpap.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.513] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.513] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\vaWpAP.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vawpap.ods"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d0cdb50, ftCreationTime.dwHighDateTime=0x1d81bad, ftLastAccessTime.dwLowDateTime=0x2abc4050, ftLastAccessTime.dwHighDateTime=0x1d82a20, ftLastWriteTime.dwLowDateTime=0x2abc4050, ftLastWriteTime.dwHighDateTime=0x1d82a20, nFileSizeHigh=0x0, nFileSizeLow=0x10cec)) returned 1 [0293.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12929680 | out: pbBuffer=0x12929680) returned 1 [0293.513] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b6d0 | out: pbBuffer=0x12a9b6d0) returned 1 [0293.513] ReadFile (in: hFile=0x44c, lpBuffer=0x12bde000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bde000*, lpNumberOfBytesRead=0x12853d1c*=0x10cec, lpOverlapped=0x0) returned 1 [0293.516] GetFileType (hFile=0x44c) returned 0x1 [0293.516] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.516] WriteFile (in: hFile=0x44c, lpBuffer=0x12bfe000*, nNumberOfBytesToWrite=0x10cec, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12bfe000*, lpNumberOfBytesWritten=0x12853d00*=0x10cec, lpOverlapped=0x12853d0c) returned 1 [0293.517] GetFileType (hFile=0x44c) returned 0x1 [0293.517] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x10cec, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.517] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a881 | out: pbBuffer=0x1286a881) returned 1 [0293.517] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a981 | out: pbBuffer=0x1286a981) returned 1 [0293.517] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286aa81 | out: pbBuffer=0x1286aa81) returned 1 [0293.518] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b7f8 | out: pbBuffer=0x12a9b7f8) returned 1 [0293.518] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\vaWpAP.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vawpap.ods"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.518] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.518] WriteFile (in: hFile=0x468, lpBuffer=0x12a76a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76a00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.518] CloseHandle (hObject=0x468) returned 1 [0293.518] CloseHandle (hObject=0x44c) returned 1 [0293.518] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b820 | out: pbBuffer=0x12a9b820) returned 1 [0293.518] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\vaWpAP.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vawpap.ods"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[B15341679DAE70DA]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[b15341679dae70da]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yFisAPT.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yfisapt.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.520] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.520] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yFisAPT.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yfisapt.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45801620, ftCreationTime.dwHighDateTime=0x1d79fb8, ftLastAccessTime.dwLowDateTime=0xceeb0890, ftLastAccessTime.dwHighDateTime=0x1d7e089, ftLastWriteTime.dwLowDateTime=0xceeb0890, ftLastWriteTime.dwHighDateTime=0x1d7e089, nFileSizeHigh=0x0, nFileSizeLow=0x758d)) returned 1 [0293.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129298a0 | out: pbBuffer=0x129298a0) returned 1 [0293.521] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b868 | out: pbBuffer=0x12a9b868) returned 1 [0293.521] ReadFile (in: hFile=0x44c, lpBuffer=0x12cc4000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12cc4000*, lpNumberOfBytesRead=0x12853d1c*=0x758d, lpOverlapped=0x0) returned 1 [0293.522] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0293.526] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.526] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xd1fb20, ulCount=0x10, ulNumEntriesRemoved=0xd1fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xd1fb20, ulNumEntriesRemoved=0xd1fb04) returned 0 [0293.526] SetEvent (hEvent=0x110) returned 1 [0293.526] SetEvent (hEvent=0x19c) returned 1 [0293.526] GetFileType (hFile=0x44c) returned 0x1 [0293.526] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.526] WriteFile (in: hFile=0x44c, lpBuffer=0x12c1e000*, nNumberOfBytesToWrite=0x758d, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12c1e000*, lpNumberOfBytesWritten=0x12853d00*=0x758d, lpOverlapped=0x12853d0c) returned 1 [0293.527] GetFileType (hFile=0x44c) returned 0x1 [0293.527] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x758d, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.528] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ac01 | out: pbBuffer=0x1286ac01) returned 1 [0293.528] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ad01 | out: pbBuffer=0x1286ad01) returned 1 [0293.528] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286ae01 | out: pbBuffer=0x1286ae01) returned 1 [0293.529] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b920 | out: pbBuffer=0x12a9b920) returned 1 [0293.529] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yFisAPT.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yfisapt.xlsx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.529] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0293.529] WriteFile (in: hFile=0x470, lpBuffer=0x12a76f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12a76f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.529] CloseHandle (hObject=0x470) returned 1 [0293.529] CloseHandle (hObject=0x44c) returned 1 [0293.529] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b938 | out: pbBuffer=0x12a9b938) returned 1 [0293.530] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yFisAPT.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\yfisapt.xlsx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[6BDC031562314130]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[6bdc031562314130]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.532] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0293.537] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.537] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x0 [0293.577] SwitchToThread () returned 1 [0293.579] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0293.582] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.582] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xd1fb28, ulCount=0x10, ulNumEntriesRemoved=0xd1fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xd1fb28, ulNumEntriesRemoved=0xd1fb0c) returned 0 [0293.582] SetEvent (hEvent=0x110) returned 1 [0293.582] SetEvent (hEvent=0x19c) returned 1 [0293.582] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0293.596] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.597] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bJHrKFh47XxzRpF4.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjhrkfh47xxzrpf4.docx"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75ccaff0, ftCreationTime.dwHighDateTime=0x1d7a224, ftLastAccessTime.dwLowDateTime=0x36cd7db0, ftLastAccessTime.dwHighDateTime=0x1d7e8cf, ftLastWriteTime.dwLowDateTime=0x36cd7db0, ftLastWriteTime.dwHighDateTime=0x1d7e8cf, nFileSizeHigh=0x0, nFileSizeLow=0x18f6c)) returned 1 [0293.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0293.597] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0293.597] ReadFile (in: hFile=0x468, lpBuffer=0x12dd8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12dd8000*, lpNumberOfBytesRead=0x12a2fd1c*=0x18f6c, lpOverlapped=0x0) returned 1 [0293.600] GetFileType (hFile=0x468) returned 0x1 [0293.600] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.601] WriteFile (in: hFile=0x468, lpBuffer=0x12b48000*, nNumberOfBytesToWrite=0x18f6c, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12b48000*, lpNumberOfBytesWritten=0x12a2fd00*=0x18f6c, lpOverlapped=0x12a2fd0c) returned 1 [0293.601] GetFileType (hFile=0x468) returned 0x1 [0293.601] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x18f6c, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.601] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0293.602] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0293.602] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0293.602] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914220 | out: pbBuffer=0x12914220) returned 1 [0293.602] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bJHrKFh47XxzRpF4.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjhrkfh47xxzrpf4.docx"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.602] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.602] WriteFile (in: hFile=0x464, lpBuffer=0x128ae000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x128ae000*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0293.603] CloseHandle (hObject=0x464) returned 1 [0293.618] CloseHandle (hObject=0x468) returned 1 [0293.619] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914278 | out: pbBuffer=0x12914278) returned 1 [0293.620] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bJHrKFh47XxzRpF4.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bjhrkfh47xxzrpf4.docx"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\#_THIS_FILE_IS_ENCRYPTED_[2CC70A501454CE75]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\#_this_file_is_encrypted_[2cc70a501454ce75]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.682] SetEvent (hEvent=0x110) returned 1 [0293.683] SetEvent (hEvent=0x420) returned 1 [0293.683] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.684] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.684] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a)) returned 1 [0293.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e700 | out: pbBuffer=0x1280e700) returned 1 [0293.684] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a288 | out: pbBuffer=0x12a9a288) returned 1 [0293.684] ReadFile (in: hFile=0x464, lpBuffer=0x12e38000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e38000*, lpNumberOfBytesRead=0x12a2fd1c*=0x11a, lpOverlapped=0x0) returned 1 [0293.685] GetFileType (hFile=0x464) returned 0x1 [0293.686] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.686] WriteFile (in: hFile=0x464, lpBuffer=0x12e5a900*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12e5a900*, lpNumberOfBytesWritten=0x12a2fd00*=0x11a, lpOverlapped=0x12a2fd0c) returned 1 [0293.686] GetFileType (hFile=0x464) returned 0x1 [0293.686] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x11a, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.686] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc881 | out: pbBuffer=0x12afc881) returned 1 [0293.686] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0293.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0293.687] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a340 | out: pbBuffer=0x12a9a340) returned 1 [0293.687] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0293.687] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.687] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2a00*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0293.694] CloseHandle (hObject=0x44c) returned 1 [0293.694] CloseHandle (hObject=0x464) returned 1 [0293.694] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a358 | out: pbBuffer=0x12a9a358) returned 1 [0293.694] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\#_THIS_FILE_IS_ENCRYPTED_[694C494BCE6CB619]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\#_this_file_is_encrypted_[694c494bce6cb619]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.704] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.716] SetEvent (hEvent=0xf4) returned 1 [0293.716] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0293.718] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.718] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url"), fInfoLevelId=0x0, lpFileInformation=0x12855ad0 | out: lpFileInformation=0x12855ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43053b43, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43053b43, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd0)) returned 1 [0293.718] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x1280e920 | out: pbBuffer=0x1280e920) returned 1 [0293.718] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a3a0 | out: pbBuffer=0x12a9a3a0) returned 1 [0293.718] ReadFile (in: hFile=0x468, lpBuffer=0x12956000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12855d1c, lpOverlapped=0x0 | out: lpBuffer=0x12956000*, lpNumberOfBytesRead=0x12855d1c*=0xd0, lpOverlapped=0x0) returned 1 [0293.720] GetFileType (hFile=0x468) returned 0x1 [0293.720] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.720] WriteFile (in: hFile=0x468, lpBuffer=0x12ad4000*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x12855d00, lpOverlapped=0x12855d0c | out: lpBuffer=0x12ad4000*, lpNumberOfBytesWritten=0x12855d00*=0xd0, lpOverlapped=0x12855d0c) returned 1 [0293.720] GetFileType (hFile=0x468) returned 0x1 [0293.720] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xd0, lpNewFilePointer=0x0, dwMoveMethod=0x12855ce4 | out: lpNewFilePointer=0x0) returned 1 [0293.720] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcc01 | out: pbBuffer=0x12afcc01) returned 1 [0293.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcd01 | out: pbBuffer=0x12afcd01) returned 1 [0293.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0293.721] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9a458 | out: pbBuffer=0x12a9a458) returned 1 [0293.721] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0293.721] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12855d0c | out: lpMode=0x12855d0c) returned 0 [0293.722] WriteFile (in: hFile=0x464, lpBuffer=0x12ac2f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12855d0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2f00*, lpNumberOfBytesWritten=0x12855d0c*=0x276, lpOverlapped=0x0) returned 1 [0293.723] CloseHandle (hObject=0x464) returned 1 [0293.726] CloseHandle (hObject=0x468) returned 1 [0293.816] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810ee8 | out: pbBuffer=0x12810ee8) returned 1 [0293.843] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\#_THIS_FILE_IS_ENCRYPTED_[5ACA1013632076D2]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\#_this_file_is_encrypted_[5aca1013632076d2]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0293.867] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0293.868] GetConsoleMode (in: hConsoleHandle=0x45c, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0293.869] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50)) returned 1 [0293.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928940 | out: pbBuffer=0x12928940) returned 1 [0293.869] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810f30 | out: pbBuffer=0x12810f30) returned 1 [0293.869] ReadFile (in: hFile=0x45c, lpBuffer=0x12996000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12996000*, lpNumberOfBytesRead=0x12a2fd1c*=0x50, lpOverlapped=0x0) returned 1 [0293.870] GetFileType (hFile=0x45c) returned 0x1 [0293.870] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.871] WriteFile (in: hFile=0x45c, lpBuffer=0x12894050*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12894050*, lpNumberOfBytesWritten=0x12a2fd00*=0x50, lpOverlapped=0x12a2fd0c) returned 1 [0293.871] GetFileType (hFile=0x45c) returned 0x1 [0293.871] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x50, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0293.937] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.958] SetEvent (hEvent=0xfc) returned 1 [0293.958] SwitchToThread () returned 1 [0293.963] SetEvent (hEvent=0xfc) returned 1 [0293.963] SetEvent (hEvent=0x1d0) returned 1 [0293.963] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0293.966] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.966] SetEvent (hEvent=0x1d0) returned 1 [0293.966] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0293.972] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.972] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0293.975] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.975] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xd1fb28, ulCount=0x10, ulNumEntriesRemoved=0xd1fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xd1fb28, ulNumEntriesRemoved=0xd1fb0c) returned 0 [0293.975] SetEvent (hEvent=0x1d0) returned 1 [0293.976] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0293.998] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0293.998] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0293.999] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0293.999] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x207)) returned 1 [0293.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6000 | out: pbBuffer=0x12ac6000) returned 1 [0293.999] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914008 | out: pbBuffer=0x12914008) returned 1 [0293.999] ReadFile (in: hFile=0x470, lpBuffer=0x12c00000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c00000*, lpNumberOfBytesRead=0x12a2bd1c*=0x207, lpOverlapped=0x0) returned 1 [0294.002] GetFileType (hFile=0x470) returned 0x1 [0294.002] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.002] WriteFile (in: hFile=0x470, lpBuffer=0x12b0a6c0*, nNumberOfBytesToWrite=0x207, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12b0a6c0*, lpNumberOfBytesWritten=0x12a2bd00*=0x207, lpOverlapped=0x12a2bd0c) returned 1 [0294.002] GetFileType (hFile=0x470) returned 0x1 [0294.002] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x207, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.003] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0294.003] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0294.003] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0294.003] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914220 | out: pbBuffer=0x12914220) returned 1 [0294.003] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.004] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.004] WriteFile (in: hFile=0x474, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.025] CloseHandle (hObject=0x474) returned 1 [0294.025] CloseHandle (hObject=0x470) returned 1 [0294.026] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914278 | out: pbBuffer=0x12914278) returned 1 [0294.026] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\#_THIS_FILE_IS_ENCRYPTED_[60A4BD6E8A562F6E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\#_this_file_is_encrypted_[60a4bd6e8a562f6e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.027] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\l7c1KEt1ofl0.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\l7c1ket1ofl0.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.028] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.028] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\l7c1KEt1ofl0.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\l7c1ket1ofl0.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef95a360, ftCreationTime.dwHighDateTime=0x1d820f4, ftLastAccessTime.dwLowDateTime=0xdcafae90, ftLastAccessTime.dwHighDateTime=0x1d825bc, ftLastWriteTime.dwLowDateTime=0xdcafae90, ftLastWriteTime.dwHighDateTime=0x1d825bc, nFileSizeHigh=0x0, nFileSizeLow=0x744f)) returned 1 [0294.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6280 | out: pbBuffer=0x12ac6280) returned 1 [0294.028] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12914320 | out: pbBuffer=0x12914320) returned 1 [0294.029] ReadFile (in: hFile=0x470, lpBuffer=0x12df0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12df0000*, lpNumberOfBytesRead=0x12a2bd1c*=0x744f, lpOverlapped=0x0) returned 1 [0294.030] GetFileType (hFile=0x470) returned 0x1 [0294.030] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.030] WriteFile (in: hFile=0x470, lpBuffer=0x12ae8000*, nNumberOfBytesToWrite=0x744f, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12ae8000*, lpNumberOfBytesWritten=0x12a2bd00*=0x744f, lpOverlapped=0x12a2bd0c) returned 1 [0294.031] GetFileType (hFile=0x470) returned 0x1 [0294.031] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x744f, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.031] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800881 | out: pbBuffer=0x12800881) returned 1 [0294.031] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801101 | out: pbBuffer=0x12801101) returned 1 [0294.031] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801201 | out: pbBuffer=0x12801201) returned 1 [0294.032] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12914458 | out: pbBuffer=0x12914458) returned 1 [0294.032] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\l7c1KEt1ofl0.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\l7c1ket1ofl0.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.034] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.034] WriteFile (in: hFile=0x474, lpBuffer=0x12ac2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2500*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.035] CloseHandle (hObject=0x474) returned 1 [0294.035] CloseHandle (hObject=0x470) returned 1 [0294.035] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x129144a0 | out: pbBuffer=0x129144a0) returned 1 [0294.035] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\l7c1KEt1ofl0.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\l7c1ket1ofl0.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\#_THIS_FILE_IS_ENCRYPTED_[5D3797E234BB7391]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\#_this_file_is_encrypted_[5d3797e234bb7391]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.037] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1de3c260, ftCreationTime.dwHighDateTime=0x1d819cf, ftLastAccessTime.dwLowDateTime=0xcb7f2be0, ftLastAccessTime.dwHighDateTime=0x1d81f55, ftLastWriteTime.dwLowDateTime=0xcb7f2be0, ftLastWriteTime.dwHighDateTime=0x1d81f55, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.037] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.037] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1de3c260, ftCreationTime.dwHighDateTime=0x1d819cf, ftLastAccessTime.dwLowDateTime=0xcb7f2be0, ftLastAccessTime.dwHighDateTime=0x1d81f55, ftLastWriteTime.dwLowDateTime=0xcb7f2be0, ftLastWriteTime.dwHighDateTime=0x1d81f55, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0294.037] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1de3c260, ftCreationTime.dwHighDateTime=0x1d819cf, ftLastAccessTime.dwLowDateTime=0xcb7f2be0, ftLastAccessTime.dwHighDateTime=0x1d81f55, ftLastWriteTime.dwLowDateTime=0xcb7f2be0, ftLastWriteTime.dwHighDateTime=0x1d81f55, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a63ecd0, ftCreationTime.dwHighDateTime=0x1d81a03, ftLastAccessTime.dwLowDateTime=0xa5c84340, ftLastAccessTime.dwHighDateTime=0x1d81d94, ftLastWriteTime.dwLowDateTime=0xa5c84340, ftLastWriteTime.dwHighDateTime=0x1d81d94, nFileSizeHigh=0x0, nFileSizeLow=0xe210, dwReserved0=0x0, dwReserved1=0x0, cFileName="1 aiY4L.mp3", cAlternateFileName="1AIY4L~1.MP3")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ff2440, ftCreationTime.dwHighDateTime=0x1d8296c, ftLastAccessTime.dwLowDateTime=0x801a19a0, ftLastAccessTime.dwHighDateTime=0x1d8297b, ftLastWriteTime.dwLowDateTime=0x801a19a0, ftLastWriteTime.dwHighDateTime=0x1d8297b, nFileSizeHigh=0x0, nFileSizeLow=0xeb89, dwReserved0=0x0, dwReserved1=0x0, cFileName="59FnZ5JJNh.mp3", cAlternateFileName="59FNZ5~1.MP3")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5be94010, ftCreationTime.dwHighDateTime=0x1d819a9, ftLastAccessTime.dwLowDateTime=0x15024340, ftLastAccessTime.dwHighDateTime=0x1d828ae, ftLastWriteTime.dwLowDateTime=0x15024340, ftLastWriteTime.dwHighDateTime=0x1d828ae, nFileSizeHigh=0x0, nFileSizeLow=0x2b79, dwReserved0=0x0, dwReserved1=0x0, cFileName="87Y4wkljoS5G5e jTi.wav", cAlternateFileName="87Y4WK~1.WAV")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29ec1960, ftCreationTime.dwHighDateTime=0x1d81f3b, ftLastAccessTime.dwLowDateTime=0xd44e27f0, ftLastAccessTime.dwHighDateTime=0x1d820de, ftLastWriteTime.dwLowDateTime=0xd44e27f0, ftLastWriteTime.dwHighDateTime=0x1d820de, nFileSizeHigh=0x0, nFileSizeLow=0x8bf0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-GfqHuaumP.wav", cAlternateFileName="BG-GFQ~1.WAV")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97815a70, ftCreationTime.dwHighDateTime=0x1d823fb, ftLastAccessTime.dwLowDateTime=0xa5df5bb0, ftLastAccessTime.dwHighDateTime=0x1d8292f, ftLastWriteTime.dwLowDateTime=0xa5df5bb0, ftLastWriteTime.dwHighDateTime=0x1d8292f, nFileSizeHigh=0x0, nFileSizeLow=0x143e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="hNADd WlkRZXly9vVPc.m4a", cAlternateFileName="HNADDW~1.M4A")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b292860, ftCreationTime.dwHighDateTime=0x1d81e86, ftLastAccessTime.dwLowDateTime=0x7d6a6650, ftLastAccessTime.dwHighDateTime=0x1d82733, ftLastWriteTime.dwLowDateTime=0x7d6a6650, ftLastWriteTime.dwHighDateTime=0x1d82733, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J_GcTV", cAlternateFileName="")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf5e41a0, ftCreationTime.dwHighDateTime=0x1d82636, ftLastAccessTime.dwLowDateTime=0xb7008f0, ftLastAccessTime.dwHighDateTime=0x1d8296f, ftLastWriteTime.dwLowDateTime=0xb7008f0, ftLastWriteTime.dwHighDateTime=0x1d8296f, nFileSizeHigh=0x0, nFileSizeLow=0x1195d, dwReserved0=0x0, dwReserved1=0x0, cFileName="M7OcQ_xS53l_hYT3Q.mp3", cAlternateFileName="M7OCQ_~1.MP3")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab935e0, ftCreationTime.dwHighDateTime=0x1d819ad, ftLastAccessTime.dwLowDateTime=0x4d81af30, ftLastAccessTime.dwHighDateTime=0x1d81c47, ftLastWriteTime.dwLowDateTime=0x4d81af30, ftLastWriteTime.dwHighDateTime=0x1d81c47, nFileSizeHigh=0x0, nFileSizeLow=0x8436, dwReserved0=0x0, dwReserved1=0x0, cFileName="VtNmsD.m4a", cAlternateFileName="")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb059360, ftCreationTime.dwHighDateTime=0x1d82827, ftLastAccessTime.dwLowDateTime=0x6667c6c0, ftLastAccessTime.dwHighDateTime=0x1d828ad, ftLastWriteTime.dwLowDateTime=0x6667c6c0, ftLastWriteTime.dwHighDateTime=0x1d828ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yljx7Ntl5VcbSN", cAlternateFileName="YLJX7N~1")) returned 1 [0294.038] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.038] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0294.038] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.038] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.039] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.040] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0294.040] WriteFile (in: hFile=0x470, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0294.041] CloseHandle (hObject=0x470) returned 1 [0294.041] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\1 aiY4L.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\1 aiy4l.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a63ecd0, ftCreationTime.dwHighDateTime=0x1d81a03, ftLastAccessTime.dwLowDateTime=0xa5c84340, ftLastAccessTime.dwHighDateTime=0x1d81d94, ftLastWriteTime.dwLowDateTime=0xa5c84340, ftLastWriteTime.dwHighDateTime=0x1d81d94, nFileSizeHigh=0x0, nFileSizeLow=0xe210)) returned 1 [0294.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\59FnZ5JJNh.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\59fnz5jjnh.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ff2440, ftCreationTime.dwHighDateTime=0x1d8296c, ftLastAccessTime.dwLowDateTime=0x801a19a0, ftLastAccessTime.dwHighDateTime=0x1d8297b, ftLastWriteTime.dwLowDateTime=0x801a19a0, ftLastWriteTime.dwHighDateTime=0x1d8297b, nFileSizeHigh=0x0, nFileSizeLow=0xeb89)) returned 1 [0294.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\1 aiY4L.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\1 aiy4l.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.042] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\1 aiY4L.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\1 aiy4l.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a63ecd0, ftCreationTime.dwHighDateTime=0x1d81a03, ftLastAccessTime.dwLowDateTime=0xa5c84340, ftLastAccessTime.dwHighDateTime=0x1d81d94, ftLastWriteTime.dwLowDateTime=0xa5c84340, ftLastWriteTime.dwHighDateTime=0x1d81d94, nFileSizeHigh=0x0, nFileSizeLow=0xe210)) returned 1 [0294.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6de0 | out: pbBuffer=0x12ac6de0) returned 1 [0294.043] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915060 | out: pbBuffer=0x12915060) returned 1 [0294.044] ReadFile (in: hFile=0x470, lpBuffer=0x12e10000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e10000*, lpNumberOfBytesRead=0x12a2bd1c*=0xe210, lpOverlapped=0x0) returned 1 [0294.046] GetFileType (hFile=0x470) returned 0x1 [0294.046] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.046] WriteFile (in: hFile=0x470, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0xe210, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a2bd00*=0xe210, lpOverlapped=0x12a2bd0c) returned 1 [0294.047] GetFileType (hFile=0x470) returned 0x1 [0294.047] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xe210, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801501 | out: pbBuffer=0x12801501) returned 1 [0294.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801601 | out: pbBuffer=0x12801601) returned 1 [0294.047] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801701 | out: pbBuffer=0x12801701) returned 1 [0294.048] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915118 | out: pbBuffer=0x12915118) returned 1 [0294.048] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\1 aiY4L.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\1 aiy4l.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0294.048] GetConsoleMode (in: hConsoleHandle=0x474, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.048] WriteFile (in: hFile=0x474, lpBuffer=0x12ac2a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2a00*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.048] CloseHandle (hObject=0x474) returned 1 [0294.048] CloseHandle (hObject=0x470) returned 1 [0294.049] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915130 | out: pbBuffer=0x12915130) returned 1 [0294.049] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\1 aiY4L.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\1 aiy4l.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\#_THIS_FILE_IS_ENCRYPTED_[65B2A5E82847FA03]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\#_this_file_is_encrypted_[65b2a5e82847fa03]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.050] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\59FnZ5JJNh.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\59fnz5jjnh.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.051] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.051] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\59FnZ5JJNh.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\59fnz5jjnh.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ff2440, ftCreationTime.dwHighDateTime=0x1d8296c, ftLastAccessTime.dwLowDateTime=0x801a19a0, ftLastAccessTime.dwHighDateTime=0x1d8297b, ftLastWriteTime.dwLowDateTime=0x801a19a0, ftLastWriteTime.dwHighDateTime=0x1d8297b, nFileSizeHigh=0x0, nFileSizeLow=0xeb89)) returned 1 [0294.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6fe0 | out: pbBuffer=0x12ac6fe0) returned 1 [0294.051] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915178 | out: pbBuffer=0x12915178) returned 1 [0294.051] ReadFile (in: hFile=0x470, lpBuffer=0x12b7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b7e000*, lpNumberOfBytesRead=0x12a2bd1c*=0xeb89, lpOverlapped=0x0) returned 1 [0294.055] GetFileType (hFile=0x470) returned 0x1 [0294.055] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.055] WriteFile (in: hFile=0x470, lpBuffer=0x12bbe000*, nNumberOfBytesToWrite=0xeb89, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12bbe000*, lpNumberOfBytesWritten=0x12a2bd00*=0xeb89, lpOverlapped=0x12a2bd0c) returned 1 [0294.056] GetFileType (hFile=0x470) returned 0x1 [0294.056] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xeb89, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801981 | out: pbBuffer=0x12801981) returned 1 [0294.056] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801a81 | out: pbBuffer=0x12801a81) returned 1 [0294.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801b81 | out: pbBuffer=0x12801b81) returned 1 [0294.057] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12915260 | out: pbBuffer=0x12915260) returned 1 [0294.057] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\59FnZ5JJNh.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\59fnz5jjnh.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.065] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.084] SetEvent (hEvent=0x1d0) returned 1 [0294.084] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.084] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2f00*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.085] CloseHandle (hObject=0x44c) returned 1 [0294.085] CloseHandle (hObject=0x470) returned 1 [0294.085] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12915278 | out: pbBuffer=0x12915278) returned 1 [0294.085] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\59FnZ5JJNh.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\59fnz5jjnh.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\#_THIS_FILE_IS_ENCRYPTED_[241200DCF9427C3D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\#_this_file_is_encrypted_[241200dcf9427c3d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.087] SwitchToThread () returned 1 [0294.132] SetEvent (hEvent=0x1d0) returned 1 [0294.132] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.186] SetEvent (hEvent=0xf4) returned 1 [0294.187] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\8rDhX6jXWlt2.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\8rdhx6jxwlt2.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.188] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0294.188] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\8rDhX6jXWlt2.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\8rdhx6jxwlt2.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa094a000, ftCreationTime.dwHighDateTime=0x1d822a6, ftLastAccessTime.dwLowDateTime=0x847877a0, ftLastAccessTime.dwHighDateTime=0x1d824ce, ftLastWriteTime.dwLowDateTime=0x847877a0, ftLastWriteTime.dwHighDateTime=0x1d824ce, nFileSizeHigh=0x0, nFileSizeLow=0xcba0)) returned 1 [0294.188] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0294.188] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0294.188] ReadFile (in: hFile=0x464, lpBuffer=0x12bde000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x12bde000*, lpNumberOfBytesRead=0x12851d1c*=0xcba0, lpOverlapped=0x0) returned 1 [0294.191] GetFileType (hFile=0x464) returned 0x1 [0294.191] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.191] WriteFile (in: hFile=0x464, lpBuffer=0x12a32000*, nNumberOfBytesToWrite=0xcba0, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12a32000*, lpNumberOfBytesWritten=0x12851d00*=0xcba0, lpOverlapped=0x12851d0c) returned 1 [0294.191] GetFileType (hFile=0x464) returned 0x1 [0294.192] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xcba0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc001 | out: pbBuffer=0x12afc001) returned 1 [0294.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc101 | out: pbBuffer=0x12afc101) returned 1 [0294.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc201 | out: pbBuffer=0x12afc201) returned 1 [0294.193] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0294.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\8rDhX6jXWlt2.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\8rdhx6jxwlt2.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.193] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0294.194] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.194] CloseHandle (hObject=0x470) returned 1 [0294.194] CloseHandle (hObject=0x464) returned 1 [0294.194] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0294.194] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\8rDhX6jXWlt2.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\8rdhx6jxwlt2.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\#_THIS_FILE_IS_ENCRYPTED_[A0BDC2D48D066980]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\#_this_file_is_encrypted_[a0bdc2d48d066980]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.197] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\GAqLsn0Nsu6JaA.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\gaqlsn0nsu6jaa.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.197] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.197] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\GAqLsn0Nsu6JaA.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\gaqlsn0nsu6jaa.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78f58a10, ftCreationTime.dwHighDateTime=0x1d819cc, ftLastAccessTime.dwLowDateTime=0x452d1cf0, ftLastAccessTime.dwHighDateTime=0x1d82095, ftLastWriteTime.dwLowDateTime=0x452d1cf0, ftLastWriteTime.dwHighDateTime=0x1d82095, nFileSizeHigh=0x0, nFileSizeLow=0xa19e)) returned 1 [0294.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129282a0 | out: pbBuffer=0x129282a0) returned 1 [0294.198] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0294.198] ReadFile (in: hFile=0x464, lpBuffer=0x129bc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x129bc000*, lpNumberOfBytesRead=0x12a2bd1c*=0xa19e, lpOverlapped=0x0) returned 1 [0294.200] GetFileType (hFile=0x464) returned 0x1 [0294.200] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.200] WriteFile (in: hFile=0x464, lpBuffer=0x12ac8000*, nNumberOfBytesToWrite=0xa19e, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12ac8000*, lpNumberOfBytesWritten=0x12a2bd00*=0xa19e, lpOverlapped=0x12a2bd0c) returned 1 [0294.201] GetFileType (hFile=0x464) returned 0x1 [0294.201] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa19e, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc401 | out: pbBuffer=0x12afc401) returned 1 [0294.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc581 | out: pbBuffer=0x12afc581) returned 1 [0294.201] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc701 | out: pbBuffer=0x12afc701) returned 1 [0294.202] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484b8 | out: pbBuffer=0x128484b8) returned 1 [0294.202] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\GAqLsn0Nsu6JaA.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\gaqlsn0nsu6jaa.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.202] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.202] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.202] CloseHandle (hObject=0x470) returned 1 [0294.202] CloseHandle (hObject=0x464) returned 1 [0294.202] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128484d0 | out: pbBuffer=0x128484d0) returned 1 [0294.202] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\GAqLsn0Nsu6JaA.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\gaqlsn0nsu6jaa.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\J_GcTV\\#_THIS_FILE_IS_ENCRYPTED_[66FBDEB3060F3768]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\j_gctv\\#_this_file_is_encrypted_[66fbdeb3060f3768]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\M7OcQ_xS53l_hYT3Q.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\m7ocq_xs53l_hyt3q.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf5e41a0, ftCreationTime.dwHighDateTime=0x1d82636, ftLastAccessTime.dwLowDateTime=0xb7008f0, ftLastAccessTime.dwHighDateTime=0x1d8296f, ftLastWriteTime.dwLowDateTime=0xb7008f0, ftLastWriteTime.dwHighDateTime=0x1d8296f, nFileSizeHigh=0x0, nFileSizeLow=0x1195d)) returned 1 [0294.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\VtNmsD.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\vtnmsd.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab935e0, ftCreationTime.dwHighDateTime=0x1d819ad, ftLastAccessTime.dwLowDateTime=0x4d81af30, ftLastAccessTime.dwHighDateTime=0x1d81c47, ftLastWriteTime.dwLowDateTime=0x4d81af30, ftLastWriteTime.dwHighDateTime=0x1d81c47, nFileSizeHigh=0x0, nFileSizeLow=0x8436)) returned 1 [0294.204] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\bg-GfqHuaumP.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\bg-gfqhuaump.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29ec1960, ftCreationTime.dwHighDateTime=0x1d81f3b, ftLastAccessTime.dwLowDateTime=0xd44e27f0, ftLastAccessTime.dwHighDateTime=0x1d820de, ftLastWriteTime.dwLowDateTime=0xd44e27f0, ftLastWriteTime.dwHighDateTime=0x1d820de, nFileSizeHigh=0x0, nFileSizeLow=0x8bf0)) returned 1 [0294.204] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\VtNmsD.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\vtnmsd.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.205] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.205] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\VtNmsD.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\vtnmsd.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab935e0, ftCreationTime.dwHighDateTime=0x1d819ad, ftLastAccessTime.dwLowDateTime=0x4d81af30, ftLastAccessTime.dwHighDateTime=0x1d81c47, ftLastWriteTime.dwLowDateTime=0x4d81af30, ftLastWriteTime.dwHighDateTime=0x1d81c47, nFileSizeHigh=0x0, nFileSizeLow=0x8436)) returned 1 [0294.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928aa0 | out: pbBuffer=0x12928aa0) returned 1 [0294.206] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849720 | out: pbBuffer=0x12849720) returned 1 [0294.206] ReadFile (in: hFile=0x464, lpBuffer=0x12aa2000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12aa2000*, lpNumberOfBytesRead=0x12a2bd1c*=0x8436, lpOverlapped=0x0) returned 1 [0294.208] GetFileType (hFile=0x464) returned 0x1 [0294.208] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.208] WriteFile (in: hFile=0x464, lpBuffer=0x12ad4000*, nNumberOfBytesToWrite=0x8436, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12ad4000*, lpNumberOfBytesWritten=0x12a2bd00*=0x8436, lpOverlapped=0x12a2bd0c) returned 1 [0294.208] GetFileType (hFile=0x464) returned 0x1 [0294.208] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x8436, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.208] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afc981 | out: pbBuffer=0x12afc981) returned 1 [0294.209] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afca81 | out: pbBuffer=0x12afca81) returned 1 [0294.209] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcb81 | out: pbBuffer=0x12afcb81) returned 1 [0294.209] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128497d8 | out: pbBuffer=0x128497d8) returned 1 [0294.209] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\VtNmsD.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\vtnmsd.m4a"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.209] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.209] WriteFile (in: hFile=0x470, lpBuffer=0x12dd1400*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1400*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.209] CloseHandle (hObject=0x470) returned 1 [0294.210] CloseHandle (hObject=0x464) returned 1 [0294.210] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849800 | out: pbBuffer=0x12849800) returned 1 [0294.210] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\VtNmsD.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\vtnmsd.m4a"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\#_THIS_FILE_IS_ENCRYPTED_[935F3297ECC7B00A]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\#_this_file_is_encrypted_[935f3297ecc7b00a]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.211] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\bg-GfqHuaumP.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\bg-gfqhuaump.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.212] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.212] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\bg-GfqHuaumP.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\bg-gfqhuaump.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29ec1960, ftCreationTime.dwHighDateTime=0x1d81f3b, ftLastAccessTime.dwLowDateTime=0xd44e27f0, ftLastAccessTime.dwHighDateTime=0x1d820de, ftLastWriteTime.dwLowDateTime=0xd44e27f0, ftLastWriteTime.dwHighDateTime=0x1d820de, nFileSizeHigh=0x0, nFileSizeLow=0x8bf0)) returned 1 [0294.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928ca0 | out: pbBuffer=0x12928ca0) returned 1 [0294.212] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849858 | out: pbBuffer=0x12849858) returned 1 [0294.212] ReadFile (in: hFile=0x464, lpBuffer=0x129fc000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x129fc000*, lpNumberOfBytesRead=0x12a2bd1c*=0x8bf0, lpOverlapped=0x0) returned 1 [0294.216] GetFileType (hFile=0x464) returned 0x1 [0294.216] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.216] WriteFile (in: hFile=0x464, lpBuffer=0x12a58000*, nNumberOfBytesToWrite=0x8bf0, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12a58000*, lpNumberOfBytesWritten=0x12a2bd00*=0x8bf0, lpOverlapped=0x12a2bd0c) returned 1 [0294.216] GetFileType (hFile=0x464) returned 0x1 [0294.216] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x8bf0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.216] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afce01 | out: pbBuffer=0x12afce01) returned 1 [0294.216] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afcf01 | out: pbBuffer=0x12afcf01) returned 1 [0294.218] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd001 | out: pbBuffer=0x12afd001) returned 1 [0294.218] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12849990 | out: pbBuffer=0x12849990) returned 1 [0294.218] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\bg-GfqHuaumP.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\bg-gfqhuaump.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.218] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.219] WriteFile (in: hFile=0x470, lpBuffer=0x12dd1900*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd1900*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.219] CloseHandle (hObject=0x470) returned 1 [0294.219] CloseHandle (hObject=0x464) returned 1 [0294.219] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128499a8 | out: pbBuffer=0x128499a8) returned 1 [0294.219] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\bg-GfqHuaumP.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\bg-gfqhuaump.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\#_THIS_FILE_IS_ENCRYPTED_[1800E93AC36AE406]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\#_this_file_is_encrypted_[1800e93ac36ae406]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.220] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\hNADd WlkRZXly9vVPc.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\hnadd wlkrzxly9vvpc.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97815a70, ftCreationTime.dwHighDateTime=0x1d823fb, ftLastAccessTime.dwLowDateTime=0xa5df5bb0, ftLastAccessTime.dwHighDateTime=0x1d8292f, ftLastWriteTime.dwLowDateTime=0xa5df5bb0, ftLastWriteTime.dwHighDateTime=0x1d8292f, nFileSizeHigh=0x0, nFileSizeLow=0x143e6)) returned 1 [0294.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb059360, ftCreationTime.dwHighDateTime=0x1d82827, ftLastAccessTime.dwLowDateTime=0x6667c6c0, ftLastAccessTime.dwHighDateTime=0x1d828ad, ftLastWriteTime.dwLowDateTime=0x6667c6c0, ftLastWriteTime.dwHighDateTime=0x1d828ad, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.221] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.221] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\*", lpFindFileData=0x128579cc | out: lpFindFileData=0x128579cc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb059360, ftCreationTime.dwHighDateTime=0x1d82827, ftLastAccessTime.dwLowDateTime=0x6667c6c0, ftLastAccessTime.dwHighDateTime=0x1d828ad, ftLastWriteTime.dwLowDateTime=0x6667c6c0, ftLastWriteTime.dwHighDateTime=0x1d828ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefb38 [0294.221] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb059360, ftCreationTime.dwHighDateTime=0x1d82827, ftLastAccessTime.dwLowDateTime=0x6667c6c0, ftLastAccessTime.dwHighDateTime=0x1d828ad, ftLastWriteTime.dwLowDateTime=0x6667c6c0, ftLastWriteTime.dwHighDateTime=0x1d828ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.221] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8908ff00, ftCreationTime.dwHighDateTime=0x1d822db, ftLastAccessTime.dwLowDateTime=0xbed606b0, ftLastAccessTime.dwHighDateTime=0x1d824ce, ftLastWriteTime.dwLowDateTime=0xbed606b0, ftLastWriteTime.dwHighDateTime=0x1d824ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3mk8bhVEVTMQxwx", cAlternateFileName="3MK8BH~1")) returned 1 [0294.221] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2b28c50, ftCreationTime.dwHighDateTime=0x1d8253d, ftLastAccessTime.dwLowDateTime=0x25a95280, ftLastAccessTime.dwHighDateTime=0x1d828f2, ftLastWriteTime.dwLowDateTime=0x25a95280, ftLastWriteTime.dwHighDateTime=0x1d828f2, nFileSizeHigh=0x0, nFileSizeLow=0x3681, dwReserved0=0x0, dwReserved1=0x0, cFileName="C yeb-YqHxmdN.mp3", cAlternateFileName="CYEB-Y~1.MP3")) returned 1 [0294.221] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c8dff0, ftCreationTime.dwHighDateTime=0x1d8238d, ftLastAccessTime.dwLowDateTime=0x5a2431a0, ftLastAccessTime.dwHighDateTime=0x1d8297a, ftLastWriteTime.dwLowDateTime=0x5a2431a0, ftLastWriteTime.dwHighDateTime=0x1d8297a, nFileSizeHigh=0x0, nFileSizeLow=0x16634, dwReserved0=0x0, dwReserved1=0x0, cFileName="F8DESDMwN.wav", cAlternateFileName="F8DESD~1.WAV")) returned 1 [0294.221] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ba0490, ftCreationTime.dwHighDateTime=0x1d82164, ftLastAccessTime.dwLowDateTime=0x1c82fcb0, ftLastAccessTime.dwHighDateTime=0x1d8282f, ftLastWriteTime.dwLowDateTime=0x1c82fcb0, ftLastWriteTime.dwHighDateTime=0x1d8282f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IxK2aIlFxAhipB", cAlternateFileName="IXK2AI~1")) returned 1 [0294.222] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb2214fd0, ftCreationTime.dwHighDateTime=0x1d821e3, ftLastAccessTime.dwLowDateTime=0xb1f92420, ftLastAccessTime.dwHighDateTime=0x1d827d2, ftLastWriteTime.dwLowDateTime=0xb1f92420, ftLastWriteTime.dwHighDateTime=0x1d827d2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mgH8XE_3YqN_8iEki", cAlternateFileName="MGH8XE~1")) returned 1 [0294.222] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857a10 | out: lpFindFileData=0x12857a10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.222] FindClose (in: hFindFile=0xbefb38 | out: hFindFile=0xbefb38) returned 1 [0294.222] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857694 | out: lpFileInformation=0x12857694*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.222] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.223] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x128578a4 | out: lpMode=0x128578a4) returned 0 [0294.223] WriteFile (in: hFile=0x464, lpBuffer=0x12a52000*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x128578a4, lpOverlapped=0x0 | out: lpBuffer=0x12a52000*, lpNumberOfBytesWritten=0x128578a4*=0x118a, lpOverlapped=0x0) returned 1 [0294.246] CloseHandle (hObject=0x464) returned 1 [0294.246] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8908ff00, ftCreationTime.dwHighDateTime=0x1d822db, ftLastAccessTime.dwLowDateTime=0xbed606b0, ftLastAccessTime.dwHighDateTime=0x1d824ce, ftLastWriteTime.dwLowDateTime=0xbed606b0, ftLastWriteTime.dwHighDateTime=0x1d824ce, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.247] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.247] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\*", lpFindFileData=0x12857968 | out: lpFindFileData=0x12857968*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8908ff00, ftCreationTime.dwHighDateTime=0x1d822db, ftLastAccessTime.dwLowDateTime=0xbed606b0, ftLastAccessTime.dwHighDateTime=0x1d824ce, ftLastWriteTime.dwLowDateTime=0xbed606b0, ftLastWriteTime.dwHighDateTime=0x1d824ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefeb8 [0294.247] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8908ff00, ftCreationTime.dwHighDateTime=0x1d822db, ftLastAccessTime.dwLowDateTime=0xbed606b0, ftLastAccessTime.dwHighDateTime=0x1d824ce, ftLastWriteTime.dwLowDateTime=0xbed606b0, ftLastWriteTime.dwHighDateTime=0x1d824ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.247] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0e041b0, ftCreationTime.dwHighDateTime=0x1d82757, ftLastAccessTime.dwLowDateTime=0x5afd6590, ftLastAccessTime.dwHighDateTime=0x1d828b4, ftLastWriteTime.dwLowDateTime=0x5afd6590, ftLastWriteTime.dwHighDateTime=0x1d828b4, nFileSizeHigh=0x0, nFileSizeLow=0xed5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="0q12e.mp3", cAlternateFileName="")) returned 1 [0294.247] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1e9fa70, ftCreationTime.dwHighDateTime=0x1d81add, ftLastAccessTime.dwLowDateTime=0xca494350, ftLastAccessTime.dwHighDateTime=0x1d8296e, ftLastWriteTime.dwLowDateTime=0xca494350, ftLastWriteTime.dwHighDateTime=0x1d8296e, nFileSizeHigh=0x0, nFileSizeLow=0xab7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="hI0FYGyj19rrjP.m4a", cAlternateFileName="HI0FYG~1.M4A")) returned 1 [0294.247] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2cac010, ftCreationTime.dwHighDateTime=0x1d822b0, ftLastAccessTime.dwLowDateTime=0xdfeafdf0, ftLastAccessTime.dwHighDateTime=0x1d824c0, ftLastWriteTime.dwLowDateTime=0xdfeafdf0, ftLastWriteTime.dwHighDateTime=0x1d824c0, nFileSizeHigh=0x0, nFileSizeLow=0xb9e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="RMZsOFOkeg68udY j.wav", cAlternateFileName="RMZSOF~1.WAV")) returned 1 [0294.247] FindNextFileW (in: hFindFile=0xbefeb8, lpFindFileData=0x128579ac | out: lpFindFileData=0x128579ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.248] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0294.248] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x12857630 | out: lpFileInformation=0x12857630*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.248] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.248] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.249] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12857840 | out: lpMode=0x12857840) returned 0 [0294.249] WriteFile (in: hFile=0x464, lpBuffer=0x12a53300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857840, lpOverlapped=0x0 | out: lpBuffer=0x12a53300*, lpNumberOfBytesWritten=0x12857840*=0x118a, lpOverlapped=0x0) returned 1 [0294.251] CloseHandle (hObject=0x464) returned 1 [0294.251] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\0q12e.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\0q12e.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0e041b0, ftCreationTime.dwHighDateTime=0x1d82757, ftLastAccessTime.dwLowDateTime=0x5afd6590, ftLastAccessTime.dwHighDateTime=0x1d828b4, ftLastWriteTime.dwLowDateTime=0x5afd6590, ftLastWriteTime.dwHighDateTime=0x1d828b4, nFileSizeHigh=0x0, nFileSizeLow=0xed5d)) returned 1 [0294.251] SetEvent (hEvent=0xf4) returned 1 [0294.251] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\RMZsOFOkeg68udY j.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\rmzsofokeg68udy j.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2cac010, ftCreationTime.dwHighDateTime=0x1d822b0, ftLastAccessTime.dwLowDateTime=0xdfeafdf0, ftLastAccessTime.dwHighDateTime=0x1d824c0, ftLastWriteTime.dwLowDateTime=0xdfeafdf0, ftLastWriteTime.dwHighDateTime=0x1d824c0, nFileSizeHigh=0x0, nFileSizeLow=0xb9e4)) returned 1 [0294.251] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\3mk8bhVEVTMQxwx\\hI0FYGyj19rrjP.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\3mk8bhvevtmqxwx\\hi0fygyj19rrjp.m4a"), fInfoLevelId=0x0, lpFileInformation=0x12857a2c | out: lpFileInformation=0x12857a2c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1e9fa70, ftCreationTime.dwHighDateTime=0x1d81add, ftLastAccessTime.dwLowDateTime=0xca494350, ftLastAccessTime.dwHighDateTime=0x1d8296e, ftLastWriteTime.dwLowDateTime=0xca494350, ftLastWriteTime.dwHighDateTime=0x1d8296e, nFileSizeHigh=0x0, nFileSizeLow=0xab7a)) returned 1 [0294.252] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\C yeb-YqHxmdN.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\c yeb-yqhxmdn.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2b28c50, ftCreationTime.dwHighDateTime=0x1d8253d, ftLastAccessTime.dwLowDateTime=0x25a95280, ftLastAccessTime.dwHighDateTime=0x1d828f2, ftLastWriteTime.dwLowDateTime=0x25a95280, ftLastWriteTime.dwHighDateTime=0x1d828f2, nFileSizeHigh=0x0, nFileSizeLow=0x3681)) returned 1 [0294.252] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\F8DESDMwN.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\f8desdmwn.wav"), fInfoLevelId=0x0, lpFileInformation=0x12857a90 | out: lpFileInformation=0x12857a90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c8dff0, ftCreationTime.dwHighDateTime=0x1d8238d, ftLastAccessTime.dwLowDateTime=0x5a2431a0, ftLastAccessTime.dwHighDateTime=0x1d8297a, ftLastWriteTime.dwLowDateTime=0x5a2431a0, ftLastWriteTime.dwHighDateTime=0x1d8297a, nFileSizeHigh=0x0, nFileSizeLow=0x16634)) returned 1 [0294.252] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\C yeb-YqHxmdN.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\c yeb-yqhxmdn.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.253] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.253] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\C yeb-YqHxmdN.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\c yeb-yqhxmdn.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2b28c50, ftCreationTime.dwHighDateTime=0x1d8253d, ftLastAccessTime.dwLowDateTime=0x25a95280, ftLastAccessTime.dwHighDateTime=0x1d828f2, ftLastWriteTime.dwLowDateTime=0x25a95280, ftLastWriteTime.dwHighDateTime=0x1d828f2, nFileSizeHigh=0x0, nFileSizeLow=0x3681)) returned 1 [0294.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x128449a0 | out: pbBuffer=0x128449a0) returned 1 [0294.253] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b1a0 | out: pbBuffer=0x12a9b1a0) returned 1 [0294.253] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0294.255] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.255] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xd1fb20, ulCount=0x10, ulNumEntriesRemoved=0xd1fb04, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xd1fb20, ulNumEntriesRemoved=0xd1fb04) returned 0 [0294.256] SetEvent (hEvent=0x110) returned 1 [0294.256] SetEvent (hEvent=0xf4) returned 1 [0294.256] ReadFile (in: hFile=0x464, lpBuffer=0x1296c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x1296c000*, lpNumberOfBytesRead=0x12a2fd1c*=0x3681, lpOverlapped=0x0) returned 1 [0294.258] GetFileType (hFile=0x464) returned 0x1 [0294.258] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.258] WriteFile (in: hFile=0x464, lpBuffer=0x129ac000*, nNumberOfBytesToWrite=0x3681, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x129ac000*, lpNumberOfBytesWritten=0x12a2fd00*=0x3681, lpOverlapped=0x12a2fd0c) returned 1 [0294.258] GetFileType (hFile=0x464) returned 0x1 [0294.258] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x3681, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.258] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd401 | out: pbBuffer=0x12afd401) returned 1 [0294.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd501 | out: pbBuffer=0x12afd501) returned 1 [0294.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd601 | out: pbBuffer=0x12afd601) returned 1 [0294.259] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b278 | out: pbBuffer=0x12a9b278) returned 1 [0294.259] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\C yeb-YqHxmdN.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\c yeb-yqhxmdn.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.259] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.259] WriteFile (in: hFile=0x468, lpBuffer=0x12aee000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee000*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.260] CloseHandle (hObject=0x468) returned 1 [0294.260] CloseHandle (hObject=0x464) returned 1 [0294.260] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b2d0 | out: pbBuffer=0x12a9b2d0) returned 1 [0294.260] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\C yeb-YqHxmdN.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\c yeb-yqhxmdn.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\#_THIS_FILE_IS_ENCRYPTED_[C2ABBEECC9600046]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\#_this_file_is_encrypted_[c2abbeecc9600046]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.262] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\F8DESDMwN.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\f8desdmwn.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.263] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.263] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\F8DESDMwN.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\f8desdmwn.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a2fad0 | out: lpFileInformation=0x12a2fad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c8dff0, ftCreationTime.dwHighDateTime=0x1d8238d, ftLastAccessTime.dwLowDateTime=0x5a2431a0, ftLastAccessTime.dwHighDateTime=0x1d8297a, ftLastWriteTime.dwLowDateTime=0x5a2431a0, ftLastWriteTime.dwHighDateTime=0x1d8297a, nFileSizeHigh=0x0, nFileSizeLow=0x16634)) returned 1 [0294.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844c80 | out: pbBuffer=0x12844c80) returned 1 [0294.263] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b348 | out: pbBuffer=0x12a9b348) returned 1 [0294.263] ReadFile (in: hFile=0x464, lpBuffer=0x12c84000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2fd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c84000*, lpNumberOfBytesRead=0x12a2fd1c*=0x16634, lpOverlapped=0x0) returned 1 [0294.265] GetFileType (hFile=0x464) returned 0x1 [0294.265] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.265] WriteFile (in: hFile=0x464, lpBuffer=0x12cc4000*, nNumberOfBytesToWrite=0x16634, lpNumberOfBytesWritten=0x12a2fd00, lpOverlapped=0x12a2fd0c | out: lpBuffer=0x12cc4000*, lpNumberOfBytesWritten=0x12a2fd00*=0x16634, lpOverlapped=0x12a2fd0c) returned 1 [0294.265] GetFileType (hFile=0x464) returned 0x1 [0294.265] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x16634, lpNewFilePointer=0x0, dwMoveMethod=0x12a2fce4 | out: lpNewFilePointer=0x0) returned 1 [0294.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd801 | out: pbBuffer=0x12afd801) returned 1 [0294.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afd901 | out: pbBuffer=0x12afd901) returned 1 [0294.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12afda01 | out: pbBuffer=0x12afda01) returned 1 [0294.266] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b450 | out: pbBuffer=0x12a9b450) returned 1 [0294.266] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\F8DESDMwN.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\f8desdmwn.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.266] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2fd0c | out: lpMode=0x12a2fd0c) returned 0 [0294.267] WriteFile (in: hFile=0x468, lpBuffer=0x12aee500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2fd0c, lpOverlapped=0x0 | out: lpBuffer=0x12aee500*, lpNumberOfBytesWritten=0x12a2fd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.267] CloseHandle (hObject=0x468) returned 1 [0294.267] CloseHandle (hObject=0x464) returned 1 [0294.267] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b468 | out: pbBuffer=0x12a9b468) returned 1 [0294.268] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\F8DESDMwN.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\f8desdmwn.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\#_THIS_FILE_IS_ENCRYPTED_[05A2BD7E87CEC708]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\#_this_file_is_encrypted_[05a2bd7e87cec708]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.270] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0294.280] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.280] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x0 [0294.282] GetQueuedCompletionStatusEx (in: CompletionPort=0x1a8, lpCompletionPortEntries=0xd1fb28, ulCount=0x10, ulNumEntriesRemoved=0xd1fb0c, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0xd1fb28, ulNumEntriesRemoved=0xd1fb0c) returned 0 [0294.282] SetEvent (hEvent=0x1d0) returned 1 [0294.282] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0x1) returned 0x102 [0294.330] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.330] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\YvsVfer.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\yvsvfer.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.331] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0294.331] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\YvsVfer.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\yvsvfer.wav"), fInfoLevelId=0x0, lpFileInformation=0x12851ad0 | out: lpFileInformation=0x12851ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2cd00c0, ftCreationTime.dwHighDateTime=0x1d8211a, ftLastAccessTime.dwLowDateTime=0xfbd585f0, ftLastAccessTime.dwHighDateTime=0x1d828a1, ftLastWriteTime.dwLowDateTime=0xfbd585f0, ftLastWriteTime.dwHighDateTime=0x1d828a1, nFileSizeHigh=0x0, nFileSizeLow=0xf25d)) returned 1 [0294.331] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0294.331] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0294.331] ReadFile (in: hFile=0x468, lpBuffer=0x1296c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12851d1c, lpOverlapped=0x0 | out: lpBuffer=0x1296c000*, lpNumberOfBytesRead=0x12851d1c*=0xf25d, lpOverlapped=0x0) returned 1 [0294.334] GetFileType (hFile=0x468) returned 0x1 [0294.334] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.334] WriteFile (in: hFile=0x468, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0xf25d, lpNumberOfBytesWritten=0x12851d00, lpOverlapped=0x12851d0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12851d00*=0xf25d, lpOverlapped=0x12851d0c) returned 1 [0294.335] GetFileType (hFile=0x468) returned 0x1 [0294.335] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xf25d, lpNewFilePointer=0x0, dwMoveMethod=0x12851ce4 | out: lpNewFilePointer=0x0) returned 1 [0294.335] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0294.336] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0294.336] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0294.336] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0294.336] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\YvsVfer.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\yvsvfer.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.336] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12851d0c | out: lpMode=0x12851d0c) returned 0 [0294.336] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12851d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0a00*, lpNumberOfBytesWritten=0x12851d0c*=0x276, lpOverlapped=0x0) returned 1 [0294.337] CloseHandle (hObject=0x470) returned 1 [0294.337] CloseHandle (hObject=0x468) returned 1 [0294.337] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0294.337] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\YvsVfer.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\yvsvfer.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\#_THIS_FILE_IS_ENCRYPTED_[350E7DDB5C1F676D]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\#_this_file_is_encrypted_[350e7ddb5c1f676d]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.338] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\-b5_MxngD.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\-b5_mxngd.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.339] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.339] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\IxK2aIlFxAhipB\\-b5_MxngD.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\ixk2ailfxahipb\\-b5_mxngd.mp3"), fInfoLevelId=0x0, lpFileInformation=0x12a2dad0 | out: lpFileInformation=0x12a2dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1aa8aa0, ftCreationTime.dwHighDateTime=0x1d82039, ftLastAccessTime.dwLowDateTime=0x3f934b80, ftLastAccessTime.dwHighDateTime=0x1d828e1, ftLastWriteTime.dwLowDateTime=0x3f934b80, ftLastWriteTime.dwHighDateTime=0x1d828e1, nFileSizeHigh=0x0, nFileSizeLow=0xa5c5)) returned 1 [0294.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928280 | out: pbBuffer=0x12928280) returned 1 [0294.339] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0294.339] ReadFile (in: hFile=0x468, lpBuffer=0x12c44000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c44000*, lpNumberOfBytesRead=0x12a2dd1c*=0xa5c5, lpOverlapped=0x0) returned 1 [0294.343] GetFileType (hFile=0x468) returned 0x1 [0294.343] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.343] WriteFile (in: hFile=0x468, lpBuffer=0x12dd8000*, nNumberOfBytesToWrite=0xa5c5, lpNumberOfBytesWritten=0x12a2dd00, lpOverlapped=0x12a2dd0c | out: lpBuffer=0x12dd8000*, lpNumberOfBytesWritten=0x12a2dd00*=0xa5c5, lpOverlapped=0x12a2dd0c) returned 1 [0294.349] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.391] SetEvent (hEvent=0xf4) returned 1 [0294.391] GetFileType (hFile=0x468) returned 0x1 [0294.391] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xa5c5, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.391] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.393] SetEvent (hEvent=0xf4) returned 1 [0294.393] SetEvent (hEvent=0x19c) returned 1 [0294.394] GetFileType (hFile=0x470) returned 0x1 [0294.394] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.394] WriteFile (in: hFile=0x470, lpBuffer=0x128ee000*, nNumberOfBytesToWrite=0x12546, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x128ee000*, lpNumberOfBytesWritten=0x12a2bd00*=0x12546, lpOverlapped=0x12a2bd0c) returned 1 [0294.395] GetFileType (hFile=0x470) returned 0x1 [0294.395] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x12546, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800481 | out: pbBuffer=0x12800481) returned 1 [0294.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800581 | out: pbBuffer=0x12800581) returned 1 [0294.395] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800681 | out: pbBuffer=0x12800681) returned 1 [0294.396] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b270 | out: pbBuffer=0x12a9b270) returned 1 [0294.396] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\Xk3PPQU-esQvvpXXOrW.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\xk3ppqu-esqvvpxxorw.mp3"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.396] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.396] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.396] CloseHandle (hObject=0x44c) returned 1 [0294.397] CloseHandle (hObject=0x470) returned 1 [0294.397] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b2b8 | out: pbBuffer=0x12a9b2b8) returned 1 [0294.397] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\Xk3PPQU-esQvvpXXOrW.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\xk3ppqu-esqvvpxxorw.mp3"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\#_THIS_FILE_IS_ENCRYPTED_[913BA948AC4EF39F]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\#_this_file_is_encrypted_[913ba948ac4ef39f]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.407] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\gQqe7Q.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\gqqe7q.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.408] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.408] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\gQqe7Q.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\gqqe7q.wav"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25d77250, ftCreationTime.dwHighDateTime=0x1d8245b, ftLastAccessTime.dwLowDateTime=0xa52b80e0, ftLastAccessTime.dwHighDateTime=0x1d827c2, ftLastWriteTime.dwLowDateTime=0xa52b80e0, ftLastWriteTime.dwHighDateTime=0x1d827c2, nFileSizeHigh=0x0, nFileSizeLow=0x4692)) returned 1 [0294.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12844c60 | out: pbBuffer=0x12844c60) returned 1 [0294.409] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b340 | out: pbBuffer=0x12a9b340) returned 1 [0294.409] ReadFile (in: hFile=0x470, lpBuffer=0x12936000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12936000*, lpNumberOfBytesRead=0x12a2bd1c*=0x4692, lpOverlapped=0x0) returned 1 [0294.411] GetFileType (hFile=0x470) returned 0x1 [0294.411] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.411] WriteFile (in: hFile=0x470, lpBuffer=0x12e46000*, nNumberOfBytesToWrite=0x4692, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12e46000*, lpNumberOfBytesWritten=0x12a2bd00*=0x4692, lpOverlapped=0x12a2bd0c) returned 1 [0294.411] GetFileType (hFile=0x470) returned 0x1 [0294.412] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x4692, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0294.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0294.412] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0294.413] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12a9b448 | out: pbBuffer=0x12a9b448) returned 1 [0294.413] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\gQqe7Q.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\gqqe7q.wav"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.413] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.413] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2500*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.413] CloseHandle (hObject=0x44c) returned 1 [0294.413] CloseHandle (hObject=0x470) returned 1 [0294.414] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9b460 | out: pbBuffer=0x12a9b460) returned 1 [0294.414] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\gQqe7Q.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\gqqe7q.wav"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\sHIg88ciyWN69\\yljx7Ntl5VcbSN\\mgH8XE_3YqN_8iEki\\#_THIS_FILE_IS_ENCRYPTED_[1D6430F08AA0013E]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\shig88ciywn69\\yljx7ntl5vcbsn\\mgh8xe_3yqn_8ieki\\#_this_file_is_encrypted_[1d6430f08aa0013e]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.417] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents" (normalized: "c:\\users\\rdhj0cnfevzx\\my documents"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0294.418] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents" (normalized: "c:\\users\\rdhj0cnfevzx\\my documents"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x470 [0294.418] GetFileInformationByHandle (in: hFile=0x470, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0294.418] GetFileInformationByHandleEx (in: hFile=0x470, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0294.418] CloseHandle (hObject=0x470) returned 1 [0294.419] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6b125138, ftLastAccessTime.dwHighDateTime=0x1d82a22, ftLastWriteTime.dwLowDateTime=0x6b125138, ftLastWriteTime.dwHighDateTime=0x1d82a22, nFileSizeHigh=0x0, nFileSizeLow=0x180000)) returned 1 [0294.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents" (normalized: "c:\\users\\rdhj0cnfevzx\\my documents"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.419] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0294.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.420] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0294.420] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0294.421] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0294.421] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.421] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0294.422] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.422] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0294.422] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0294.422] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood" (normalized: "c:\\users\\rdhj0cnfevzx\\nethood"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0294.423] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood" (normalized: "c:\\users\\rdhj0cnfevzx\\nethood"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x470 [0294.423] GetFileInformationByHandle (in: hFile=0x470, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0294.423] GetFileInformationByHandleEx (in: hFile=0x470, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0294.423] CloseHandle (hObject=0x470) returned 1 [0294.423] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.424] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0294.424] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood" (normalized: "c:\\users\\rdhj0cnfevzx\\nethood"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.424] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0294.424] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0294.425] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.425] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefb38 [0294.425] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.425] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0294.425] FindNextFileW (in: hFindFile=0xbefb38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.425] FindClose (in: hFindFile=0xbefb38 | out: hFindFile=0xbefb38) returned 1 [0294.425] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.426] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.426] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.427] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0294.427] WriteFile (in: hFile=0x470, lpBuffer=0x12879300*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x12879300*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0294.430] CloseHandle (hObject=0x470) returned 1 [0294.430] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67)) returned 1 [0294.430] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf52d70e7, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf52d70e7, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0294.431] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.431] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*", lpFindFileData=0x12857a94 | out: lpFindFileData=0x12857a94*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf52d70e7, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf52d70e7, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefc38 [0294.431] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf52d70e7, ftLastAccessTime.dwHighDateTime=0x1d82a28, ftLastWriteTime.dwLowDateTime=0xf52d70e7, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.431] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa26fad40, ftCreationTime.dwHighDateTime=0x1d82114, ftLastAccessTime.dwLowDateTime=0x466b910, ftLastAccessTime.dwHighDateTime=0x1d827e3, ftLastWriteTime.dwLowDateTime=0x466b910, ftLastWriteTime.dwHighDateTime=0x1d827e3, nFileSizeHigh=0x0, nFileSizeLow=0x486d, dwReserved0=0x0, dwReserved1=0x0, cFileName="39xGW5hX3fvQs.gif", cAlternateFileName="39XGW5~1.GIF")) returned 1 [0294.431] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ba8f4a0, ftCreationTime.dwHighDateTime=0x1d82604, ftLastAccessTime.dwLowDateTime=0x9a62bf20, ftLastAccessTime.dwHighDateTime=0x1d826d2, ftLastWriteTime.dwLowDateTime=0x9a62bf20, ftLastWriteTime.dwHighDateTime=0x1d826d2, nFileSizeHigh=0x0, nFileSizeLow=0x16a91, dwReserved0=0x0, dwReserved1=0x0, cFileName="AAv4QIyj5Va9vKdwbEiS.gif", cAlternateFileName="AAV4QI~1.GIF")) returned 1 [0294.460] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0294.460] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7829b410, ftCreationTime.dwHighDateTime=0x1d8221b, ftLastAccessTime.dwLowDateTime=0xeb4cdf30, ftLastAccessTime.dwHighDateTime=0x1d8223e, ftLastWriteTime.dwLowDateTime=0xeb4cdf30, ftLastWriteTime.dwHighDateTime=0x1d8223e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ckHe9316OZQ3TyD", cAlternateFileName="CKHE93~1")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66d6fd0, ftCreationTime.dwHighDateTime=0x1d81e72, ftLastAccessTime.dwLowDateTime=0x3e781d00, ftLastAccessTime.dwHighDateTime=0x1d824fb, ftLastWriteTime.dwLowDateTime=0x3e781d00, ftLastWriteTime.dwHighDateTime=0x1d824fb, nFileSizeHigh=0x0, nFileSizeLow=0x717a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ffClS8IjO.bmp", cAlternateFileName="FFCLS8~1.BMP")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b94320, ftCreationTime.dwHighDateTime=0x1d81ba0, ftLastAccessTime.dwLowDateTime=0x9bd1fd20, ftLastAccessTime.dwHighDateTime=0x1d81deb, ftLastWriteTime.dwLowDateTime=0x9bd1fd20, ftLastWriteTime.dwHighDateTime=0x1d81deb, nFileSizeHigh=0x0, nFileSizeLow=0xc113, dwReserved0=0x0, dwReserved1=0x0, cFileName="g8aDQC0nas4R_i.png", cAlternateFileName="G8ADQC~1.PNG")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x451b40f0, ftCreationTime.dwHighDateTime=0x1d821b9, ftLastAccessTime.dwLowDateTime=0x5edc99d0, ftLastAccessTime.dwHighDateTime=0x1d825ba, ftLastWriteTime.dwLowDateTime=0x5edc99d0, ftLastWriteTime.dwHighDateTime=0x1d825ba, nFileSizeHigh=0x0, nFileSizeLow=0x15897, dwReserved0=0x0, dwReserved1=0x0, cFileName="GYc97IQh_mQirpr2.png", cAlternateFileName="GYC97I~1.PNG")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2150450, ftCreationTime.dwHighDateTime=0x1d82720, ftLastAccessTime.dwLowDateTime=0x13448b0, ftLastAccessTime.dwHighDateTime=0x1d828f2, ftLastWriteTime.dwLowDateTime=0x13448b0, ftLastWriteTime.dwHighDateTime=0x1d828f2, nFileSizeHigh=0x0, nFileSizeLow=0x6ef5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Qc4RhKRglBg__.jpg", cAlternateFileName="QC4RHK~1.JPG")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7184870, ftCreationTime.dwHighDateTime=0x1d82399, ftLastAccessTime.dwLowDateTime=0x45f7a710, ftLastAccessTime.dwHighDateTime=0x1d82502, ftLastWriteTime.dwLowDateTime=0x45f7a710, ftLastWriteTime.dwHighDateTime=0x1d82502, nFileSizeHigh=0x0, nFileSizeLow=0x4492, dwReserved0=0x0, dwReserved1=0x0, cFileName="trtv-7.bmp", cAlternateFileName="")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f52bc70, ftCreationTime.dwHighDateTime=0x1d82930, ftLastAccessTime.dwLowDateTime=0xc6320790, ftLastAccessTime.dwHighDateTime=0x1d829d5, ftLastWriteTime.dwLowDateTime=0xc6320790, ftLastWriteTime.dwHighDateTime=0x1d829d5, nFileSizeHigh=0x0, nFileSizeLow=0x8a13, dwReserved0=0x0, dwReserved1=0x0, cFileName="VUqCu1k65i0E.png", cAlternateFileName="VUQCU1~1.PNG")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe09d58a0, ftCreationTime.dwHighDateTime=0x1d8298f, ftLastAccessTime.dwLowDateTime=0x8eca5ef0, ftLastAccessTime.dwHighDateTime=0x1d829e0, ftLastWriteTime.dwLowDateTime=0x8eca5ef0, ftLastWriteTime.dwHighDateTime=0x1d829e0, nFileSizeHigh=0x0, nFileSizeLow=0x8bfd, dwReserved0=0x0, dwReserved1=0x0, cFileName="xdm8HuOAopSedRGTMbb.png", cAlternateFileName="XDM8HU~1.PNG")) returned 1 [0294.461] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857ad8 | out: lpFindFileData=0x12857ad8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.461] FindClose (in: hFindFile=0xbefc38 | out: hFindFile=0xbefc38) returned 1 [0294.461] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x1285775c | out: lpFileInformation=0x1285775c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.462] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.462] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.463] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x1285796c | out: lpMode=0x1285796c) returned 0 [0294.463] WriteFile (in: hFile=0x470, lpBuffer=0x1287a600*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x1285796c, lpOverlapped=0x0 | out: lpBuffer=0x1287a600*, lpNumberOfBytesWritten=0x1285796c*=0x118a, lpOverlapped=0x0) returned 1 [0294.465] CloseHandle (hObject=0x470) returned 1 [0294.465] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\39xGW5hX3fvQs.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\39xgw5hx3fvqs.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa26fad40, ftCreationTime.dwHighDateTime=0x1d82114, ftLastAccessTime.dwLowDateTime=0x466b910, ftLastAccessTime.dwHighDateTime=0x1d827e3, ftLastWriteTime.dwLowDateTime=0x466b910, ftLastWriteTime.dwHighDateTime=0x1d827e3, nFileSizeHigh=0x0, nFileSizeLow=0x486d)) returned 1 [0294.465] SetEvent (hEvent=0x19c) returned 1 [0294.465] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\AAv4QIyj5Va9vKdwbEiS.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\aav4qiyj5va9vkdwbeis.gif"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ba8f4a0, ftCreationTime.dwHighDateTime=0x1d82604, ftLastAccessTime.dwLowDateTime=0x9a62bf20, ftLastAccessTime.dwHighDateTime=0x1d826d2, ftLastWriteTime.dwLowDateTime=0x9a62bf20, ftLastWriteTime.dwHighDateTime=0x1d826d2, nFileSizeHigh=0x0, nFileSizeLow=0x16a91)) returned 1 [0294.465] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0294.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0294.466] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*", lpFindFileData=0x12857a30 | out: lpFindFileData=0x12857a30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbefc38 [0294.466] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0294.466] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0294.466] FindNextFileW (in: hFindFile=0xbefc38, lpFindFileData=0x12857a74 | out: lpFindFileData=0x12857a74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0294.466] FindClose (in: hFindFile=0xbefc38 | out: hFindFile=0xbefc38) returned 1 [0294.466] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\# satan cryptor #.hta"), fInfoLevelId=0x0, lpFileInformation=0x128576f8 | out: lpFileInformation=0x128576f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0294.466] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\# satan cryptor #.hta"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0294.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\# SATAN CRYPTOR #.hta" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\# satan cryptor #.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.468] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12857908 | out: lpMode=0x12857908) returned 0 [0294.468] WriteFile (in: hFile=0x470, lpBuffer=0x1287cc00*, nNumberOfBytesToWrite=0x118a, lpNumberOfBytesWritten=0x12857908, lpOverlapped=0x0 | out: lpBuffer=0x1287cc00*, lpNumberOfBytesWritten=0x12857908*=0x118a, lpOverlapped=0x0) returned 1 [0294.469] CloseHandle (hObject=0x470) returned 1 [0294.469] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857af4 | out: lpFileInformation=0x12857af4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe)) returned 1 [0294.470] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\GYc97IQh_mQirpr2.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\gyc97iqh_mqirpr2.png"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x451b40f0, ftCreationTime.dwHighDateTime=0x1d821b9, ftLastAccessTime.dwLowDateTime=0x5edc99d0, ftLastAccessTime.dwHighDateTime=0x1d825ba, ftLastWriteTime.dwLowDateTime=0x5edc99d0, ftLastWriteTime.dwHighDateTime=0x1d825ba, nFileSizeHigh=0x0, nFileSizeLow=0x15897)) returned 1 [0294.470] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.472] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.472] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a2dad0 | out: lpFileInformation=0x12a2dad0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe)) returned 1 [0294.472] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129285e0 | out: pbBuffer=0x129285e0) returned 1 [0294.472] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810760 | out: pbBuffer=0x12810760) returned 1 [0294.472] ReadFile (in: hFile=0x470, lpBuffer=0x12c92000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2dd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c92000*, lpNumberOfBytesRead=0x12a2dd1c*=0xbe, lpOverlapped=0x0) returned 1 [0294.474] GetFileType (hFile=0x470) returned 0x1 [0294.474] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.474] WriteFile (in: hFile=0x470, lpBuffer=0x12926300*, nNumberOfBytesToWrite=0xbe, lpNumberOfBytesWritten=0x12a2dd00, lpOverlapped=0x12a2dd0c | out: lpBuffer=0x12926300*, lpNumberOfBytesWritten=0x12a2dd00*=0xbe, lpOverlapped=0x12a2dd0c) returned 1 [0294.474] GetFileType (hFile=0x470) returned 0x1 [0294.474] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xbe, lpNewFilePointer=0x0, dwMoveMethod=0x12a2dce4 | out: lpNewFilePointer=0x0) returned 1 [0294.474] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801081 | out: pbBuffer=0x12801081) returned 1 [0294.475] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801181 | out: pbBuffer=0x12801181) returned 1 [0294.475] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12801281 | out: pbBuffer=0x12801281) returned 1 [0294.475] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12810818 | out: pbBuffer=0x12810818) returned 1 [0294.475] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.475] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2dd0c | out: lpMode=0x12a2dd0c) returned 0 [0294.475] WriteFile (in: hFile=0x44c, lpBuffer=0x12ac2a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2dd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2a00*, lpNumberOfBytesWritten=0x12a2dd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.496] CloseHandle (hObject=0x44c) returned 1 [0294.497] CloseHandle (hObject=0x470) returned 1 [0294.497] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810830 | out: pbBuffer=0x12810830) returned 1 [0294.497] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\#_THIS_FILE_IS_ENCRYPTED_[AF0A00C0778DBA4C]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\#_this_file_is_encrypted_[af0a00c0778dba4c]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.588] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.623] SetEvent (hEvent=0x1b8) returned 1 [0294.623] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.625] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.625] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe)) returned 1 [0294.626] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928060 | out: pbBuffer=0x12928060) returned 1 [0294.626] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848008 | out: pbBuffer=0x12848008) returned 1 [0294.626] ReadFile (in: hFile=0x470, lpBuffer=0x12dd8000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12dd8000*, lpNumberOfBytesRead=0x12a2bd1c*=0xbe, lpOverlapped=0x0) returned 1 [0294.627] GetFileType (hFile=0x470) returned 0x1 [0294.627] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.627] WriteFile (in: hFile=0x470, lpBuffer=0x12b700c0*, nNumberOfBytesToWrite=0xbe, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12b700c0*, lpNumberOfBytesWritten=0x12a2bd00*=0xbe, lpOverlapped=0x12a2bd0c) returned 1 [0294.628] GetFileType (hFile=0x470) returned 0x1 [0294.628] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xbe, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a601 | out: pbBuffer=0x1286a601) returned 1 [0294.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a701 | out: pbBuffer=0x1286a701) returned 1 [0294.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a801 | out: pbBuffer=0x1286a801) returned 1 [0294.628] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12848390 | out: pbBuffer=0x12848390) returned 1 [0294.629] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.629] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.629] WriteFile (in: hFile=0x464, lpBuffer=0x12ac2000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2000*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.638] CloseHandle (hObject=0x464) returned 1 [0294.638] CloseHandle (hObject=0x470) returned 1 [0294.638] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483a8 | out: pbBuffer=0x128483a8) returned 1 [0294.638] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\#_THIS_FILE_IS_ENCRYPTED_[41278B4286FF7805]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\#_this_file_is_encrypted_[41278b4286ff7805]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.677] SetEvent (hEvent=0x19c) returned 1 [0294.677] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\HKJj WT.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\hkjj wt.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0294.678] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.678] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\HKJj WT.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\hkjj wt.gif"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fd90200, ftCreationTime.dwHighDateTime=0x1d82548, ftLastAccessTime.dwLowDateTime=0x1c2c5660, ftLastAccessTime.dwHighDateTime=0x1d8281d, ftLastWriteTime.dwLowDateTime=0x1c2c5660, ftLastWriteTime.dwHighDateTime=0x1d8281d, nFileSizeHigh=0x0, nFileSizeLow=0x10b54)) returned 1 [0294.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x129284e0 | out: pbBuffer=0x129284e0) returned 1 [0294.678] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848528 | out: pbBuffer=0x12848528) returned 1 [0294.678] ReadFile (in: hFile=0x470, lpBuffer=0x12c7e000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12c7e000*, lpNumberOfBytesRead=0x12a2bd1c*=0x10b54, lpOverlapped=0x0) returned 1 [0294.681] GetFileType (hFile=0x470) returned 0x1 [0294.681] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.681] WriteFile (in: hFile=0x470, lpBuffer=0x12cbe000*, nNumberOfBytesToWrite=0x10b54, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12cbe000*, lpNumberOfBytesWritten=0x12a2bd00*=0x10b54, lpOverlapped=0x12a2bd0c) returned 1 [0294.681] GetFileType (hFile=0x470) returned 0x1 [0294.681] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x10b54, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b201 | out: pbBuffer=0x1286b201) returned 1 [0294.681] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b301 | out: pbBuffer=0x1286b301) returned 1 [0294.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286b401 | out: pbBuffer=0x1286b401) returned 1 [0294.682] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128485e0 | out: pbBuffer=0x128485e0) returned 1 [0294.682] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\HKJj WT.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\hkjj wt.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.682] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.682] WriteFile (in: hFile=0x464, lpBuffer=0x12ac2a00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2a00*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.682] CloseHandle (hObject=0x464) returned 1 [0294.743] CloseHandle (hObject=0x470) returned 1 [0294.757] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12848718 | out: pbBuffer=0x12848718) returned 1 [0294.757] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\HKJj WT.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\hkjj wt.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\#_THIS_FILE_IS_ENCRYPTED_[9948985C33CDF650]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\#_this_file_is_encrypted_[9948985c33cdf650]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.819] SetEvent (hEvent=0xf4) returned 1 [0294.819] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\R-vk5p4WTAFfUJEJC.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\r-vk5p4wtaffujejc.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.820] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.820] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\R-vk5p4WTAFfUJEJC.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\r-vk5p4wtaffujejc.jpg"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9fe3830, ftCreationTime.dwHighDateTime=0x1d81c70, ftLastAccessTime.dwLowDateTime=0x7090be90, ftLastAccessTime.dwHighDateTime=0x1d82646, ftLastWriteTime.dwLowDateTime=0x7090be90, ftLastWriteTime.dwHighDateTime=0x1d82646, nFileSizeHigh=0x0, nFileSizeLow=0x186bb)) returned 1 [0294.820] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12928280 | out: pbBuffer=0x12928280) returned 1 [0294.820] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x128483f0 | out: pbBuffer=0x128483f0) returned 1 [0294.820] ReadFile (in: hFile=0x468, lpBuffer=0x12b22000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12b22000*, lpNumberOfBytesRead=0x12a2bd1c*=0x186bb, lpOverlapped=0x0) returned 1 [0294.825] GetFileType (hFile=0x468) returned 0x1 [0294.825] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.825] WriteFile (in: hFile=0x468, lpBuffer=0x12b9e000*, nNumberOfBytesToWrite=0x186bb, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12b9e000*, lpNumberOfBytesWritten=0x12a2bd00*=0x186bb, lpOverlapped=0x12a2bd0c) returned 1 [0294.825] GetFileType (hFile=0x468) returned 0x1 [0294.825] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x186bb, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.825] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a481 | out: pbBuffer=0x1286a481) returned 1 [0294.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a581 | out: pbBuffer=0x1286a581) returned 1 [0294.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x1286a681 | out: pbBuffer=0x1286a681) returned 1 [0294.826] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128484b8 | out: pbBuffer=0x128484b8) returned 1 [0294.826] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\R-vk5p4WTAFfUJEJC.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\r-vk5p4wtaffujejc.jpg"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0294.826] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.826] WriteFile (in: hFile=0x464, lpBuffer=0x12ac2500*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12ac2500*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.827] CloseHandle (hObject=0x464) returned 1 [0294.841] CloseHandle (hObject=0x468) returned 1 [0294.860] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12849010 | out: pbBuffer=0x12849010) returned 1 [0294.860] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\R-vk5p4WTAFfUJEJC.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\r-vk5p4wtaffujejc.jpg"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\#_THIS_FILE_IS_ENCRYPTED_[8DFBEBC60F4D1560]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\#_this_file_is_encrypted_[8dfbebc60f4d1560]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0294.926] SetEvent (hEvent=0x420) returned 1 [0294.926] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\ww9e exBrFr.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ww9e exbrfr.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0294.928] GetConsoleMode (in: hConsoleHandle=0x468, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.928] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\ww9e exBrFr.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ww9e exbrfr.gif"), fInfoLevelId=0x0, lpFileInformation=0x12a2bad0 | out: lpFileInformation=0x12a2bad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa82639f0, ftCreationTime.dwHighDateTime=0x1d82346, ftLastAccessTime.dwLowDateTime=0xaec13e20, ftLastAccessTime.dwHighDateTime=0x1d82834, ftLastWriteTime.dwLowDateTime=0xaec13e20, ftLastWriteTime.dwHighDateTime=0x1d82834, nFileSizeHigh=0x0, nFileSizeLow=0x7668)) returned 1 [0294.928] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12a98000 | out: pbBuffer=0x12a98000) returned 1 [0294.928] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12810038 | out: pbBuffer=0x12810038) returned 1 [0294.928] ReadFile (in: hFile=0x468, lpBuffer=0x12e18000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12a2bd1c, lpOverlapped=0x0 | out: lpBuffer=0x12e18000*, lpNumberOfBytesRead=0x12a2bd1c*=0x7668, lpOverlapped=0x0) returned 1 [0294.930] GetFileType (hFile=0x468) returned 0x1 [0294.930] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.930] WriteFile (in: hFile=0x468, lpBuffer=0x12b68000*, nNumberOfBytesToWrite=0x7668, lpNumberOfBytesWritten=0x12a2bd00, lpOverlapped=0x12a2bd0c | out: lpBuffer=0x12b68000*, lpNumberOfBytesWritten=0x12a2bd00*=0x7668, lpOverlapped=0x12a2bd0c) returned 1 [0294.930] GetFileType (hFile=0x468) returned 0x1 [0294.930] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x7668, lpNewFilePointer=0x0, dwMoveMethod=0x12a2bce4 | out: lpNewFilePointer=0x0) returned 1 [0294.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834101 | out: pbBuffer=0x12834101) returned 1 [0294.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834201 | out: pbBuffer=0x12834201) returned 1 [0294.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12834301 | out: pbBuffer=0x12834301) returned 1 [0294.931] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x128100f0 | out: pbBuffer=0x128100f0) returned 1 [0294.931] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\ww9e exBrFr.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ww9e exbrfr.gif"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0294.932] GetConsoleMode (in: hConsoleHandle=0x44c, lpMode=0x12a2bd0c | out: lpMode=0x12a2bd0c) returned 0 [0294.932] WriteFile (in: hFile=0x44c, lpBuffer=0x12c30000*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12a2bd0c, lpOverlapped=0x0 | out: lpBuffer=0x12c30000*, lpNumberOfBytesWritten=0x12a2bd0c*=0x276, lpOverlapped=0x0) returned 1 [0294.932] CloseHandle (hObject=0x44c) returned 1 [0294.941] CloseHandle (hObject=0x468) returned 1 [0294.950] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.969] SwitchToThread () returned 1 [0294.972] SetEvent (hEvent=0xfc) returned 1 [0294.972] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0294.975] SetEvent (hEvent=0xfc) returned 1 [0294.975] SetEvent (hEvent=0x420) returned 1 [0294.975] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12a9a000 | out: pbBuffer=0x12a9a000) returned 1 [0294.976] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\ww9e exBrFr.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\ww9e exbrfr.gif"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ckHe9316OZQ3TyD\\X jZwz7d75-kdunxRmDZ\\#_THIS_FILE_IS_ENCRYPTED_[278BC8BB0E2EA917]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ckhe9316ozq3tyd\\x jzwz7d75-kdunxrmdz\\#_this_file_is_encrypted_[278bc8bb0e2ea917]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.276] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0295.286] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent" (normalized: "c:\\users\\rdhj0cnfevzx\\recent"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.286] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent" (normalized: "c:\\users\\rdhj0cnfevzx\\recent"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x470 [0295.287] GetFileInformationByHandle (in: hFile=0x470, lpFileInformation=0x12857b4c | out: lpFileInformation=0x12857b4c) returned 1 [0295.287] GetFileInformationByHandleEx (in: hFile=0x470, FileInformationClass=0x9, lpFileInformation=0x12857b44, dwBufferSize=0x8 | out: lpFileInformation=0x12857b44) returned 1 [0295.287] CloseHandle (hObject=0x470) returned 1 [0295.287] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0295.649] SetEvent (hEvent=0x420) returned 1 [0295.649] SetEvent (hEvent=0x19c) returned 1 [0295.649] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0295.762] SwitchToThread () returned 1 [0295.765] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\R- yMEn8xMS5Z0vnIX0M.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r- ymen8xms5z0vnix0m.flv"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7017eb0, ftCreationTime.dwHighDateTime=0x1d82984, ftLastAccessTime.dwLowDateTime=0xb9e762e0, ftLastAccessTime.dwHighDateTime=0x1d829b8, ftLastWriteTime.dwLowDateTime=0xb9e762e0, ftLastWriteTime.dwHighDateTime=0x1d829b8, nFileSizeHigh=0x0, nFileSizeLow=0x169b2)) returned 1 [0295.765] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857b58 | out: lpFileInformation=0x12857b58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4347fe61, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8)) returned 1 [0295.765] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat.log1"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x62400)) returned 1 [0295.766] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\R- yMEn8xMS5Z0vnIX0M.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r- ymen8xms5z0vnix0m.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.767] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0295.767] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\R- yMEn8xMS5Z0vnIX0M.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r- ymen8xms5z0vnix0m.flv"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7017eb0, ftCreationTime.dwHighDateTime=0x1d82984, ftLastAccessTime.dwLowDateTime=0xb9e762e0, ftLastAccessTime.dwHighDateTime=0x1d829b8, ftLastWriteTime.dwLowDateTime=0xb9e762e0, ftLastWriteTime.dwHighDateTime=0x1d829b8, nFileSizeHigh=0x0, nFileSizeLow=0x169b2)) returned 1 [0295.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6d00 | out: pbBuffer=0x12ac6d00) returned 1 [0295.767] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10c50 | out: pbBuffer=0x12b10c50) returned 1 [0295.767] ReadFile (in: hFile=0x464, lpBuffer=0x12d1c000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x12853d1c, lpOverlapped=0x0 | out: lpBuffer=0x12d1c000*, lpNumberOfBytesRead=0x12853d1c*=0x169b2, lpOverlapped=0x0) returned 1 [0295.770] GetFileType (hFile=0x464) returned 0x1 [0295.770] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.770] WriteFile (in: hFile=0x464, lpBuffer=0x12bee000*, nNumberOfBytesToWrite=0x169b2, lpNumberOfBytesWritten=0x12853d00, lpOverlapped=0x12853d0c | out: lpBuffer=0x12bee000*, lpNumberOfBytesWritten=0x12853d00*=0x169b2, lpOverlapped=0x12853d0c) returned 1 [0295.771] GetFileType (hFile=0x464) returned 0x1 [0295.771] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x169b2, lpNewFilePointer=0x0, dwMoveMethod=0x12853ce4 | out: lpNewFilePointer=0x0) returned 1 [0295.771] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800801 | out: pbBuffer=0x12800801) returned 1 [0295.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800901 | out: pbBuffer=0x12800901) returned 1 [0295.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x14, pbBuffer=0x12800a01 | out: pbBuffer=0x12800a01) returned 1 [0295.772] CryptGenRandom (in: hProv=0xb40170, dwLen=0x4, pbBuffer=0x12b10d08 | out: pbBuffer=0x12b10d08) returned 1 [0295.772] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\R- yMEn8xMS5Z0vnIX0M.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r- ymen8xms5z0vnix0m.flv"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0295.772] GetConsoleMode (in: hConsoleHandle=0x470, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0295.772] WriteFile (in: hFile=0x470, lpBuffer=0x12dd0f00*, nNumberOfBytesToWrite=0x276, lpNumberOfBytesWritten=0x12853d0c, lpOverlapped=0x0 | out: lpBuffer=0x12dd0f00*, lpNumberOfBytesWritten=0x12853d0c*=0x276, lpOverlapped=0x0) returned 1 [0295.773] CloseHandle (hObject=0x470) returned 1 [0295.773] CloseHandle (hObject=0x464) returned 1 [0295.773] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b10d20 | out: pbBuffer=0x12b10d20) returned 1 [0295.773] MoveFileExW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\R- yMEn8xMS5Z0vnIX0M.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r- ymen8xms5z0vnix0m.flv"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\#_THIS_FILE_IS_ENCRYPTED_[4EA980E7F288B2C3]-[ID-9893949947FDA5A23D8DE0930B74801F]-[EMAIL-MREncptor@protonmail.com].satan" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\#_this_file_is_encrypted_[4ea980e7f288b2c3]-[id-9893949947fda5a23d8de0930b74801f]-[email-mrencptor@protonmail.com].satan"), dwFlags=0x1) returned 1 [0295.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.775] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.776] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat.log2"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x89000)) returned 1 [0295.776] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857bbc | out: lpFileInformation=0x12857bbc*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14)) returned 1 [0295.776] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.776] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2\\*", lpFindFileData=0x12853a44 | out: lpFindFileData=0x12853a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.777] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0295.777] GetConsoleMode (in: hConsoleHandle=0x464, lpMode=0x12853d0c | out: lpMode=0x12853d0c) returned 0 [0295.777] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.ini"), fInfoLevelId=0x0, lpFileInformation=0x12853ad0 | out: lpFileInformation=0x12853ad0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14)) returned 1 [0295.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x20, pbBuffer=0x12ac6f60 | out: pbBuffer=0x12ac6f60) returned 1 [0295.778] CryptGenRandom (in: hProv=0xb40170, dwLen=0x8, pbBuffer=0x12b115f8 | out: pbBuffer=0x12b115f8) returned 1 [0295.778] GetFileAttributesExW (in: lpFileName="C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x12857c20 | out: lpFileInformation=0x12857c20*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3757c8c, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae)) returned 1 [0295.778] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0295.804] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) returned 0x0 [0295.815] SetEvent (hEvent=0x1b8) returned 1 [0295.815] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x12857c84 | out: lpFileInformation=0x12857c84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0295.815] CreateFileW (lpFileName="C:\\Windows" (normalized: "c:\\windows"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.815] FindFirstFileW (in: lpFileName="C:\\Windows\\*", lpFindFileData=0x12857b5c | out: lpFindFileData=0x12857b5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbef938 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x383caa7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x383caa7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="addins", cAlternateFileName="")) returned 1 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xdc4d01, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xdc4d01, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="appcompat", cAlternateFileName="APPCOM~1")) returned 1 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppPatch", cAlternateFileName="")) returned 1 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x22e61277, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x22e61277, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppReadiness", cAlternateFileName="APPREA~1")) returned 1 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9d1522, ftLastAccessTime.dwHighDateTime=0x1d705f0, ftLastWriteTime.dwLowDateTime=0x9d1522, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="assembly", cAlternateFileName="")) returned 1 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3888f58, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3888f58, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bcastdvr", cAlternateFileName="")) returned 1 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425a437, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1425a437, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14280695, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf200, dwReserved0=0x0, dwReserved1=0x0, cFileName="bfsvc.exe", cAlternateFileName="")) returned 1 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ecfa42d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ecfa42d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLockerDiscoveryVolumeContents", cAlternateFileName="BITLOC~1")) returned 1 [0295.816] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe111b6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xe111b6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x9012b7dc, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x9012b7dc, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xe7ab3773, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x10800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootstat.dat", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe111b6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe111b6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xe111b6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Branding", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388963fa, ftCreationTime.dwHighDateTime=0x1d112e2, ftLastAccessTime.dwLowDateTime=0x77a1c398, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77a1c398, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CbsTemp", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a60a69, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CSC", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe111b6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3b5dc04, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3b5dc04, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cursors", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe111b6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x87c914ec, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x87c914ec, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="debug", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe111b6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3b5dc04, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3b5dc04, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DesktopTileResources", cAlternateFileName="DESKTO~1")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe37410, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9559687a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9559687a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DevicesFlow", cAlternateFileName="DEVICE~1")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe37410, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe37410, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xe37410, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="diagnostics", cAlternateFileName="DIAGNO~1")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd3f8070, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd3f8070, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd3f8070, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DigitalLocker", cAlternateFileName="DIGITA~1")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe5d667, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x4022730, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x4022730, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloaded Program Files", cAlternateFileName="DOWNLO~1")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37f054c7, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f054c7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaa4d45e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x6b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DtcInstall.log", cAlternateFileName="DTCINS~1.LOG")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xe5d667, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x4022730, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x4022730, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ELAMBKUP", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd3f8070, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd41e2a2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd41e2a2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x220ad5e0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x220ad5e0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x220ad5e0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x44b550, dwReserved0=0x0, dwReserved1=0x0, cFileName="explorer.exe", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x15, ftCreationTime.dwLowDateTime=0xe5d667, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x2bf387cd, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x2bf387cd, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0295.817] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5d667, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe5d667, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xe5d667, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Globalization", cAlternateFileName="GLOBAL~1")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5d667, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd41e2a2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd41e2a2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192f7b5f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x192f7b5f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x192f7b5f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="HelpPane.exe", cAlternateFileName="")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1883d233, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1883d233, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1883d233, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4800, dwReserved0=0x0, dwReserved1=0x0, cFileName="hh.exe", cAlternateFileName="")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe838c5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd44450f, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd44450f, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IME", cAlternateFileName="")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe838c5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5eeea3fc, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5eeea3fc, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImmersiveControlPanel", cAlternateFileName="IMMERS~1")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa31f8be1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xbadb70d3, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xbadb70d3, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INF", cAlternateFileName="")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef5fd1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xef5fd1, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xef5fd1, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfusedApps", cAlternateFileName="INFUSE~1")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef5fd1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xef5fd1, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xef5fd1, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InputMethod", cAlternateFileName="INPUTM~1")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xef5fd1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x63d4f3ad, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x63f5b630, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Installer", cAlternateFileName="INSTAL~1")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef5fd1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x4d1939a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x4d1939a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L2Schemas", cAlternateFileName="L2SCHE~1")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef5fd1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xef5fd1, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xef5fd1, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LiveKernelReports", cAlternateFileName="LIVEKE~1")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8cf3e7ab, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1a869a96, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x6449ebcb, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87e0eb86, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x87e0eb86, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x87e0eb86, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x0, dwReserved1=0x0, cFileName="lsasetup.log", cAlternateFileName="")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x15, ftCreationTime.dwLowDateTime=0xef5fd1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x4dfe1b9, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x4dfe1b9, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media", cAlternateFileName="")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10293695, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x10293695, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x10293695, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa87b, dwReserved0=0x0, dwReserved1=0x0, cFileName="mib.bin", cAlternateFileName="")) returned 1 [0295.818] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x8a7d6dae, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0x8a7d6dae, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf686e4, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf686e4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf686e4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Migration", cAlternateFileName="MIGRAT~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf686e4, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9f657f27, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f657f27, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MiracastView", cAlternateFileName="MIRACA~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf686e4, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf686e4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf686e4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ModemLogs", cAlternateFileName="MODEML~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505b5aa3, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x505b5aa3, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x505b5aa3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="notepad.exe", cAlternateFileName="")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe139e089, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xe139e089, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xe139e089, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OCR", cAlternateFileName="")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf686e4, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x61f5c95, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x61f5c95, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Offline Web Pages", cAlternateFileName="OFFLIN~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f8fa6db, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x4fa275ed, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x4fa4d76f, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Panther", cAlternateFileName="")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf686e4, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf686e4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf686e4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Performance", cAlternateFileName="PERFOR~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf686e4, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8e937, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf8e937, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PLA", cAlternateFileName="")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8e937, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ee9dc43, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ee9dc43, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PolicyDefinitions", cAlternateFileName="POLICY~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x938e66c3, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xe37cf9d, ftLastAccessTime.dwHighDateTime=0x1d7b062, ftLastWriteTime.dwLowDateTime=0xe37cf9d, ftLastWriteTime.dwHighDateTime=0x1d7b062, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Prefetch", cAlternateFileName="")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf8e937, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa039b1b2, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa039b1b2, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintDialog", cAlternateFileName="PRINTD~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96b1269a, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x96b1269a, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x7dc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Professional.xml", cAlternateFileName="PROFES~1.XML")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8e937, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6300d36, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x6300d36, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Provisioning", cAlternateFileName="PROVIS~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf8e937, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaaed1dd9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xaaed1dd9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PurchaseDialog", cAlternateFileName="PURCHA~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14eb873f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14eb873f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14eb873f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e400, dwReserved0=0x0, dwReserved1=0x0, cFileName="regedit.exe", cAlternateFileName="")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8e937, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x637340b, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x637340b, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Registration", cAlternateFileName="REGIST~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8e937, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x4d6bf5ba, ftLastAccessTime.dwHighDateTime=0x1d7b05a, ftLastWriteTime.dwLowDateTime=0x4d6bf5ba, ftLastWriteTime.dwHighDateTime=0x1d7b05a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rescache", cAlternateFileName="")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8e937, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8e937, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf8e937, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0295.819] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8e937, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf8e937, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf8e937, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SchCache", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8e937, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfb4b8d, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xfb4b8d, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="schemas", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb4b8d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f04186d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f04186d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="security", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x506c8f22, ftCreationTime.dwHighDateTime=0x1d112f3, ftLastAccessTime.dwLowDateTime=0x88109cb8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x88109cb8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ServiceProfiles", cAlternateFileName="SERVIC~2")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xbd54f5be, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd54f5be, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="servicing", cAlternateFileName="SERVIC~1")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50226d22, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x50226d22, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x50226d22, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cb14070, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8cb14070, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8f64ac44, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0xf45, dwReserved0=0x0, dwReserved1=0x0, cFileName="setupact.log", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cb14070, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8cb14070, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8cb14070, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setuperr.log", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f04186d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f067ab4, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f067ab4, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShellNew", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd13c1c8a, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xd13c1c8a, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xd13c1c8a, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SKB", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x675574ee, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0xdfc2100c, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xdfc2100c, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb4b8d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfb4b8d, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xfb4b8d, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Speech", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb4b8d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfb4b8d, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xfb4b8d, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Speech_OneCore", cAlternateFileName="SPEECH~1")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x213b6972, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x213b6972, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x213dcbcc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1f400, dwReserved0=0x0, dwReserved1=0x0, cFileName="splwow64.exe", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb4b8d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfb4b8d, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xfb4b8d, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x383caa7, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97447ccc, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97447ccc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x0, cFileName="system.ini", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xbae59694, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xbae59694, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 1 [0295.820] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f95896c, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f95896c, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemApps", cAlternateFileName="SYSTEM~1")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14796bd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x149f91c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x149f91c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemResources", cAlternateFileName="SYSTEM~2")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35938b58, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe0e516ca, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xe0e516ca, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SysWOW64", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x16b59ff, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x16b59ff, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TAPI", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5f793717, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5f793717, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tasks", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9cc23cbf, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x9cc23cbf, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x16b59ff, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x16b59ff, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tracing", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd761812, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd761812, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="twain_32", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5139153c, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5139153c, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5139153c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="twain_32.dll", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x16b59ff, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x16b59ff, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vss", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x706c1e39, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x706c1e39, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x383caa7, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97447ccc, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97447ccc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="win.ini", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x252e4dc1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x252e4dc1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x252e4dc1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x29e, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsShell.Manifest", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x675574ee, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x675574ee, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0xaf1efec6, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x113, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsUpdate.log", cAlternateFileName="WINDOW~1.LOG")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d082a6f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2d082a6f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2d082a6f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="winhlp32.exe", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x83447569, ftLastAccessTime.dwHighDateTime=0x1d7b059, ftLastWriteTime.dwLowDateTime=0x83447569, ftLastWriteTime.dwHighDateTime=0x1d7b059, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinSxS", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x342f36fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x342f36fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x342f36fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d4e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMSysPr9.prx", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x245a1c9a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x245a1c9a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x245a1c9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="write.exe", cAlternateFileName="")) returned 1 [0295.821] FindNextFileW (in: hFindFile=0xbef938, lpFindFileData=0x12857ba0 | out: lpFindFileData=0x12857ba0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.822] FindClose (in: hFindFile=0xbef938 | out: hFindFile=0xbef938) returned 1 [0295.822] GetFileAttributesExW (in: lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), fInfoLevelId=0x0, lpFileInformation=0x12857c84 | out: lpFileInformation=0x12857c84*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64)) returned 1 [0295.835] SetEvent (hEvent=0x420) returned 1 [0295.835] GetFileAttributesExW (in: lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), fInfoLevelId=0x0, lpFileInformation=0x12857c84 | out: lpFileInformation=0x12857c84*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.835] FindFirstFileW (in: lpFileName="C:\\hiberfil.sys", lpFindFileData=0x128579f8 | out: lpFindFileData=0x128579f8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0xa8d4eb26, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 0xbf00f8 [0295.845] SetEvent (hEvent=0x110) returned 1 [0295.845] FindClose (in: hFindFile=0xbf00f8 | out: hFindFile=0xbf00f8) returned 1 [0295.855] SetEvent (hEvent=0x420) returned 1 [0295.855] GetFileAttributesExW (in: lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), fInfoLevelId=0x0, lpFileInformation=0x12857c84 | out: lpFileInformation=0x12857c84*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.855] FindFirstFileW (in: lpFileName="C:\\pagefile.sys", lpFindFileData=0x128579f8 | out: lpFindFileData=0x128579f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xa99bf471, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 0xbefeb8 [0295.855] FindClose (in: hFindFile=0xbefeb8 | out: hFindFile=0xbefeb8) returned 1 [0295.855] GetFileAttributesExW (in: lpFileName="C:\\swapfile.sys" (normalized: "c:\\swapfile.sys"), fInfoLevelId=0x0, lpFileInformation=0x12857c84 | out: lpFileInformation=0x12857c84*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0295.855] FindFirstFileW (in: lpFileName="C:\\swapfile.sys", lpFindFileData=0x128579f8 | out: lpFindFileData=0x128579f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xa99bf471, ftLastWriteTime.dwHighDateTime=0x1d82a28, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 0xbf00f8 [0295.855] FindClose (in: hFindFile=0xbf00f8 | out: hFindFile=0xbf00f8) returned 1 [0295.856] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.856] FindFirstFileW (in: lpFileName="C:\\pagefile.sys\\*", lpFindFileData=0x12a31a44 | out: lpFindFileData=0x12a31a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.856] CreateFileW (lpFileName="C:\\swapfile.sys" (normalized: "c:\\swapfile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.856] FindFirstFileW (in: lpFileName="C:\\swapfile.sys\\*", lpFindFileData=0x12a31a44 | out: lpFindFileData=0x12a31a44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.857] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0295.857] FindFirstFileW (in: lpFileName="C:\\hiberfil.sys\\*", lpFindFileData=0x12a2ba44 | out: lpFindFileData=0x12a2ba44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.857] WaitForSingleObject (hHandle=0x454, dwMilliseconds=0xffffffff) Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x48039000" os_pid = "0x1054" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x4c4" cmd_line = "cmd /c ver" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 365 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 366 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 367 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 368 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 369 start_va = 0xa0000 end_va = 0xa3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 370 start_va = 0xb0000 end_va = 0xb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 371 start_va = 0xc0000 end_va = 0xc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 372 start_va = 0x190000 end_va = 0x1e1fff monitored = 1 entry_point = 0x1a4fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 373 start_va = 0x1f0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 374 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 375 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 376 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 377 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 378 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 379 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 380 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 381 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 382 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 383 start_va = 0x4610000 end_va = 0x461ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004610000" filename = "" Region: id = 384 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 385 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 386 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 387 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 388 start_va = 0x4620000 end_va = 0x489ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 389 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 390 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 391 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 392 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 403 start_va = 0xd0000 end_va = 0x18dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 479 start_va = 0x748c0000 end_va = 0x7497dfff monitored = 0 entry_point = 0x748f5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 480 start_va = 0x4500000 end_va = 0x453ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 481 start_va = 0x4620000 end_va = 0x471ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 482 start_va = 0x47a0000 end_va = 0x489ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000047a0000" filename = "" Region: id = 483 start_va = 0x4540000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 484 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 485 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Thread: id = 13 os_tid = 0x5c4 [0155.672] GetModuleHandleA (lpModuleName=0x0) returned 0x190000 [0155.672] __set_app_type (_Type=0x1) [0155.672] __p__fmode () returned 0x74974d6c [0155.672] __p__commode () returned 0x74975b1c [0155.673] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1a5200) returned 0x0 [0155.673] __getmainargs (in: _Argc=0x1b60e8, _Argv=0x1b60ec, _Env=0x1b60f0, _DoWildCard=0, _StartInfo=0x1b60fc | out: _Argc=0x1b60e8, _Argv=0x1b60ec, _Env=0x1b60f0) returned 0 [0155.676] GetCurrentThreadId () returned 0x5c4 [0155.676] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5c4) returned 0x78 [0155.676] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0155.676] GetProcAddress (hModule=0x75600000, lpProcName="SetThreadUILanguage") returned 0x75642510 [0155.677] SetThreadUILanguage (LangId=0x0) returned 0x409 [0155.685] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0155.685] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x44fff18 | out: phkResult=0x44fff18*=0x0) returned 0x2 [0155.685] VirtualQuery (in: lpAddress=0x44fff1f, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x44ff000, AllocationBase=0x4400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0155.685] VirtualQuery (in: lpAddress=0x4400000, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x4400000, AllocationBase=0x4400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0155.685] VirtualQuery (in: lpAddress=0x4401000, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x4401000, AllocationBase=0x4400000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0155.685] VirtualQuery (in: lpAddress=0x4403000, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x4403000, AllocationBase=0x4400000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0155.685] VirtualQuery (in: lpAddress=0x4500000, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x4500000, AllocationBase=0x4500000, AllocationProtect=0x4, RegionSize=0x35000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0155.685] GetConsoleOutputCP () returned 0x1b5 [0155.686] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1bf460 | out: lpCPInfo=0x1bf460) returned 1 [0155.686] SetConsoleCtrlHandler (HandlerRoutine=0x1b0e40, Add=1) returned 1 [0155.686] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.687] SetConsoleMode (hConsoleHandle=0x41c, dwMode=0x0) returned 0 [0155.687] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.687] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1bf40c | out: lpMode=0x1bf40c) returned 0 [0155.687] _get_osfhandle (_FileHandle=0) returned 0x418 [0155.687] GetConsoleMode (in: hConsoleHandle=0x418, lpMode=0x1bf408 | out: lpMode=0x1bf408) returned 0 [0155.687] GetEnvironmentStringsW () returned 0x47a7c60* [0155.687] GetProcessHeap () returned 0x47a0000 [0155.687] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0xa1a) returned 0x47a8688 [0155.687] FreeEnvironmentStringsA (penv="A") returned 1 [0155.687] GetProcessHeap () returned 0x47a0000 [0155.687] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0x4) returned 0x47a0550 [0155.687] GetEnvironmentStringsW () returned 0x47a7c60* [0155.688] GetProcessHeap () returned 0x47a0000 [0155.688] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0xa1a) returned 0x47a90b0 [0155.688] FreeEnvironmentStringsA (penv="A") returned 1 [0155.688] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x44fee7c | out: phkResult=0x44fee7c*=0x88) returned 0x0 [0155.689] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x49, lpcbData=0x44fee80*=0x1000) returned 0x2 [0155.689] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x1, lpcbData=0x44fee80*=0x4) returned 0x0 [0155.689] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x1, lpcbData=0x44fee80*=0x1000) returned 0x2 [0155.689] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x0, lpcbData=0x44fee80*=0x4) returned 0x0 [0155.689] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x40, lpcbData=0x44fee80*=0x4) returned 0x0 [0155.689] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x40, lpcbData=0x44fee80*=0x4) returned 0x0 [0155.689] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x40, lpcbData=0x44fee80*=0x1000) returned 0x2 [0155.689] RegCloseKey (hKey=0x88) returned 0x0 [0155.689] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x44fee7c | out: phkResult=0x44fee7c*=0x88) returned 0x0 [0155.690] RegQueryValueExW (in: hKey=0x88, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x40, lpcbData=0x44fee80*=0x1000) returned 0x2 [0155.690] RegQueryValueExW (in: hKey=0x88, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x1, lpcbData=0x44fee80*=0x4) returned 0x0 [0155.690] RegQueryValueExW (in: hKey=0x88, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x1, lpcbData=0x44fee80*=0x1000) returned 0x2 [0155.690] RegQueryValueExW (in: hKey=0x88, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x0, lpcbData=0x44fee80*=0x4) returned 0x0 [0155.690] RegQueryValueExW (in: hKey=0x88, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x9, lpcbData=0x44fee80*=0x4) returned 0x0 [0155.690] RegQueryValueExW (in: hKey=0x88, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x9, lpcbData=0x44fee80*=0x4) returned 0x0 [0155.690] RegQueryValueExW (in: hKey=0x88, lpValueName="AutoRun", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x9, lpcbData=0x44fee80*=0x1000) returned 0x2 [0155.690] RegCloseKey (hKey=0x88) returned 0x0 [0155.690] time (in: timer=0x0 | out: timer=0x0) returned 0x6263ea4b [0155.690] srand (_Seed=0x6263ea4b) [0155.690] GetCommandLineW () returned="cmd /c ver" [0155.690] GetCommandLineW () returned="cmd /c ver" [0155.690] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1c7720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0155.692] GetProcessHeap () returned 0x47a0000 [0155.692] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0x210) returned 0x47a9ad8 [0155.692] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x47a9ae0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0155.693] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1bf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0155.693] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1bf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0155.693] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x1bf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0155.693] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0155.693] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0155.693] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0155.693] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0155.693] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0155.693] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0155.693] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0155.693] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0155.693] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0155.694] GetProcessHeap () returned 0x47a0000 [0155.694] RtlFreeHeap (HeapHandle=0x47a0000, Flags=0x0, BaseAddress=0x47a8688) returned 1 [0155.695] GetEnvironmentStringsW () returned 0x47a7c60* [0155.695] GetProcessHeap () returned 0x47a0000 [0155.695] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0xa32) returned 0x47aa730 [0155.695] FreeEnvironmentStringsA (penv="A") returned 1 [0155.695] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x1bf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0155.695] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x1bf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0155.696] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0155.696] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0155.696] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0155.696] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0155.696] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0155.696] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0155.696] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0155.696] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0155.696] GetProcessHeap () returned 0x47a0000 [0155.696] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0x44) returned 0x47a05c8 [0155.696] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x44ffc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0155.696] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x44ffc54, lpFilePart=0x44ffc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x44ffc4c*="Desktop") returned 0x1d [0155.696] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0155.697] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x44ff9d0 | out: lpFindFileData=0x44ff9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x47a0618 [0155.697] FindClose (in: hFindFile=0x47a0618 | out: hFindFile=0x47a0618) returned 1 [0155.697] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x44ff9d0 | out: lpFindFileData=0x44ff9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x47a0618 [0155.697] FindClose (in: hFindFile=0x47a0618 | out: hFindFile=0x47a0618) returned 1 [0155.698] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0155.698] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x44ff9d0 | out: lpFindFileData=0x44ff9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7acb0e39, ftLastAccessTime.dwHighDateTime=0x1d85709, ftLastWriteTime.dwLowDateTime=0x7acb0e39, ftLastWriteTime.dwHighDateTime=0x1d85709, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x47a0618 [0155.698] FindClose (in: hFindFile=0x47a0618 | out: hFindFile=0x47a0618) returned 1 [0155.698] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0155.698] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0155.698] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0155.698] GetProcessHeap () returned 0x47a0000 [0155.699] RtlFreeHeap (HeapHandle=0x47a0000, Flags=0x0, BaseAddress=0x47aa730) returned 1 [0155.699] GetEnvironmentStringsW () returned 0x47a7c60* [0155.699] GetProcessHeap () returned 0x47a0000 [0155.699] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0xa76) returned 0x47a9cf0 [0155.699] FreeEnvironmentStringsA (penv="=") returned 1 [0155.699] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1c7720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0155.699] GetProcessHeap () returned 0x47a0000 [0155.700] RtlFreeHeap (HeapHandle=0x47a0000, Flags=0x0, BaseAddress=0x47a05c8) returned 1 [0155.700] GetProcessHeap () returned 0x47a0000 [0155.700] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0x400e) returned 0x47abbf0 [0155.701] GetProcessHeap () returned 0x47a0000 [0155.701] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0x14) returned 0x47a7768 [0155.701] GetProcessHeap () returned 0x47a0000 [0155.701] RtlFreeHeap (HeapHandle=0x47a0000, Flags=0x0, BaseAddress=0x47abbf0) returned 1 [0155.701] GetConsoleOutputCP () returned 0x1b5 [0155.702] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1bf460 | out: lpCPInfo=0x1bf460) returned 1 [0155.702] GetUserDefaultLCID () returned 0x409 [0155.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x1c34a0, cchData=8 | out: lpLCData=":") returned 2 [0155.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x44ffd84, cchData=128 | out: lpLCData="0") returned 2 [0155.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x44ffd84, cchData=128 | out: lpLCData="0") returned 2 [0155.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x44ffd84, cchData=128 | out: lpLCData="1") returned 2 [0155.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x1c34b0, cchData=8 | out: lpLCData="/") returned 2 [0155.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x1c3500, cchData=32 | out: lpLCData="Mon") returned 4 [0155.703] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x1c3540, cchData=32 | out: lpLCData="Tue") returned 4 [0155.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x1c3580, cchData=32 | out: lpLCData="Wed") returned 4 [0155.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x1c35c0, cchData=32 | out: lpLCData="Thu") returned 4 [0155.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x1c3600, cchData=32 | out: lpLCData="Fri") returned 4 [0155.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x1c3640, cchData=32 | out: lpLCData="Sat") returned 4 [0155.704] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x1c3680, cchData=32 | out: lpLCData="Sun") returned 4 [0155.704] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x1c34c0, cchData=8 | out: lpLCData=".") returned 2 [0155.704] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x1c34e0, cchData=8 | out: lpLCData=",") returned 2 [0155.704] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0155.707] GetProcessHeap () returned 0x47a0000 [0155.707] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x0, Size=0x20c) returned 0x47aa7b8 [0155.707] GetConsoleTitleW (in: lpConsoleTitle=0x47aa7b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0155.707] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75600000 [0155.708] GetProcAddress (hModule=0x75600000, lpProcName="CopyFileExW") returned 0x7561ffc0 [0155.708] GetProcAddress (hModule=0x75600000, lpProcName="IsDebuggerPresent") returned 0x7561b0b0 [0155.708] GetProcAddress (hModule=0x75600000, lpProcName="SetConsoleInputExeNameW") returned 0x7559b440 [0155.708] GetProcessHeap () returned 0x47a0000 [0155.708] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0x400a) returned 0x47abbf0 [0155.708] GetProcessHeap () returned 0x47a0000 [0155.709] RtlFreeHeap (HeapHandle=0x47a0000, Flags=0x0, BaseAddress=0x47abbf0) returned 1 [0155.709] _wcsicmp (_String1="ver", _String2=")") returned 77 [0155.709] _wcsicmp (_String1="FOR", _String2="ver") returned -16 [0155.709] _wcsicmp (_String1="FOR/?", _String2="ver") returned -16 [0155.709] _wcsicmp (_String1="IF", _String2="ver") returned -13 [0155.710] _wcsicmp (_String1="IF/?", _String2="ver") returned -13 [0155.710] _wcsicmp (_String1="REM", _String2="ver") returned -4 [0155.710] _wcsicmp (_String1="REM/?", _String2="ver") returned -4 [0155.710] GetProcessHeap () returned 0x47a0000 [0155.710] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0x58) returned 0x47aa9d0 [0155.710] GetProcessHeap () returned 0x47a0000 [0155.710] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0x10) returned 0x47a0578 [0155.711] GetConsoleTitleW (in: lpConsoleTitle=0x44ffa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0155.712] _wcsicmp (_String1="ver", _String2="DIR") returned 18 [0155.713] _wcsicmp (_String1="ver", _String2="ERASE") returned 17 [0155.713] _wcsicmp (_String1="ver", _String2="DEL") returned 18 [0155.713] _wcsicmp (_String1="ver", _String2="TYPE") returned 2 [0155.713] _wcsicmp (_String1="ver", _String2="COPY") returned 19 [0155.713] _wcsicmp (_String1="ver", _String2="CD") returned 19 [0155.713] _wcsicmp (_String1="ver", _String2="CHDIR") returned 19 [0155.713] _wcsicmp (_String1="ver", _String2="RENAME") returned 4 [0155.713] _wcsicmp (_String1="ver", _String2="REN") returned 4 [0155.713] _wcsicmp (_String1="ver", _String2="ECHO") returned 17 [0155.713] _wcsicmp (_String1="ver", _String2="SET") returned 3 [0155.713] _wcsicmp (_String1="ver", _String2="PAUSE") returned 6 [0155.713] _wcsicmp (_String1="ver", _String2="DATE") returned 18 [0155.713] _wcsicmp (_String1="ver", _String2="TIME") returned 2 [0155.713] _wcsicmp (_String1="ver", _String2="PROMPT") returned 6 [0155.713] _wcsicmp (_String1="ver", _String2="MD") returned 9 [0155.713] _wcsicmp (_String1="ver", _String2="MKDIR") returned 9 [0155.713] _wcsicmp (_String1="ver", _String2="RD") returned 4 [0155.713] _wcsicmp (_String1="ver", _String2="RMDIR") returned 4 [0155.713] _wcsicmp (_String1="ver", _String2="PATH") returned 6 [0155.713] _wcsicmp (_String1="ver", _String2="GOTO") returned 15 [0155.713] _wcsicmp (_String1="ver", _String2="SHIFT") returned 3 [0155.713] _wcsicmp (_String1="ver", _String2="CLS") returned 19 [0155.713] _wcsicmp (_String1="ver", _String2="CALL") returned 19 [0155.714] _wcsicmp (_String1="ver", _String2="VERIFY") returned -105 [0155.714] _wcsicmp (_String1="ver", _String2="VER") returned 0 [0155.714] GetProcessHeap () returned 0x47a0000 [0155.714] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0xc) returned 0x47a0590 [0155.714] GetProcessHeap () returned 0x47a0000 [0155.714] RtlAllocateHeap (HeapHandle=0x47a0000, Flags=0x8, Size=0x10) returned 0x47aaa30 [0155.714] GetVersion () returned 0x295a000a [0155.714] _vsnwprintf (in: _Buffer=0x44ff9f0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x44ff9d4 | out: _Buffer="10.0.10586") returned 10 [0155.714] _vsnwprintf (in: _Buffer=0x1c7940, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x44ff9e8 | out: _Buffer="\r\n") returned 2 [0155.715] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.715] GetFileType (hFile=0x41c) returned 0x3 [0155.715] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.715] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x1cb960, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0155.715] WriteFile (in: hFile=0x41c, lpBuffer=0x1cb960*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x44ff9d8, lpOverlapped=0x0 | out: lpBuffer=0x1cb960*, lpNumberOfBytesWritten=0x44ff9d8*=0x2, lpOverlapped=0x0) returned 1 [0155.715] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.715] GetFileType (hFile=0x41c) returned 0x3 [0155.715] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x1c7940, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0155.722] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x1c7940, nSize=0x2000, Arguments=0x44ff9d0 | out: lpBuffer="Microsoft Windows [Version 10.0.10586]") returned 0x26 [0155.722] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.722] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.10586]", cchWideChar=-1, lpMultiByteStr=0x1cb960, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.10586]", lpUsedDefaultChar=0x0) returned 39 [0155.722] WriteFile (in: hFile=0x41c, lpBuffer=0x1cb960*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x44ff970, lpOverlapped=0x0 | out: lpBuffer=0x1cb960*, lpNumberOfBytesWritten=0x44ff970*=0x26, lpOverlapped=0x0) returned 1 [0155.722] _vsnwprintf (in: _Buffer=0x1c7940, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x44ff9e8 | out: _Buffer="\r\n") returned 2 [0155.722] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.722] GetFileType (hFile=0x41c) returned 0x3 [0155.722] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.722] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x1cb960, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0155.722] WriteFile (in: hFile=0x41c, lpBuffer=0x1cb960*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x44ff9d8, lpOverlapped=0x0 | out: lpBuffer=0x1cb960*, lpNumberOfBytesWritten=0x44ff9d8*=0x2, lpOverlapped=0x0) returned 1 [0155.722] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.722] SetConsoleMode (hConsoleHandle=0x41c, dwMode=0x0) returned 0 [0155.723] _get_osfhandle (_FileHandle=1) returned 0x41c [0155.723] GetConsoleMode (in: hConsoleHandle=0x41c, lpMode=0x1bf40c | out: lpMode=0x1bf40c) returned 0 [0155.723] _get_osfhandle (_FileHandle=0) returned 0x418 [0155.723] GetConsoleMode (in: hConsoleHandle=0x418, lpMode=0x1bf408 | out: lpMode=0x1bf408) returned 0 [0155.723] GetConsoleOutputCP () returned 0x1b5 [0155.723] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1bf460 | out: lpCPInfo=0x1bf460) returned 1 [0155.723] SetThreadUILanguage (LangId=0x0) returned 0x409 [0155.723] exit (_Code=0) Thread: id = 21 os_tid = 0xca8 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x69c20000" os_pid = "0xf54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x1054" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 393 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 394 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 395 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 396 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 397 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 398 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 399 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 400 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 401 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 402 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 404 start_va = 0x7b0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 405 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 406 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 407 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 408 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 409 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 410 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 411 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 412 start_va = 0x190000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 413 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 414 start_va = 0x7ff8747d0000 end_va = 0x7ff874828fff monitored = 0 entry_point = 0x7ff8747dfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 415 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 416 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 417 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 418 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 419 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 420 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 421 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 422 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 423 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 424 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 425 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 426 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 427 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 428 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 429 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 430 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 431 start_va = 0x8b0000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 432 start_va = 0xa40000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 433 start_va = 0x1e40000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 434 start_va = 0x1e40000 end_va = 0x1e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 435 start_va = 0x1e90000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 436 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 437 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 438 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 439 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 440 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 441 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 442 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 443 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 444 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 445 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 446 start_va = 0x1ea0000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 447 start_va = 0x2040000 end_va = 0x2376fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 448 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 449 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 450 start_va = 0x1ea0000 end_va = 0x1ef9fff monitored = 1 entry_point = 0x1eb53f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 451 start_va = 0x1f00000 end_va = 0x1f20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 452 start_va = 0x2030000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 453 start_va = 0x2380000 end_va = 0x2592fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 454 start_va = 0x25a0000 end_va = 0x27bafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 455 start_va = 0x1ea0000 end_va = 0x1faafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 456 start_va = 0x27c0000 end_va = 0x29ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 457 start_va = 0x29e0000 end_va = 0x2aedfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 458 start_va = 0x1fb0000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 459 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 460 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 461 start_va = 0x2af0000 end_va = 0x2babfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002af0000" filename = "" Region: id = 462 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 463 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 464 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 465 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 466 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 467 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 468 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 469 start_va = 0x790000 end_va = 0x794fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 470 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 471 start_va = 0x1e80000 end_va = 0x1e81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e80000" filename = "" Region: id = 472 start_va = 0x2bb0000 end_va = 0x2da5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002bb0000" filename = "" Region: id = 473 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 474 start_va = 0x1ff0000 end_va = 0x1ff0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 475 start_va = 0x2000000 end_va = 0x2001fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002000000" filename = "" Region: id = 476 start_va = 0x2db0000 end_va = 0x2e8cfff monitored = 0 entry_point = 0x2e0e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 477 start_va = 0x1ff0000 end_va = 0x1ff0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ff0000" filename = "" Region: id = 478 start_va = 0x2db0000 end_va = 0x2eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 486 start_va = 0x2eb0000 end_va = 0x30aefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002eb0000" filename = "" Thread: id = 14 os_tid = 0xf18 Thread: id = 16 os_tid = 0xdd0 Thread: id = 17 os_tid = 0x5e0 Thread: id = 20 os_tid = 0x9a4 Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x2b1ba000" os_pid = "0xffc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x4c4" cmd_line = "C:\\Windows\\system32\\cmd.exe /C del C:\\Users\\RDhJ0CNFevzX\\Desktop\\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 505 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 506 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 507 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 508 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 509 start_va = 0xa0000 end_va = 0xa3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 510 start_va = 0xb0000 end_va = 0xb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 511 start_va = 0xc0000 end_va = 0xc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 512 start_va = 0x190000 end_va = 0x1e1fff monitored = 1 entry_point = 0x1a4fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 513 start_va = 0x1f0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 514 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 515 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 516 start_va = 0x77720000 end_va = 0x7789afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 517 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 518 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 519 start_va = 0x7fff0000 end_va = 0x7df87ff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 520 start_va = 0x7df87ffa0000 end_va = 0x7ff87ff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df87ffa0000" filename = "" Region: id = 521 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 522 start_va = 0x7ff880161000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff880161000" filename = "" Region: id = 523 start_va = 0x4660000 end_va = 0x466ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004660000" filename = "" Region: id = 524 start_va = 0x662d0000 end_va = 0x66349fff monitored = 0 entry_point = 0x662e3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 525 start_va = 0x66350000 end_va = 0x6639ffff monitored = 0 entry_point = 0x66368180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 526 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 527 start_va = 0x663a0000 end_va = 0x663a7fff monitored = 0 entry_point = 0x663a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 528 start_va = 0x4670000 end_va = 0x48affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 529 start_va = 0x75600000 end_va = 0x756dffff monitored = 0 entry_point = 0x75613980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 530 start_va = 0x75480000 end_va = 0x755fdfff monitored = 0 entry_point = 0x75531b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 531 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 532 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Thread: id = 25 os_tid = 0x9c8 Process: id = "5" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x2ae8a000" os_pid = "0xbd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xffc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 533 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 534 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 535 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 536 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 537 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 538 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 539 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 540 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 541 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 542 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 543 start_va = 0x600000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 544 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 545 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 546 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 547 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 548 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 549 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 550 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 551 start_va = 0x780000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 552 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 553 start_va = 0x7ff8747d0000 end_va = 0x7ff874828fff monitored = 0 entry_point = 0x7ff8747dfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 554 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 555 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 556 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 557 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 558 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 559 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 560 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 561 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 562 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 563 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 564 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 565 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 566 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 567 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 568 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 569 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 570 start_va = 0xb60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 571 start_va = 0x1f60000 end_va = 0x212ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 572 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 573 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 574 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 575 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 576 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 577 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 578 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 579 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 580 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 581 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 582 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 583 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 584 start_va = 0x1f60000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 585 start_va = 0x2120000 end_va = 0x212ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 586 start_va = 0x2130000 end_va = 0x2466fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 587 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 588 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 589 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 590 start_va = 0x780000 end_va = 0x7d9fff monitored = 1 entry_point = 0x7953f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 591 start_va = 0x830000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 592 start_va = 0x2470000 end_va = 0x268bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 593 start_va = 0x2690000 end_va = 0x28a9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 594 start_va = 0x28b0000 end_va = 0x29c4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 595 start_va = 0x29d0000 end_va = 0x2bedfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 596 start_va = 0x2bf0000 end_va = 0x2d04fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 597 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 598 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 599 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 600 start_va = 0x1f60000 end_va = 0x201bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f60000" filename = "" Region: id = 601 start_va = 0x2070000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 602 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 603 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 604 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 605 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 606 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 607 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 608 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 609 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 610 start_va = 0x780000 end_va = 0x780fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 611 start_va = 0x790000 end_va = 0x791fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 612 start_va = 0x2d10000 end_va = 0x2f05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d10000" filename = "" Region: id = 613 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 614 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 615 start_va = 0x7b0000 end_va = 0x7b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Thread: id = 26 os_tid = 0x990 Thread: id = 27 os_tid = 0xf7c Thread: id = 28 os_tid = 0xd60 Thread: id = 29 os_tid = 0x658